TRUST & SECURITY

How we protect our network

CyberAdX operates an ad network for the cybersecurity industry. Our audience is security professionals — trust is non-negotiable. This page describes the controls we have in place to protect advertisers, publishers, and every visitor who encounters a CyberAdX placement.

☁️

Infrastructure

Edge-native, zero attack surface

All tracking, ad serving, and click routing runs on Cloudflare's global edge network as isolated serverless Workers. There are no traditional servers, no open ports, and no persistent processes. Each request is handled in an isolated runtime that terminates immediately after the response is sent.

Data at the edge

Event data and campaign configuration are stored in Cloudflare D1 and KV — neither is reachable from the public internet except through authenticated Worker endpoints. There is no exposed database connection string, no SSH access, and no admin panel accessible without our Zero Trust identity layer.

🔒

Publisher & Domain Verification

Allowlist-only collection

Our beacon collection endpoint only accepts events from a hardcoded list of approved publisher domains. Events claiming to originate from any unlisted domain are silently discarded before any data is written — preventing third parties from injecting fraudulent impression or pageview data.

Injector controls

The pixel is delivered to publisher pages through a Cloudflare Worker that rewrites HTML at the edge. It only operates on domains explicitly enrolled in the network, only rewrites HTML responses, and can be disabled network-wide instantly without a code deployment.

🤖

Bot & Fraud Protection

Invisible bot challenge on every ad request

Every request to our ad serving endpoint must pass an invisible Cloudflare Turnstile bot challenge before a campaign is selected and returned. Automated requests that cannot pass the challenge receive an empty response — no impression is counted, no creative is served. The challenge is invisible to human visitors — no CAPTCHA interaction is required.

Known crawler passthrough

Search engine crawlers, AI indexing bots, and SEO tools are identified and passed through the injector without modification — ensuring zero impact on publisher SEO or crawl coverage.

Per-visitor rate limiting

Event collection is rate-limited per visitor per property on a rolling window. Requests exceeding the threshold are silently dropped, preventing single IPs from flooding impression queues or artificially inflating engagement metrics.

🖱️

Click Integrity

Cryptographically signed click tokens

Click URLs do not contain raw destination addresses. Every click URL embeds a tamper-evident token signed with a secret key held exclusively on our edge infrastructure. The token encodes the campaign, creative, publisher, and page at impression time. Altered, forged, or replayed tokens are rejected before any redirect is issued.

Short validity window

Click tokens expire within 24 hours of issue. Stale tokens are rejected regardless of signature validity — preventing indefinite token reuse from scraped pages or cached links.

No open redirects

Our click and affiliate routing endpoints only redirect to pre-registered campaign destinations or known affiliate network domains. Arbitrary URLs cannot be constructed or injected — the system does not function as an open redirect service.
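The signed-token, validity-window, and registered-destination checks described above can be sketched as follows. This is an added example, not CyberAdX's code: HMAC-SHA-256, the `body.tag` token layout, the claim names, and the `destinations` registry are assumptions, and single-use replay tracking is not shown.

```javascript
const { createHmac, timingSafeEqual } = require("node:crypto");

const MAX_AGE_SECONDS = 24 * 60 * 60; // the 24-hour validity window

const sign = (body, key) => createHmac("sha256", key).update(body).digest("base64url");

// Issue at impression time: base64url(JSON claims) + "." + HMAC tag (assumed layout).
function issueClickToken(claims, key, nowSeconds) {
  const body = Buffer.from(JSON.stringify({ ...claims, iat: nowSeconds })).toString("base64url");
  return `${body}.${sign(body, key)}`;
}

// Verify before any redirect. Returns { ok, reason } or { ok, claims }.
function verifyClickToken(token, key, nowSeconds) {
  const parts = String(token).split(".");
  if (parts.length !== 2) return { ok: false, reason: "malformed" };
  const [body, tag] = parts;
  const expected = Buffer.from(sign(body, key));
  const given = Buffer.from(tag);
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return { ok: false, reason: "bad-signature" };
  }
  let claims;
  try {
    claims = JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
  } catch {
    return { ok: false, reason: "malformed" };
  }
  // Expiry is checked independently of the signature: a valid tag on a stale token still fails.
  const age = nowSeconds - claims.iat;
  if (!Number.isInteger(claims.iat) || age < 0 || age > MAX_AGE_SECONDS) {
    return { ok: false, reason: "expired" };
  }
  return { ok: true, claims };
}

// The redirect target is looked up server-side by campaign id;
// it is never read from the token or the query string.
function resolveRedirect(token, key, nowSeconds, destinations) {
  const result = verifyClickToken(token, key, nowSeconds);
  if (!result.ok) return null;
  return destinations.get(result.claims.campaign) ?? null;
}
```
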

Affiliate attribution integrity

The slug-based affiliate router resolves short slugs to destinations via a private lookup store. Attribution sub-IDs are injected server-side at redirect time and cannot be tampered with by the browser.

🛡️

Admin Access & API Security

Cloudflare Zero Trust

All administrative interfaces are protected by Cloudflare Access (Zero Trust). Access requires authentication through our identity provider — no admin surface is reachable from the public internet without a valid session token. There is no username/password authentication path.

Authenticated webhooks

Automated integrations — internal dashboards, data sync pipelines, affiliate reporting — authenticate via a shared secret distinct from the admin session layer. All webhook endpoints validate this credential before executing any operation.

🔏

Visitor Privacy

No raw IP storage

Visitor IDs are never derived directly from IP addresses. Each day a new cryptographic salt is generated; visitor identifiers are computed as a one-way hash of the IP combined with that salt. The salt rotates daily — cross-day linkage of visitor activity is computationally infeasible.

DNT & GPC respected

Visitors signalling Do Not Track (DNT) or Global Privacy Control (GPC) are handled separately. Their events are written to aggregate analytics only and are never stored at the individual-session level.
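The daily-salt identifier and the DNT/GPC handling described above, as an added example that is not CyberAdX's code. It assumes HMAC-SHA-256 as the one-way hash, a single-process in-memory salt holder (a multi-node edge deployment would need shared storage for the current salt), and request headers supplied as a lowercased plain object.

```javascript
const { createHmac, randomBytes } = require("node:crypto");

// Holds only the current UTC day's salt. Rotation overwrites the old value,
// so identifiers from a previous day cannot be recomputed or linked.
class DailySalt {
  constructor() { this.day = null; this.salt = null; }
  forDay(day) {
    if (day !== this.day) {
      this.day = day;
      this.salt = randomBytes(32); // fresh random salt, never derived from the date
    }
    return this.salt;
  }
}

const utcDay = (ms) => new Date(ms).toISOString().slice(0, 10);

// Keyed one-way hash of the IP. The salt must stay secret: the IPv4 space is
// small enough to enumerate, so an unkeyed hash of an IP is reversible.
function visitorId(ip, nowMs, salts) {
  return createHmac("sha256", salts.forDay(utcDay(nowMs))).update(ip).digest("hex");
}

// "DNT: 1" or "Sec-GPC: 1" marks the visitor as opted out.
function optedOut(headers) {
  return headers["dnt"] === "1" || headers["sec-gpc"] === "1";
}

// Opted-out visitors yield an aggregate-only event with no visitor field;
// everyone else gets the salted daily identifier. The raw IP is never stored.
function buildEvent(ip, headers, type, nowMs, salts) {
  const base = { type, day: utcDay(nowMs) };
  if (optedOut(headers)) return { ...base, scope: "aggregate" };
  return { ...base, scope: "session", visitor: visitorId(ip, nowMs, salts) };
}
```
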

Aggregate-only advertiser reporting

Advertisers receive campaign-level metrics only — impressions, clicks, and CTR. No individual visitor data, session records, or cross-site behaviour is shared with any advertiser.

What We Never Do

  • Set or read third-party cookies
  • Fingerprint browsers using canvas, font enumeration, or device APIs
  • Store raw IP addresses or persistent device identifiers
  • Share individual-level event data with advertisers
  • Serve ads on domains outside our publisher allowlist regardless of how requests are constructed
  • Use audience data collected on one property to retarget visitors on another
  • Sell or share publisher traffic data with any third party

Our Commitments

  • All tracking infrastructure runs within Cloudflare's SOC 2 Type II certified network
  • Event data is pruned on a rolling 30-day window — no indefinite raw event retention
  • Publisher pixel is open to inspection — px.cyberadx.network/p.js
  • Bot challenge enforced on every ad serve request
  • Click tokens cryptographically signed and time-limited
  • Admin access gated behind Cloudflare Zero Trust — no public login endpoint

Questions about our security posture?

Enterprise advertisers requiring infrastructure diagrams, data flow documentation, or a security review call are welcome to reach out directly.