This page summarises the security measures currently applied to the public iBridge website, how security reports are handled, and the practical limits of a public-facing site. It is intended as an operational overview, not a substitute for internal security standards.
Public forms are being hardened with consent checks, required-field validation, anti-abuse measures, rate-limit safeguards, and backend-ready audit logging. Suspicious or malformed submissions may be blocked, ignored, or logged for review.
The staff portal, intranet, ticketing, LMS, and restricted operational tools are treated as separate access-controlled environments. Public pages do not expose those systems directly and should not be used as a route to bypass authentication.
If you identify a potential issue on the public site, email info@ibridge.co.za with the page URL, time observed, browser or device used, and any screenshots or reproducible steps.
Do not attempt intrusive testing, denial-of-service activity, or unauthorised access. Responsible reporting is expected.
Website security events are reviewed, triaged, and retained according to operational needs. Where a personal-information compromise triggers POPIA obligations, the applicable notification process will be followed.
Some security controls depend on the final hosting platform. Static hosting environments can limit direct control over headers, WAF rules, advanced bot management, and centralised monitoring. Additional hardening is expected at final production deployment.
The security measures on the public site operate alongside the Privacy Notice, Cookie Notice, Compliance page, and Accessibility Statement.