At HotelCrux, we are committed to maintaining the security and confidentiality of our users’ personal and sensitive information. We have implemented several measures to ensure the security of our website and systems. In this security policy, we outline the steps we have taken to protect our website and our users’ data.
We have implemented a number of measures to enhance our cybersecurity posture and ensure compliance with relevant regulations and standards. These measures include security and regulatory frameworks such as ISO 27001, the GDPR, the NIST Cybersecurity Framework (CSF), and the SANS Critical Security Controls (CSC), as well as web security measures such as DNSSEC, hashing for data integrity and security, and the addition of security headers.
Adoption of SANS Critical Security Controls (CSC)
We have adopted the SANS Critical Security Controls (CSC) as part of our security policy in order to enhance our defenses against cyber threats. The CSC provide a set of recommended actions that we follow in order to protect our systems and data from potential vulnerabilities and attacks. These controls cover a wide range of areas including asset management, incident response, and network security, and help us to ensure the confidentiality, integrity, and availability of our systems and data. By following the CSC, we can effectively manage and reduce cybersecurity risks and maintain a strong security posture.
Implementation of NIST Cybersecurity Framework (CSF)
We have implemented the NIST Cybersecurity Framework (CSF) to enhance our cybersecurity posture and protect against cyber threats. The CSF provides a set of guidelines and best practices that we follow to manage and reduce cybersecurity risks. It covers a wide range of areas including asset management, incident response, and network security. Adhering to the CSF helps us to ensure the confidentiality, integrity, and availability of our systems and data.
Adherence to ISO 27001
We have implemented policies, procedures, and controls to ensure that our systems and processes are secure and compliant with this international standard for information security management.
Implementation of GDPR guidelines
We have implemented measures to ensure compliance with the General Data Protection Regulation (GDPR) and to protect and handle our users’ data in accordance with these guidelines.
Web Security Measures
Hashing for Data Integrity and Security
To ensure the security and integrity of the code on our website, we employ hashing to protect all scripts. Hashing takes data of any length and derives a fixed-size value from it, called a hash, such that any change to the input produces a different hash. This allows us to verify the integrity of our scripts without storing a separate copy of them.
For these hashes we use SHA-256 (Secure Hash Algorithm, 256-bit), a widely used and secure hashing algorithm. A script that has been altered no longer matches its recorded hash, which makes it difficult for attackers to modify our scripts without being detected.
Implementation of robust website security measures
We have implemented several security headers in our raw header files to help protect our website and our users’ data, including:
- HTTP/2: This is a protocol rather than a header; it enables faster and more secure communication between our website and users’ browsers.
- Content-Security-Policy: This header helps to prevent cross-site scripting (XSS) attacks by specifying which domains are allowed to load resources on our website.
- Permissions-Policy: This header allows us to specify which browser features (e.g., camera, microphone, geolocation) are allowed to be used on our website.
- Referrer-Policy: This header controls which referrer information is included in HTTP requests sent from our website.
- X-Content-Type-Options: This header stops browsers from MIME-sniffing a response and treating it as a different content type than the one we declared, which can help to prevent XSS attacks.
- X-Frame-Options: This header prevents our website from being displayed in a frame or iframe, which can help to prevent clickjacking attacks.
- Feature-Policy: This header is the earlier name of Permissions-Policy and serves the same purpose, specifying which browser features (e.g., camera, microphone, geolocation) may be used on our website.
- X-XSS-Protection: This header enables the browser’s XSS protection, which helps to prevent XSS attacks.
- Strict-Transport-Security: This header tells the browser to only communicate with our website over a secure connection (HTTPS).
- Expect-CT: This header allows us to specify certificate transparency requirements for our website.
- X-Permitted-Cross-Domain-Policies: This header tells clients that honour cross-domain policy files (such as crossdomain.xml) whether any such policy may be applied to our website.
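The following Node.js snippet is an added example, not HotelCrux's own configuration: it sets the headers listed above (HTTP/2 is a protocol, so it is not included) and audits a response's header map for ones that are missing or weakened. The policy values are assumptions chosen to match each header's described purpose.

```javascript
// Added example, not HotelCrux's own configuration; policy values are assumptions.
// Node lower-cases header names, so the map uses lower-case keys throughout.
const SECURITY_HEADERS = {
  "content-security-policy": "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
  "permissions-policy": "camera=(), microphone=(), geolocation=()",
  "feature-policy": "camera 'none'; microphone 'none'; geolocation 'none'", // older name of Permissions-Policy
  "referrer-policy": "strict-origin-when-cross-origin",
  "x-content-type-options": "nosniff",
  "x-frame-options": "DENY",
  "x-xss-protection": "1; mode=block", // legacy browser filter; CSP is the real XSS control
  "strict-transport-security": "max-age=31536000; includeSubDomains",
  "expect-ct": "max-age=86400, enforce",
  "x-permitted-cross-domain-policies": "none",
};

// Apply every header to an http.ServerResponse (or any object with setHeader).
function applySecurityHeaders(res) {
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) res.setHeader(name, value);
  return res;
}

// Audit a header map such as http.IncomingMessage.headers: one finding per
// missing header and one per value that undercuts the header's stated purpose.
function auditHeaders(headers) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
  const findings = Object.keys(SECURITY_HEADERS).filter((n) => !(n in h)).map((n) => `missing: ${n}`);
  if (/'unsafe-inline'|'unsafe-eval'/.test(h["content-security-policy"] || "")) {
    findings.push("weak: content-security-policy allows unsafe-inline/unsafe-eval");
  }
  const hsts = h["strict-transport-security"] || "";
  if (hsts && Number((hsts.match(/max-age=(\d+)/) || [0, 0])[1]) < 31536000) {
    findings.push("weak: strict-transport-security max-age below one year");
  }
  if (h["x-content-type-options"] && h["x-content-type-options"].toLowerCase() !== "nosniff") {
    findings.push("weak: x-content-type-options must be nosniff");
  }
  if (h["x-frame-options"] && !/^(DENY|SAMEORIGIN)$/i.test(h["x-frame-options"].trim())) {
    findings.push("weak: x-frame-options must be DENY or SAMEORIGIN");
  }
  return findings;
}

// Constructed weak response for comparison: CSP permits inline scripts, HSTS is
// short-lived, and most of the headers above are absent.
const WEAK_EXAMPLE = {
  "Content-Security-Policy": "default-src * 'unsafe-inline'",
  "Strict-Transport-Security": "max-age=300",
  "X-Content-Type-Options": "nosniff",
};
```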
Use of DNSSEC
By implementing DNSSEC, we can ensure the authenticity and integrity of our DNS records. These records contain important information that directs traffic to the correct website or server. Using DNSSEC allows us to verify that the DNS records have not been tampered with or altered, helping to protect our website and the data of our users.
Additionally, DNSSEC can help to prevent certain types of cyber attacks, such as DNS spoofing and cache poisoning, by using cryptographic signatures to verify the authenticity of DNS records.
To ensure the confidentiality of sensitive information, we have implemented encryption. In addition to encryption, we also use secure communication methods wherever available to further protect sensitive information. This includes using secure protocols for email and messaging, as well as secure connections for accessing and transferring data.
If you have any security concerns or need to report a vulnerability, you can use the provided PGP key to communicate with us securely. Avoid encrypting the subject of your message to prevent potential issues with message processing.
Fingerprint: B279 5315 A6F9 99E2 9289 6906 DE32 893B AA96 EB7A
Bug Bounty Program
We value the security and integrity of our website and systems and offer a bug bounty program to reward individuals who help us identify and fix vulnerabilities in our website. View our Bug Bounty Program for more information on how you can participate.
If you have any questions or concerns about our security policy or the measures we have implemented, please do not hesitate to contact us.