
Security & Privacy

This page explains how Security Now CPE works, what data it collects, where it lives, and the technical measures in place to protect it.

How the site works

Security Now CPE lets you take quizzes on Security Now podcast episodes and earn verifiable certificates you can submit as Continuing Professional Education (CPE) credit with ISACA, (ISC)2, and similar organizations.

The quiz flow is straightforward:

  1. You pick an episode from the list and enter your name and email address.
  2. You answer five questions generated from the official episode transcript.
  3. If you score 4 out of 5 (80%) or better, a certificate is generated on the server and returned to your browser.
  4. The certificate includes a unique verification link and QR code that anyone (your certification body, an auditor) can use to confirm the certificate is genuine.
  5. Your completed certificate is saved to your browser's local storage so you can retrieve it later from the My Data page.

What data is collected and where it lives

Your browser (local storage only)

Your name, email address, theme preference, and certificate records are stored exclusively in your browser's local storage. They are never transmitted to or stored on this server in identifiable form.

Local storage keys written by this site:

Key         | Contents                                                                                              | When set
------------|-------------------------------------------------------------------------------------------------------|-----------------------------------------------
quiz_name   | Your name as you typed it                                                                             | When you fill in the name field before a quiz
quiz_email  | Your email address                                                                                    | When you fill in the email field before a quiz
quiz_theme  | "light" or "dark"                                                                                     | When you toggle the theme switch
sncpe_certs | JSON object of completed certificates (episode number, title, score, date, duration, verify URL)      | Each time you pass a quiz

You can delete all of this at any time using the Clear Local Data link in the footer or on the My Data page.

The server

The server stores only what is necessary to run the quizzes:

When you submit a quiz, your name and email travel to the server over HTTPS to compute the certificate hash and build the verification URL. They are used only for that computation and are not written to any database, log file, or third-party service.

How certificates are verified without storing your data

This is the core privacy design. Most certificate systems store records on a server and look them up by name or ID. This site does not do that.

Instead, every certificate carries its own proof of authenticity in its verification URL. Here is how it works step by step:

Certificate hash

When you pass a quiz, the server computes a SHA-256 hash over these fields, joined with a pipe character:

episode_number | episode_title | your_name | your_email | score_percent | server_secret

The server secret is a long random string stored in the server configuration. Without it, no one can forge a hash for a given set of inputs. SHA-256 is a one-way function: the hash cannot be reversed to recover your name or email.

Verification payload

The verification URL also contains an encrypted payload carrying your name, email, score, timestamp, episode number, and an HMAC signature. The payload is encrypted with AES-256-GCM using a key derived from the same server secret. The HMAC signature (HMAC-SHA-256) covers all the certificate fields and prevents tampering.

When someone opens the verification URL, the server decrypts the payload, re-derives the expected certificate hash from the decrypted fields, and compares it to the hash in the URL using a constant-time comparison. If they match, and the HMAC signature is valid, the certificate is genuine. No database lookup is required at any point.
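To make the hash-plus-payload scheme above concrete, here is an added example in Go using only the standard library. It is not the site's code (the site runs on PHP); it implements the same design: the pipe-joined SHA-256 certificate hash, an HMAC-SHA-256 over the certificate fields, AES-256-GCM encryption of the payload with a key derived from the server secret, and a constant-time comparison at verification time with no lookup of any kind. The struct and JSON field names, the payload layout (JSON fields followed by the HMAC tag, sealed with GCM, nonce prepended, URL-safe base64), the way two separate keys are derived from the server secret (HMAC with a purpose label), and the URL parameter names h and p are assumptions; the page does not specify them.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Certificate carries the payload fields the page lists; the names are this example's assumption.
type Certificate struct {
	Episode   int    `json:"episode"`
	Title     string `json:"title"`
	Name      string `json:"name"`
	Email     string `json:"email"`
	Score     int    `json:"score"`     // percent
	Timestamp int64  `json:"timestamp"` // in the payload, but not part of the hash
}

// CertHash is the page's pipe-joined SHA-256:
// episode_number | episode_title | your_name | your_email | score_percent | server_secret
func CertHash(c Certificate, secret []byte) string {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%d|%s|%s|%s|%d|%s", c.Episode, c.Title, c.Name, c.Email, c.Score, secret)))
	return fmt.Sprintf("%x", sum)
}

// deriveKey: one 32-byte key per purpose. The page says only "derived from the same server secret"; HMAC-SHA-256 with a label is this example's choice.
func deriveKey(secret []byte, purpose string) []byte {
	h := hmac.New(sha256.New, secret)
	h.Write([]byte(purpose))
	return h.Sum(nil)
}
func newGCM(secret []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(deriveKey(secret, "sncpe-aes")) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Issue returns the URL's two components: the hash, and the payload (JSON fields || HMAC tag, sealed with AES-256-GCM).
func Issue(c Certificate, secret []byte) (string, string, error) {
	plain, err := json.Marshal(c)
	if err != nil {
		return "", "", err
	}
	mac := hmac.New(sha256.New, deriveKey(secret, "sncpe-hmac"))
	mac.Write(plain)
	gcm, err := newGCM(secret)
	if err != nil {
		return "", "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", "", err
	}
	sealed := gcm.Seal(nonce, nonce, append(plain, mac.Sum(nil)...), nil)
	return CertHash(c, secret), base64.RawURLEncoding.EncodeToString(sealed), nil
}

// Verify is the stateless check: decrypt, validate the HMAC, recompute the hash from the decrypted fields, compare in constant time.
func Verify(hash, payload string, secret []byte) (Certificate, error) {
	sealed, err := base64.RawURLEncoding.DecodeString(payload)
	gcm, gerr := newGCM(secret)
	if err != nil || gerr != nil || len(sealed) < gcm.NonceSize() {
		return Certificate{}, errors.New("malformed payload")
	}
	tagged, err := gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
	if err != nil || len(tagged) < sha256.Size {
		return Certificate{}, errors.New("payload failed to decrypt or was modified")
	}
	plain, sig := tagged[:len(tagged)-sha256.Size], tagged[len(tagged)-sha256.Size:]
	mac := hmac.New(sha256.New, deriveKey(secret, "sncpe-hmac"))
	mac.Write(plain)
	if !hmac.Equal(sig, mac.Sum(nil)) {
		return Certificate{}, errors.New("HMAC signature invalid")
	}
	var c Certificate
	if err := json.Unmarshal(plain, &c); err != nil {
		return Certificate{}, errors.New("payload is not a certificate")
	}
	// hmac.Equal is a constant-time comparison (it wraps subtle.ConstantTimeCompare).
	if !hmac.Equal([]byte(CertHash(c, secret)), []byte(hash)) {
		return Certificate{}, errors.New("hash does not match the payload")
	}
	return c, nil
}

func main() {
	secret := []byte("PLACEHOLDER-long-random-server-secret") // placeholder, not a real secret
	c := Certificate{Episode: 1000, Title: "Example episode", Name: "Ada Example", Email: "ada@example.invalid", Score: 80, Timestamp: 1700000000}
	hash, payload, _ := Issue(c, secret) // constructed certificate
	_, err := Verify(hash, payload, secret)
	fmt.Println("https://example.invalid/verify?h="+hash+"&p="+payload, "genuine:", err == nil)
}
```

Two properties of the page's design show up directly in the code: a forged hash fails because it cannot be reproduced from the decrypted fields without the secret, and a payload altered by even one byte fails at GCM's authentication step before the HMAC or the hash are ever consulted.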

What this means for privacy

A third party who obtains the verification URL can confirm that a real certificate was issued for a specific episode, score, and timestamp. They cannot do anything further with it: the name and email inside the encrypted payload are only decryptable by the server, and the server does not store them.

Sessions and cookies

The site uses a single PHP session cookie (named PHPSESSID by default) for two purposes only:

The session cookie is set with HttpOnly, Secure (HTTPS-only), and SameSite=Strict flags. It expires when you close your browser. No other cookies are set.

Transport and infrastructure security

Every page is served over HTTPS. HTTP requests are redirected with a 301 before any content is delivered. The following security headers are sent on every response:

Header                    | Value and purpose
--------------------------|------------------------------------------------------------------------------------------------------------
Strict-Transport-Security | Forces HTTPS for one year, including subdomains
Content-Security-Policy   | Restricts scripts, styles, images, and frames to known safe sources; blocks inline evaluation; prevents clickjacking
X-Content-Type-Options    | Prevents MIME-type sniffing
X-Frame-Options           | Prevents the site from being embedded in an iframe
Referrer-Policy           | No referrer information sent to external sites
Permissions-Policy        | Disables access to geolocation, microphone, and camera
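The redirect, the headers in the table and the cookie flags described under Sessions and cookies can all be exercised without a browser. The following is an added Go example that uses only the standard library and is not the site's code (the site runs on PHP): a middleware that answers a plain-HTTP request with a 301 to the HTTPS URL before writing any content and stamps every HTTPS response with the listed headers, a session cookie built with HttpOnly, Secure and SameSite=Strict and no lifetime, and an httptest probe that records the result in memory. The literal Content-Security-Policy and Permissions-Policy values, the hostname example.invalid and the handler names are assumptions; the page states what each header does, not its exact value.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sort"
)

// securityHeaders lists the headers from the table. The CSP and Permissions-Policy
// strings are this example's assumptions; the page gives their purpose, not their text.
var securityHeaders = map[string]string{
	"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
	// No 'unsafe-inline' or 'unsafe-eval' blocks inline evaluation; frame-ancestors 'none'
	// is the CSP-level clickjacking defence; quickchart.io is allowed for the QR images.
	"Content-Security-Policy": "default-src 'self'; img-src 'self' https://quickchart.io; frame-ancestors 'none'",
	"X-Content-Type-Options":  "nosniff",
	"X-Frame-Options":         "DENY",
	"Referrer-Policy":         "no-referrer",
	"Permissions-Policy":      "geolocation=(), microphone=(), camera=()",
}

// Harden wraps a handler: a request that did not arrive over TLS gets a 301 to the same
// path on https:// before any content is written; a TLS request gets every header above.
// Behind a TLS-terminating proxy you would consult the forwarded-protocol header instead of r.TLS.
func Harden(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS == nil {
			http.Redirect(w, r, "https://"+r.Host+r.URL.RequestURI(), http.StatusMovedPermanently)
			return
		}
		for name, value := range securityHeaders {
			w.Header().Set(name, value)
		}
		next.ServeHTTP(w, r)
	})
}

// SessionCookie builds the single session cookie with the flags the page lists. Leaving
// Expires and MaxAge unset makes it a session cookie that ends when the browser closes.
func SessionCookie(id string) *http.Cookie {
	return &http.Cookie{
		Name: "PHPSESSID", Value: id, Path: "/",
		HttpOnly: true, Secure: true, SameSite: http.SameSiteStrictMode,
	}
}

// quizList stands in for the site's page handler.
func quizList(w http.ResponseWriter, r *http.Request) {
	http.SetCookie(w, SessionCookie("constructed-session-id"))
	fmt.Fprintln(w, "quiz list")
}

// Probe drives the hardened handler with an in-memory request (no network) and returns
// the recorded response. httptest marks the request as TLS when the scheme is https.
func Probe(https bool, path string) *http.Response {
	scheme := "http"
	if https {
		scheme = "https"
	}
	req := httptest.NewRequest(http.MethodGet, scheme+"://example.invalid"+path, nil)
	rec := httptest.NewRecorder()
	Harden(http.HandlerFunc(quizList)).ServeHTTP(rec, req)
	return rec.Result()
}

// MissingHeaders names the expected headers a response lacks; empty means fully hardened.
func MissingHeaders(resp *http.Response) []string {
	var missing []string
	for name := range securityHeaders {
		if resp.Header.Get(name) == "" {
			missing = append(missing, name)
		}
	}
	sort.Strings(missing)
	return missing
}

func main() {
	plain := Probe(false, "/quiz?episode=1000")
	fmt.Println(plain.StatusCode, "->", plain.Header.Get("Location"))
	secure := Probe(true, "/")
	fmt.Println(secure.StatusCode, "missing headers:", MissingHeaders(secure))
	for _, c := range secure.Cookies() {
		fmt.Printf("%s HttpOnly=%v Secure=%v SameSite=%v\n", c.Name, c.HttpOnly, c.Secure, c.SameSite)
	}
}
```

The same Probe and MissingHeaders functions double as a regression check: run them against each deployment and a header dropped by a config change shows up as a non-empty list rather than as a quiet downgrade.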

Rate limiting

Quiz submissions are rate-limited per IP address to prevent automated abuse. Excessive requests return a 429 response. Rate limit state is stored in temporary files on the server and expires automatically; no persistent record of your IP is kept.
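As an added example, not the site's own code, the following Go program shows a per-client fixed-window limiter of the kind described: its only state is one small temporary file per client, a record is ignored once its window has passed and can be swept, and the decision maps to 200 or 429. The window length, the limit, the file format, naming the file after a SHA-256 of the address, and the injectable clock are all this example's choices; the page gives none of those details.

```go
package main

import (
	"crypto/sha256"
	"fmt"
	"net/http"
	"os"
	"path/filepath"
	"strconv"
	"strings"
	"time"
)

// Limiter is a fixed-window, per-client limiter whose only state is one small temporary file
// per client holding "<window start unix> <count>". Naming the file after a SHA-256 of the
// address instead of the address itself is this example's choice, not something the page states.
type Limiter struct {
	Dir    string           // temporary directory for the state files
	Limit  int              // requests allowed per window
	Window time.Duration    // after this, a client's state is ignored and can be swept
	Now    func() time.Time // clock, injectable so expiry can be exercised without waiting
}

func (l *Limiter) statePath(ip string) string {
	sum := sha256.Sum256([]byte(ip))
	return filepath.Join(l.Dir, fmt.Sprintf("%x.rl", sum[:8]))
}

// readState returns the stored window start and count; ok is false when the file is absent,
// malformed, or belongs to a window that has already passed.
func (l *Limiter) readState(path string) (start int64, count int, ok bool) {
	data, err := os.ReadFile(path)
	parts := strings.Fields(string(data))
	if err != nil || len(parts) != 2 {
		return 0, 0, false
	}
	s, err1 := strconv.ParseInt(parts[0], 10, 64)
	c, err2 := strconv.Atoi(parts[1])
	if err1 != nil || err2 != nil || l.Now().Sub(time.Unix(s, 0)) >= l.Window {
		return 0, 0, false
	}
	return s, c, true
}

// Allow records one request from ip and reports whether it is still within the limit.
func (l *Limiter) Allow(ip string) (bool, error) {
	path := l.statePath(ip)
	start, count, ok := l.readState(path)
	if !ok {
		start, count = l.Now().Unix(), 0 // new or expired window
	}
	count++
	if err := os.WriteFile(path, []byte(fmt.Sprintf("%d %d\n", start, count)), 0o600); err != nil {
		return false, err
	}
	return count <= l.Limit, nil
}

// Sweep removes every state file whose window has expired and returns how many it removed,
// so no per-client record outlives the window.
func (l *Limiter) Sweep() (int, error) {
	entries, err := os.ReadDir(l.Dir)
	if err != nil {
		return 0, err
	}
	removed := 0
	for _, e := range entries {
		path := filepath.Join(l.Dir, e.Name())
		if strings.HasSuffix(e.Name(), ".rl") {
			if _, _, live := l.readState(path); !live && os.Remove(path) == nil {
				removed++
			}
		}
	}
	return removed, nil
}

// StatusFor maps the limiter's decision to the HTTP status the page describes.
func StatusFor(allowed bool) int {
	if allowed {
		return http.StatusOK
	}
	return http.StatusTooManyRequests
}

func main() {
	dir, err := os.MkdirTemp("", "sncpe-rl-")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	clock := time.Unix(1700000000, 0)
	l := &Limiter{Dir: dir, Limit: 5, Window: time.Minute, Now: func() time.Time { return clock }}
	for i := 1; i <= 7; i++ { // constructed burst from one RFC 5737 documentation address
		ok, _ := l.Allow("198.51.100.7")
		fmt.Printf("request %d -> %d\n", i, StatusFor(ok))
	}
	clock = clock.Add(2 * time.Minute) // the window passes
	n, _ := l.Sweep()
	fmt.Println("expired records swept:", n)
}
```

Because readState treats an expired file exactly like a missing one, a client whose window has lapsed is admitted again even before Sweep runs; Sweep only reclaims the disk space and removes the record.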

Third-party services

This site makes limited use of two external services:

Service              | Used for                                               | What is shared
---------------------|--------------------------------------------------------|--------------------------------------------------------------------------------------------
quickchart.io        | Generating QR code images on certificate pages         | The verification URL is embedded in the QR code request. No personal information is sent separately.
Cloudflare Turnstile | Optional bot protection on the certificate verification page | Cloudflare's standard Turnstile data; see Cloudflare's privacy policy

There are no analytics scripts, no advertising networks, no social media tracking pixels, and no other third-party code on this site.

Your rights and data portability

Because no personal data is stored on the server, there is nothing to delete on request and nothing to export from the server side. Everything the site knows about you lives in your own browser.

From the My Data page you can:

Open questions and contact

This is a hobby project. If you have questions about how any of this works, found a security issue, or have concerns about how the site uses the Security Now name and content, please reach out.
