Verify Security Overview

Security posture for the verify.attestlayer.com verification surface.

This page describes the Verify surface only: browser-side kit checking, public verification slug pages, public downloads, and public trust-material retrieval tied to verify.attestlayer.com.

Verification model

The default upload flow on Verify runs locally in the browser. This design reduces exposure: kits are validated client-side, so they do not need to be transmitted to the Verify server.

  • Browser-side verification checks signatures, manifests, and trust material locally.
  • Public verification slugs expose only public-safe materials intended for reviewer access.
  • Verify depends on published issuer keys and registry trust material rather than a private reviewer session.

Service protections

  • Verify is delivered over HTTPS and protected with baseline browser security headers.
  • The service is read-only; it does not provide mutation endpoints for customer data or billing state.
  • Operational logging, request tracing, and abuse controls are used to protect availability.
  • Public keys and verification kits are fetched from AttestLayer-controlled public trust surfaces.

What Verify does not claim

  • Verify is not a compliance certification service.
  • It does not prove that the submitter's controls are effective beyond the cryptographic evidence actually presented.
  • It does not replace independent legal, procurement, or audit review.

Security reports for Verify should be sent through the Verify-specific disclosure page at /vulnerability-disclosure.

Verify is a public, read-only verification surface. It does not create a paid service relationship on its own.