Security & Network Information
For IT and security teams reviewing 401kHunter for allowlist purposes. Last updated May 2026.
What this site is
401kHunter is a B2B SaaS application for financial advisors and retirement-plan consultants. It surfaces and enriches data from public U.S. Department of Labor Form 5500 filings, the same public dataset used by industry tools such as Judy Diamond and BrightScope. The product is operated by JSP Global Consulting LLC (a U.S. limited liability company). It does not handle ePHI or payment card data (payments are processed by Stripe, server-side), nor any data subject to financial-account disclosure rules.
Security contact
Report a vulnerability or coordinate a disclosure: security@401khunter.com.
Machine-readable security policy (RFC 9116): /.well-known/security.txt.
Hosting & data
- Application hosted on Vercel (United States).
- Database hosted on Supabase (Postgres, United States region).
- Email delivery via Resend; SPF/DKIM/DMARC published on 401khunter.com.
- Source data: public DOL Form 5500 filings. No scraping, no proprietary or restricted data sources.
Security posture
- TLS everywhere (HSTS with includeSubDomains and preload).
- Content-Security-Policy enforced: scripts run only from allowlisted origins, no inline script from untrusted sources, and framing is disallowed via frame-ancestors 'none'.
- X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy: strict-origin-when-cross-origin, restrictive Permissions-Policy.
- Marketing pixels (Google, Meta, LinkedIn) load only after explicit cookie consent. Without consent, no third-party advertising request leaves the browser.
- Authentication via Supabase Auth (server-side session, httpOnly cookies). Sensitive admin routes are gated by both middleware and per-route checks.
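A reviewing team will usually want to verify the header claims above rather than take them on trust. The following is an added example, not 401kHunter's own code: it checks a set of response headers against each claim in the list (HSTS with a preload-eligible max-age, includeSubDomains and preload; CSP with frame-ancestors 'none' and no wildcard or unprotected 'unsafe-inline' in script-src; the X-Frame-Options, nosniff, Referrer-Policy and Permissions-Policy headers). The sample headers are constructed; replace them with the output of `curl -sI https://www.401khunter.com/` to check the live site.

```python
"""Check a set of HTTP response headers against the posture claims above.

Added example, not part of 401kHunter's code base. SAMPLE_HEADERS is a
constructed, compliant-looking response; feed check_posture() real headers
from `curl -sI https://www.401khunter.com/` to test the live site.
"""
from typing import Dict, List

# hstspreload.org requires max-age of at least one year (31536000 s).
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(value: str) -> Dict[str, object]:
    """Parse a Strict-Transport-Security value into max-age and flags."""
    out: Dict[str, object] = {"max_age": None, "includesubdomains": False, "preload": False}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age" and val.strip().isdigit():
            out["max_age"] = int(val.strip())
        elif name in out:
            out[name] = True
    return out


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [source tokens]}."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def check_posture(headers: Dict[str, str]) -> List[str]:
    """Return findings; an empty list means every claim on this page holds."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []

    hsts = parse_hsts(h.get("strict-transport-security", ""))
    if hsts["max_age"] is None or hsts["max_age"] < PRELOAD_MIN_MAX_AGE:
        findings.append("HSTS max-age missing or under one year")
    if not hsts["includesubdomains"]:
        findings.append("HSTS lacks includeSubDomains")
    if not hsts["preload"]:
        findings.append("HSTS lacks preload")

    csp = parse_csp(h.get("content-security-policy", ""))
    if not csp:
        findings.append("no Content-Security-Policy header")
    else:
        if csp.get("frame-ancestors") != ["'none'"]:
            findings.append("CSP frame-ancestors is not 'none'")
        # script-src falls back to default-src when absent.
        scripts = csp.get("script-src", csp.get("default-src", []))
        # A nonce or hash source makes browsers ignore 'unsafe-inline' (CSP3),
        # so only flag it when no such source is present.
        has_nonce_or_hash = any(
            s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in scripts
        )
        if "*" in scripts or ("'unsafe-inline'" in scripts and not has_nonce_or_hash):
            findings.append("CSP script-src allows wildcard or unprotected 'unsafe-inline'")

    if h.get("x-frame-options", "").strip().upper() != "DENY":
        findings.append("X-Frame-Options is not DENY")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if h.get("referrer-policy", "").strip().lower() != "strict-origin-when-cross-origin":
        findings.append("Referrer-Policy is not strict-origin-when-cross-origin")
    if not h.get("permissions-policy", "").strip():
        findings.append("no Permissions-Policy header")
    return findings


# Constructed sample: what a compliant response would look like.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": (
        "default-src 'self'; "
        "script-src 'self' 'nonce-c0nstructed' https://us.i.posthog.com; "
        "frame-ancestors 'none'"
    ),
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    for finding in check_posture(SAMPLE_HEADERS) or ["all posture claims hold"]:
        print(finding)
```

The preload threshold is the one hstspreload.org enforces; a site can send includeSubDomains and preload with a shorter max-age, but the browser preload list will not accept it.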
Domains loaded by this app
The following are the only third-party origins the application talks to from the browser. If your egress proxy blocks unknown domains, allowlisting the “always” rows is enough for full functionality; the “consent-only” rows are optional and never requested unless the user accepts marketing cookies.
Always
| Domain | Purpose |
|---|---|
| www.401khunter.com | Main application + API + same-origin tunnel for error monitoring (/monitoring). |
| *.supabase.co (https + wss) | Authentication, database access, realtime subscriptions (Supabase). |
| us.i.posthog.com / *.posthog.com | Product analytics (PostHog) — pageviews, feature usage. No PII beyond user id/email when signed in. |
| *.ingest.sentry.io / *.ingest.us.sentry.io | Error monitoring (Sentry). Most browser traffic is tunneled same-origin via /monitoring; the *.sentry.io entries are a safety net. |
| *.upstash.io | Rate-limit token store (Upstash Redis). Called only from edge/server code, never from the browser, so it needs no browser-side allowlist entry. |
Only after cookie consent (optional)
| Domain | Purpose |
|---|---|
| www.googletagmanager.com / www.google-analytics.com | Google Analytics 4 + Google Ads conversion tracking. |
| connect.facebook.net / www.facebook.com | Meta Pixel — ad conversion tracking. |
| snap.licdn.com / px.ads.linkedin.com | LinkedIn Insight Tag — ad conversion tracking. |
Server-side only (never loaded by the browser, listed for completeness): api.stripe.com (payments), api.resend.com (transactional email), api.apollo.io (contact lookups), api.search.brave.com & api.perplexity.ai (company domain inference).
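To confirm that the two tables above really are the complete set, and that the consent-only origins stay silent until marketing cookies are accepted, a reviewer can export a HAR file from the browser's network panel during a signed-in session and classify every host it contacted. The following is an added example, not 401kHunter's tooling; it encodes the two tables as patterns, leaves out *.upstash.io because the page says the browser never talks to it, and reports any host outside both tables. The HAR fragment is constructed for the demonstration.

```python
"""Classify hosts from a browser HAR export against the allowlist tables above.

Added example, not 401kHunter's own tooling. SAMPLE_HAR is a constructed
fragment; export a real HAR (browser network panel -> "Save all as HAR")
and pass its text to classify_har().
"""
import json
from fnmatch import fnmatchcase
from typing import Dict, List, Set
from urllib.parse import urlsplit

# "Always" table (browser-side only; *.upstash.io is edge/server-side and omitted).
ALWAYS: List[str] = [
    "www.401khunter.com",
    "*.supabase.co",
    "us.i.posthog.com",
    "*.posthog.com",
    "*.ingest.sentry.io",
    "*.ingest.us.sentry.io",
]

# "Only after cookie consent" table.
CONSENT_ONLY: List[str] = [
    "www.googletagmanager.com",
    "www.google-analytics.com",
    "connect.facebook.net",
    "www.facebook.com",
    "snap.licdn.com",
    "px.ads.linkedin.com",
]


def host_matches(host: str, patterns: List[str]) -> bool:
    """Glob match on a lower-cased hostname ('*.x.y' requires the leading dot)."""
    return any(fnmatchcase(host, p.lower()) for p in patterns)


def classify_har(har_text: str, consent_given: bool) -> Dict[str, Set[str]]:
    """Bucket every host in the HAR: always / consent_only / unexpected.

    'violations' holds consent-only hosts that were contacted even though
    consent_given is False, i.e. the pixels fired before the user opted in.
    """
    har = json.loads(har_text)
    result: Dict[str, Set[str]] = {
        "always": set(), "consent_only": set(), "unexpected": set(), "violations": set()
    }
    for entry in har["log"]["entries"]:
        # urlsplit handles https:// and wss:// alike (Supabase realtime uses wss).
        host = urlsplit(entry["request"]["url"]).hostname
        if host is None:
            continue
        host = host.lower()
        if host_matches(host, ALWAYS):
            result["always"].add(host)
        elif host_matches(host, CONSENT_ONLY):
            result["consent_only"].add(host)
            if not consent_given:
                result["violations"].add(host)
        else:
            result["unexpected"].add(host)
    return result


# Constructed HAR fragment: three expected hosts, one pixel, one unknown CDN.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"request": {"url": "https://www.401khunter.com/api/plans?q=acme"}},
    {"request": {"url": "wss://abcd1234.supabase.co/realtime/v1/websocket"}},
    {"request": {"url": "https://us.i.posthog.com/e/"}},
    {"request": {"url": "https://www.googletagmanager.com/gtag/js?id=G-TEST"}},
    {"request": {"url": "https://cdn.example-widget.net/loader.js"}},
]}})

if __name__ == "__main__":
    report = classify_har(SAMPLE_HAR, consent_given=False)
    for bucket, hosts in report.items():
        print(f"{bucket}: {sorted(hosts)}")
```

Run it once with consent declined and once with consent accepted; in the first run the consent_only and violations sets should both be empty, and unexpected should be empty in both. Any host that lands in unexpected is either a domain missing from this page or something injected by a browser extension, and is worth a question to security@401khunter.com before allowlisting.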
For administrators who’ve blocked us
If 401kHunter is blocked on your network as “newly registered” or “uncategorized,” that’s a default policy on most corporate proxies for any new domain — not a finding about this site. We’ve submitted 401khunter.com for recategorization at Zscaler, Cisco Talos, Symantec/Broadcom, Palo Alto Networks, Forcepoint, Fortinet, BrightCloud, and McAfee/Trellix. If your team prefers to allowlist directly, the domains listed above are the complete set.
Questions or want to talk to engineering before allowlisting? Email security@401khunter.com — same-day response on business days.
Related: Privacy · Terms · Disclaimers · Contact