SECURITY // CONTROLS

Security Program

A summary of the controls we use to keep the website, the admin flow, and the open-source delivery pipeline defensible.

Dependency audit
0

Known npm vulnerabilities reported by the production dependency audit.

Admin session
HttpOnly

Secure, SameSite cookie; no session token is returned in the JSON response.

Admin backend
Cloudflare

Pages Function with an explicit origin allowlist and optional Turnstile verification.

Disclosure
security.txt

Security contact and policy published for researchers.

Application controls

The public site is statically prerendered and served through Cloudflare Pages. The admin API is isolated as a server-side Pages Function.

  • Content Security Policy, HSTS, and frame protection
  • Exact-origin admin API allowlist
  • No client-side GitHub token exposure

Admin hardening

Administrative writes are authenticated server-side before GitHub content updates are allowed. The browser stores only non-secret identity metadata.

  • HttpOnly Secure SameSite=Strict session cookie
  • No password or session token in browser storage
  • Constant-time credential comparison
  • Optional Turnstile verification
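As an added example that is not the site's own code, the following JavaScript sketches a Cloudflare Pages Function-style login handler that puts the controls from both lists above in one place: the exact-origin allowlist and response headers from the application controls, and the constant-time credential comparison, HttpOnly Secure SameSite=Strict cookie and token-free JSON body from the admin hardening list. The binding names ADMIN_ORIGINS, ADMIN_USER and ADMIN_PASSWORD, the cookie name and the header values are assumptions chosen for illustration; Turnstile is left out because verifying it needs a network call to Cloudflare.

```javascript
// Added example (not the project's code): a Cloudflare Pages Function-style
// admin login handler showing the controls listed on this page. The binding
// names ADMIN_ORIGINS, ADMIN_USER and ADMIN_PASSWORD are assumed, not real.

// Exact-origin allowlist: a Set lookup on the full Origin header value.
// Prefix or substring checks are the classic bypass:
//   "https://example.com.evil.net".startsWith("https://example.com") === true
function isAllowedOrigin(origin, allowedOrigins) {
  return typeof origin === "string" && allowedOrigins.has(origin);
}

// Constant-time string comparison. Every byte is XOR-folded into `diff`
// with no early return, so the time taken does not depend on which byte
// mismatches first; only the longer input's length affects the loop count.
function constantTimeEqual(a, b) {
  const enc = new TextEncoder();
  const x = enc.encode(String(a));
  const y = enc.encode(String(b));
  let diff = x.length ^ y.length;
  const n = Math.max(x.length, y.length);
  for (let i = 0; i < n; i++) {
    diff |= (x[i] ?? 0) ^ (y[i] ?? 0);
  }
  return diff === 0;
}

// Headers applied to every response: CSP with frame-ancestors 'none' plus
// X-Frame-Options for older browsers, HSTS, and no MIME sniffing.
function securityHeaders() {
  return {
    "Content-Security-Policy":
      "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
  };
}

// The session cookie the browser cannot read: HttpOnly hides it from
// document.cookie, Secure restricts it to HTTPS, SameSite=Strict stops
// cross-site requests from carrying it. The __Host- prefix makes browsers
// reject the cookie unless Secure and Path=/ are set and Domain is absent.
function sessionCookie(sessionId, maxAgeSeconds = 3600) {
  return `__Host-admin_session=${sessionId}; Path=/; Secure; HttpOnly; ` +
    `SameSite=Strict; Max-Age=${maxAgeSeconds}`;
}

// Synchronous decision logic so it can be exercised without a Request.
// `config` carries the parsed bindings; `newSessionId` is injected so the
// session identifier can be fixed in a test.
function handleLogin({ origin, username, password }, config, newSessionId) {
  if (!isAllowedOrigin(origin, config.allowedOrigins)) {
    return { status: 403, headers: securityHeaders(), body: { error: "origin not allowed" } };
  }
  // Compare both fields before deciding, so a wrong username costs the
  // same time as a wrong password.
  const userOk = constantTimeEqual(username ?? "", config.adminUser);
  const passOk = constantTimeEqual(password ?? "", config.adminPassword);
  if (!(userOk && passOk)) {
    return { status: 401, headers: securityHeaders(), body: { error: "invalid credentials" } };
  }
  return {
    status: 200,
    headers: { ...securityHeaders(), "Set-Cookie": sessionCookie(newSessionId()) },
    // Only non-secret identity metadata goes to the browser; the session
    // token travels solely in the HttpOnly cookie.
    body: { user: username, role: "admin" },
  };
}

// Pages Function entry point: onRequestPost({ request, env }) is the shape
// Cloudflare documents for POST handlers. Turnstile verification (a POST to
// Cloudflare's siteverify endpoint) would run before handleLogin and is
// omitted here because it needs the network.
async function onRequestPost({ request, env }) {
  const { username, password } = await request.json();
  const config = {
    allowedOrigins: new Set(env.ADMIN_ORIGINS.split(",").map((s) => s.trim())),
    adminUser: env.ADMIN_USER,
    adminPassword: env.ADMIN_PASSWORD,
  };
  const result = handleLogin(
    { origin: request.headers.get("Origin"), username, password },
    config,
    () => crypto.randomUUID(),
  );
  return new Response(JSON.stringify(result.body), {
    status: result.status,
    headers: { "Content-Type": "application/json", ...result.headers },
  });
}
```

The allowlist check is the part most often got wrong: a startsWith or regex test accepts https://example.com.evil.net, while the Set lookup accepts only the exact Origin value and rejects a missing header outright. The cookie is the only place the session identifier appears; the JSON body carries just the username and role so the UI can render them without ever holding a secret.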

Vulnerability disclosure

Send security reports directly to the maintainers, using the contact published in security.txt, with reproduction steps, affected URLs, impact, and any safe proof of concept.

Research rules

Good-faith research is welcome when it avoids harm to users, data, infrastructure, and service availability.

  • Do not access, modify, or exfiltrate data that is not yours
  • Do not use phishing, social engineering, spam, or denial-of-service testing
  • Use GitHub issues only for non-sensitive bugs

Out of scope

Reports need a realistic security impact. Low-risk findings without a demonstrated exploit may be closed without remediation.

  • Missing best-practice headers without a working exploit
  • Scanner-only findings with no reproducible impact
  • Issues in third-party services outside Kernel Guard control