Security posture
Built as a small, protected utility for church QR links.
Holy Spirit QR Manager is intentionally simple. The public side only serves trust pages and QR redirects. Administration requires a username and password issued by an authorized admin.
Transport security
- HTTPS is required for the public site and admin dashboard.
- HTTP requests redirect to HTTPS through AWS CloudFront.
- The TLS certificate is issued for holyspiritqr.com and www.holyspiritqr.com.
- HSTS and common browser security headers are enabled.
Admin security
- No public registration is available.
- Users are created by an existing admin.
- Passwords are not stored in the frontend.
- Session cookies are HTTP-only, secure, and same-site.
Redirect policy
QR redirect links are maintained for church materials. Destination URLs are editable only by authenticated users. Archived QR links stop redirecting and show an inactive page.
Security contact
For security questions or abuse reports, contact Lutheran Church of the Holy Spirit through lchsemmaus.org/contact-us or call (610) 967-2220.
A machine-readable security contact file is available at /.well-known/security.txt.