Security

Warrant canary

We publish a signed warrant canary at /warrant-canary.txt, with the detached signature at /warrant-canary.txt.sig. It is refreshed daily by a NixOS systemd timer outside the Astro build. If the canary is missing or older than 48 hours, treat that as a public warning signal.

Content signing

Published pages, RSS and sitemaps are signed at build time with an OpenSSH Ed25519 key. The public key is available at /.well-known/saltire-signal.pub and in DNS at _provenance.saltiresignal.co.uk.

Takedown route

Publishers, named individuals and legal representatives can use the takedown route. We aim to acknowledge and make an initial decision within 24 hours, with legal and safety complaints handled first.

Editorial standards

Our standards code covers attribution, corrections, complaints, sponsored content, Scottish court-reporting rules and sensitive subjects. We do not host user comments in the launch phase.

Contact

Security reports can be sent to security@saltiresignal.co.uk. The machine-readable policy is published at /.well-known/security.txt.