/security
How we handle security and vulnerability reports. This page summarises our approach and where to find more.
Reporting a vulnerability
If you find a security issue, please report it responsibly. Do not open a public issue. Use the contact channel below or the security.txt file. We will acknowledge and work on a fix as soon as we can.
Researchers can also use the standard /.well-known/security.txt file for contact and policy.
Security highlights
Form submissions (contact) are protected by Cloudflare Turnstile and rate limiting; we do not store form content beyond what is needed to handle your request.
We send security headers (CSP, X-Frame-Options, X-Content-Type-Options, HSTS in production) to reduce the risk of clickjacking and MIME sniffing, and to enforce HTTPS.
Secrets and API keys are never committed; they live in environment variables and are not exposed to the client.
For data we collect and how long we keep it, see the Privacy Policy.