Dr.Who

Sample pack · A

stripe.com

Audit-ready — strong email + transport posture

Summary

Stripe runs an enforced email-authentication stack (DMARC p=reject, SPF, multiple DKIM selectors) and modern TLS across api.stripe.com. Security headers on the marketing surface are well-configured. This is a representative pack showing what a mature payments platform looks like under the same 15-check methodology.

Highlights from the scan

  • DMARC: p=reject with aggregate reporting
  • SPF: single record, under the 10-lookup limit
  • TLS: TLS 1.3, modern cipher suite, valid chain
  • Headers: HSTS preloaded, strong CSP on marketing pages

Download the pack

Signed pack for stripe.com, generated against the live posture at the time the founder ran the build script. Verify the Ed25519 signature against /.well-known/evidence-pack-pubkey.pem.

See it live

The same 15-check methodology is also available on-demand at /d/stripe.com.

Methodology v1 — the exact rules used to produce this pack.