Security
Security posture for the public Skool CRM surface
Skool CRM separates its public marketing surface from operational product and admin surfaces so discovery, authentication, and internal controls do not share the same indexing posture.
Architecture boundary
The landing site is statically exported and indexable. Product and admin surfaces are intentionally marked `noindex` and blocked in robots rules because they are operational environments rather than public acquisition pages.
Headers and browser controls
The public site ships with CSP, HSTS, referrer policy, permissions policy, frame protections, and MIME sniffing protection through static headers.
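One way to verify that a response actually carries the six controls listed above, as an added example that is not Skool CRM's own code. The function names, the 180-day HSTS threshold, and both sample header sets are assumptions constructed for illustration.

```python
MIN_HSTS_AGE = 15552000  # 180 days; threshold is an assumption, not from the page

def hsts_max_age(value):
    """Return max-age in seconds from a Strict-Transport-Security value, or 0."""
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name.strip().lower() == "max-age" and arg.strip().strip('"').isdigit():
            return int(arg.strip().strip('"'))
    return 0

def csp_directives(value):
    """Map each CSP directive name to its source tokens (first occurrence wins)."""
    out = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out.setdefault(tokens[0].lower(), tokens[1:])
    return out

def audit_headers(headers):
    """Return findings for the six controls; an empty list means all are in place."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    csp = csp_directives(h.get("content-security-policy", ""))
    findings = []
    if not csp:
        findings.append("csp: missing")
    if hsts_max_age(h.get("strict-transport-security", "")) < MIN_HSTS_AGE:
        findings.append("hsts: missing or max-age too short")
    if h.get("referrer-policy", "").lower() in ("", "unsafe-url"):
        findings.append("referrer-policy: missing or unsafe-url")
    if not h.get("permissions-policy"):
        findings.append("permissions-policy: missing")
    # Frame protection can come from either X-Frame-Options or CSP frame-ancestors.
    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("framing: no X-Frame-Options or frame-ancestors")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("mime-sniffing: X-Content-Type-Options is not nosniff")
    return findings

# Constructed sample responses (not captured from the real site).
GOOD = {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
        "Referrer-Policy": "strict-origin-when-cross-origin",
        "Permissions-Policy": "camera=(), microphone=()",
        "X-Content-Type-Options": "nosniff"}
WEAK = {"Content-Security-Policy": "default-src *",
        "Strict-Transport-Security": "max-age=300",
        "Referrer-Policy": "unsafe-url", "X-Frame-Options": "ALLOWALL"}

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("weak", WEAK)):
        print(name, audit_headers(sample) or "all six controls present")
```

Feeding it the headers from a real response (for example, parsed from `curl -sI` output) turns the list of controls into a check that can run in CI after each static export.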
Disclosure channel
Report security issues to [email protected]. Critical reports are reviewed the same business day.