A public summary of the controls we use to keep the website, admin workflow, and open-source delivery pipeline defensible.
Known npm vulnerabilities after production audit.
Pages Function with origin-aware CORS and optional Turnstile.
Security headers managed through Cloudflare Pages.
The public site is statically prerendered and served through Cloudflare Pages. The admin API is isolated as a server-side Pages Function.
Administrative writes are authenticated server-side before GitHub content updates are allowed.
Security reports should be sent directly to the maintainers with reproduction steps and affected URLs.