Security practices

This page summarises technical measures for visitors, recruiters, and lightweight due diligence. It is not a contract or certification.

Transport and headers

  • HTTPS in production with Strict-Transport-Security (HSTS), configurable preload via env.
  • Content-Security-Policy (nonce-based scripts in production), restrictive defaults, frame controls.
  • Standard hardening headers: X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP.

Privacy and analytics

  • Optional analytics require explicit consent; an HttpOnly cookie authorises server-side event ingest.
  • Contact and ledger data are handled under the published privacy notice.

Contact and APIs

  • Browser requests to sensitive POST APIs are expected from this site's origin (CSRF baseline).
  • Contact submissions are validated, rate limited, size capped, and include a honeypot field.
  • Admin login is rate limited; admin sessions use signed HttpOnly cookies with configurable lifetime.
  • CMS publish accepts only bounded JSON payloads.
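As an added illustration of the contact-API baseline above (example code, not the site's own), a request gate that combines the same-origin CSRF check, rate limit, size cap and honeypot; the origin, limits and field names are assumptions chosen for the example.

```javascript
// Added example: a baseline gate for a sensitive POST API such as a contact
// endpoint. Every constant below is hypothetical, not the site's real config.
const SITE_ORIGIN = 'https://example.com';   // assumed site origin
const MAX_BODY_BYTES = 4096;                 // size cap chosen for the example
const RATE_LIMIT = { windowMs: 60_000, max: 5 };
const HONEYPOT_FIELD = 'website';            // hidden field humans leave empty

const buckets = new Map(); // ip -> { count, resetAt }

// CSRF baseline: browser-initiated POSTs must carry this site's Origin.
// Each check returns a rejection reason, or null when the request passes.
function checkOrigin(headers) {
  const origin = headers['origin'];
  if (!origin) return 'missing-origin';
  return origin === SITE_ORIGIN ? null : 'bad-origin';
}

function checkSize(rawBody) {
  return Buffer.byteLength(rawBody, 'utf8') <= MAX_BODY_BYTES ? null : 'too-large';
}

// Fixed-window counter per client IP; resets when the window expires.
function checkRate(ip, now = Date.now()) {
  let b = buckets.get(ip);
  if (!b || now >= b.resetAt) {
    b = { count: 0, resetAt: now + RATE_LIMIT.windowMs };
    buckets.set(ip, b);
  }
  b.count += 1;
  return b.count <= RATE_LIMIT.max ? null : 'rate-limited';
}

// Parse and validate the JSON body; automated submitters tend to fill
// every field, so a non-empty honeypot marks the submission as spam.
function validateContact(rawBody) {
  let data;
  try { data = JSON.parse(rawBody); } catch { return 'bad-json'; }
  if (typeof data !== 'object' || data === null) return 'bad-json';
  if (data[HONEYPOT_FIELD]) return 'honeypot';
  if (typeof data.email !== 'string' || !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(data.email)) return 'bad-email';
  if (typeof data.message !== 'string' || data.message.trim().length === 0) return 'empty-message';
  return null;
}

// Run the gates cheapest first; the first failure is the response reason.
function gateContactRequest({ headers, ip, rawBody }) {
  return checkOrigin(headers) || checkRate(ip) || checkSize(rawBody) || validateContact(rawBody);
}
```

A rejected reason maps to a 403 (origin), 429 (rate) or 400 (size, body) response; a honeypot hit is best answered with the same 200 a real submission gets so that bots learn nothing.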

Responsible disclosure

See /.well-known/security.txt for contact details. Please allow reasonable time for triage before public discussion.

Hosting and operations

Use platform access controls (e.g. Vercel team roles), strong unique secrets in environment variables, and review dependency advisories (npm audit in CI). Edge WAF or bot filtering can be added at the provider if abuse patterns appear.

Questions: contact@patrickogbonna.com