
HSTS compliance

HSTS forces your browser to use encrypted connections only. It blocks any attempt to connect to Tallyfy without HTTPS - even if someone tricks you into clicking an http:// link, your browser upgrades it automatically.

How does HSTS work?

When you first visit Tallyfy over HTTPS, your browser receives a Strict-Transport-Security header. This tells the browser: “Always use encryption with Tallyfy - no exceptions.”

Your browser remembers this for one year[1]. Even if you type http:// instead of https://, the browser catches it before sending any data.

How does Tallyfy use HSTS preloading?

Tallyfy is on the HSTS preload list[2] - hardcoded into Chrome, Firefox, Safari, and other major browsers. Your browser already knows to use HTTPS with Tallyfy before you even visit for the first time. There’s no window of vulnerability. Not even for a millisecond.

What attacks does HSTS prevent?

  • SSL stripping[3]: Attackers try to downgrade your connection to plain HTTP. HSTS blocks this - your browser upgrades to HTTPS before any data leaves your device.
  • Man-in-the-middle exploits: Someone sitting between you and Tallyfy, pretending to be us? Your browser won’t accept anything but a verified, encrypted connection. Under HSTS a certificate error is fatal: the browser closes the connection instead of showing a warning you could click through.
  • Session hijacking: Login cookies and authentication tokens only travel over encrypted channels. No exceptions. This matters most on public Wi-Fi, where attackers commonly try to intercept traffic.
  • Eavesdropping: Every click, form submission, and document you view is encrypted. Network admins, ISPs, and nearby devices can’t see what you’re doing in Tallyfy.

What are HSTS requirements?

Tallyfy meets all seven requirements for proper HSTS:

  1. Valid TLS/SSL certificate - proves you’re connecting to the real Tallyfy, not an imposter.
  2. Automatic HTTPS redirection - any HTTP request gets redirected to HTTPS instantly, so you receive the HSTS header through a secure connection.
  3. All resources over HTTPS - every image, script, and resource loads over HTTPS. No mixed content.
  4. Secure header delivery - the HSTS header is only sent over HTTPS. Sending it over HTTP would let attackers modify it.
  5. One-year minimum max-age - browsers remember the HSTS policy for at least a year, so you’re protected even after months away.
  6. All subdomains covered - whether you’re on app.tallyfy.com or go.tallyfy.com, HSTS applies everywhere. The includeSubDomains directive covers them all.
  7. Preload list inclusion - Tallyfy is hardcoded into browsers, so new users get protection before their first visit.
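Requirements 4 to 7 can be checked directly from the header value a server returns. The following is an added example, not Tallyfy's own code: it parses a Strict-Transport-Security value as the RFC 6797 directive list and reports which of the header-level preload requirements (one-year max-age, includeSubDomains, preload) fail. Requirements 1 to 3 (certificate, redirect, mixed content) need a live connection and are out of scope here; the sample header values are constructed, not captured from tallyfy.com.

```python
from dataclasses import dataclass
from typing import List, Optional

ONE_YEAR = 31_536_000  # seconds; the preload list's minimum max-age

@dataclass
class HstsPolicy:
    max_age: Optional[int]   # None when the mandatory directive is absent
    include_subdomains: bool
    preload: bool

def parse_hsts(header: str) -> HstsPolicy:
    """Parse a Strict-Transport-Security value as an RFC 6797 directive list."""
    max_age, include_subdomains, preload = None, False, False
    for directive in header.split(";"):
        name, _, value = directive.partition("=")
        name = name.strip().lower()        # directive names are case-insensitive
        value = value.strip().strip('"')   # max-age may be quoted
        if name == "max-age":
            if not value.isdigit():
                raise ValueError(f"malformed max-age in {directive!r}")
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # any other directive is ignored, as RFC 6797 requires
    return HstsPolicy(max_age, include_subdomains, preload)

def preload_problems(header: str) -> List[str]:
    """Header-level preload requirements the policy fails (empty list = OK)."""
    p = parse_hsts(header)
    problems = []
    if p.max_age is None:
        problems.append("max-age missing: not a valid HSTS policy")
    elif p.max_age < ONE_YEAR:
        problems.append(f"max-age {p.max_age} is below the one-year minimum {ONE_YEAR}")
    if not p.include_subdomains:
        problems.append("includeSubDomains missing: subdomains stay unprotected")
    if not p.preload:
        problems.append("preload missing: cannot be submitted to the preload list")
    return problems

# Constructed sample values, not headers captured from tallyfy.com
STRONG = "max-age=31536000; includeSubDomains; preload"
WEAK = "max-age=86400; includeSubDomains"
```

Calling `preload_problems(WEAK)` returns two findings (short max-age, no preload directive), while `preload_problems(STRONG)` returns an empty list.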


Footnotes

  1. Max-age value of 31536000 seconds (one year) in the Strict-Transport-Security header

  2. A Google-maintained list of sites hardcoded into browsers, eliminating first-visit vulnerability

  3. Attack technique that forces HTTPS connections to downgrade to unencrypted HTTP