Last updated: July 11, 2026.emrcheck.com is a static site served over Cloudflare's network. The controls below are applied to every route.
Transport and browser-hardening controls
- HTTPS everywhere with HSTS. All traffic is served over TLS, and a Strict-Transport-Security header (two-year max-age, includeSubDomains, preload) instructs browsers to refuse insecure connections.
- Content-Security-Policy. A CSP restricts which origins may load scripts, styles, images, frames, and connections, with object-src 'none' and base-uri 'self'.
- Frame denial / clickjacking protection. X-Frame-Options: DENY and frame-ancestors 'none' prevent the site from being embedded in other pages.
- MIME-sniffing protection. X-Content-Type-Options: nosniffstops browsers from re-interpreting a response's declared type.
- Referrer policy. Referrer-Policy: strict-origin-when-cross-origin limits what referrer data leaves the site.
- Permissions policy. Camera, microphone, and geolocation are disabled via Permissions-Policy.
Application controls
- Bot and spam protection. The contact form is protected by Cloudflare Turnstile and server-side rate limiting.
- No PHI by design. The contact form is not a channel for protected health information; submissions are delivered by email for the sole purpose of responding to your inquiry.
Data handling
We collect only what a submission requires and share case specifics through a secure channel after we connect, under a Business Associate Agreement (BAA) where appropriate. See the Privacy Policy for what is collected, how long it is kept, and how to request deletion.
Incident response
If we become aware of a security incident that affects information you have provided, we will investigate, take reasonable steps to contain and remediate it, and notify affected parties as required by applicable law.
Reporting a vulnerability
Please report suspected vulnerabilities privately to gagan@emrcheck.com. Our machine-readable policy is published at /.well-known/security.txt. Do not include PHI or personal data in a report, and do not attempt denial-of-service, data exfiltration, or testing against third-party services.
This page describes current practices and is provided in good faith; it is not a warranty or guarantee of security. It is not legal advice.