This domain is under defensive control by a security researcher. It was registered after Route 53 confirmed it had lapsed back to the registry, while still being referenced in the Content Security Policy of one or more production sites. The trust position is preserved — held safely — until the affected operators remove the reference.
If a site you operate loads a <script src> from, calls fetch on, sets a CSP report-uri to,
or otherwise references www.sap-espresso.com, that reference now points at the researcher's server, not at the
service it was originally configured for. The fix is to remove the reference (or repoint it at infrastructure
you control) in every CSP and HTML template that lists it.
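One way to find every such reference before removing it, as an added example (not code from this page or from the researcher's server): the Python sketch below lists the CSP directives and HTML attributes that point at the host, including wildcard entries that also cover it. The function names are illustrative, and the sample policy and markup are constructed.

```python
import re
from html.parser import HTMLParser

LAPSED_HOST = "www.sap-espresso.com"  # the host named on this page

def host_of(expr):
    """Host part of a CSP source expression or URL; None for keywords, schemes, '*'."""
    expr = expr.strip().lower()
    if not expr or expr.startswith("'") or expr == "*" or re.fullmatch(r"[a-z][a-z0-9+.-]*:", expr):
        return None
    expr = re.sub(r"^(?:[a-z][a-z0-9+.-]*:)?//", "", expr)  # drop scheme or leading //
    return expr.split("/", 1)[0].split(":", 1)[0]           # drop path, then port

def covers(pattern, host):
    """True if a host pattern (exact or '*.suffix' wildcard) matches host."""
    if not pattern:
        return False
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # '*.a.com' covers 'www.a.com', not 'a.com'
    return pattern == host

def csp_hits(policy, host=LAPSED_HOST):
    """Map each directive name to the source expressions that cover host."""
    hits = {}
    for directive in policy.split(";"):
        parts = directive.split()
        matched = [s for s in parts[1:] if covers(host_of(s), host)]
        if matched:
            hits[parts[0].lower()] = matched
    return hits

class _RefFinder(HTMLParser):
    def __init__(self, host):
        super().__init__()
        self.host, self.hits = host, []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href", "action", "data") and value and covers(host_of(value), self.host):
                self.hits.append((tag, name, value))

def html_hits(html, host=LAPSED_HOST):
    """List (tag, attribute, value) triples whose URL points at host."""
    finder = _RefFinder(host)
    finder.feed(html)
    return finder.hits

# Constructed sample inputs, not taken from any real site.
SAMPLE_CSP = ("default-src 'self'; script-src 'self' https://www.sap-espresso.com https://cdn.example.net; "
              "img-src *.sap-espresso.com data:; report-uri https://www.sap-espresso.com/csp")
SAMPLE_HTML = '<script src="//www.sap-espresso.com/a.js"></script><img src="/logo.png">'
```

Run csp_hits over each policy string your servers emit and html_hits over each rendered template; an empty result from both means the host is no longer referenced there.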
This domain is served by a small Go server that returns benign content per CSP directive class: JavaScript that prints a single console message, CSS with one no-op custom property, a transparent 1×1 PNG, an inert SVG, etc. No data is captured beyond the standard access-log line (timestamp, IP, host, path, status, headers); no exploitation is attempted against any third-party application; no traffic is forwarded anywhere.
pre-submission
If you operate the affected origin (or this domain) and want the artifact removed or the trust position released, the HackerOne profile above accepts coordinated disclosure. The domain will be transferred, parked, or unbound at your direction.
No tracking. No third-party requests. View source — there is nothing else.