Security and privacy are foundational to this project. We are committed to:

• Maintaining a secure codebase
• Responding promptly to security issues
• Protecting user privacy
• Transparency in our security practices

We recommend always using the latest version of this template for the most up-to-date security patches.

This template implements several security best practices:

• Restricts resource loading to prevent XSS attacks
• Blocks inline scripts and styles (where possible)
• Prevents data exfiltration to third parties

• No analytics or tracking
• No external dependencies that phone home
• All resources hosted locally
• No cookies or persistent storage (by default)

• Static site generation (no server vulnerabilities)
• IPFS deployment (distributed, no single point of failure)
• No reliance on centralized services

• Regular dependency audits
• Minimal dependency footprint
• Only well-maintained, audited packages

Please do not report security vulnerabilities through public GitHub issues.

We follow responsible disclosure practices. If you discover a security vulnerability:

1. Contact Information

   • Email: [INSERT SECURITY CONTACT EMAIL]
   • PGP Key: [INSERT PGP KEY ID OR LINK] (optional but recommended)
   • For anonymous reports, consider using a temporary encrypted email service

2. What to Include

   • Type of vulnerability
   • Full paths of source file(s) related to the vulnerability
   • Location of the affected source code (tag/branch/commit or direct URL)
   • Step-by-step instructions to reproduce the issue
   • Proof-of-concept or exploit code (if possible)
   • Impact assessment
   • Suggested fix (if you have one)

3. Response Timeline

   • Initial Response: Within 48 hours
   • Status Update: Within 7 days
   • Fix Timeline: Depends on severity (see below)
   • Public Disclosure: After fix is released

• Remote code execution
• Authentication bypass
• Data exfiltration vulnerabilities
• XSS that leads to account compromise

• XSS vulnerabilities
• CSRF vulnerabilities
• Privacy leaks
• Dependency vulnerabilities with known exploits

• Security misconfigurations
• Information disclosure
• Minor privacy issues

• Security improvements
• Defense-in-depth measures
• Best practice implementations

1. Keep Dependencies Updated

   npm audit
   npm update

2. Review Generated Code

   • Don't blindly trust any template
   • Audit the code before deployment
   • Understand what you're deploying

3. Secure Your Development Environment

   • Use strong authentication for git repositories
   • Protect your private keys
   • Use encrypted connections

4. IPFS Deployment Security

   • Verify content hashes match expected values
   • Pin important content to multiple nodes
   • Consider using IPNS for mutable pointers

5. Content Security

   • Never commit secrets to git
   • Use environment variables for sensitive data
   • Review .gitignore to prevent accidental exposure

1. Before Adding Dependencies

   • Check the package's reputation and maintenance status
   • Review the package's permissions and network activity
   • Verify licensing compatibility (GPL-3.0)
   • Check for known vulnerabilities: npm audit

2. Before Adding Features

   • Consider privacy implications
   • Maintain static site generation
   • Avoid server-side dependencies
   • Document security considerations

3. Testing

   • Test Content Security Policy compliance
   • Verify no external resources are loaded
   • Check for XSS vulnerabilities
   • Validate all user inputs (if applicable)

The following are considered out of scope for this template:

• Server-side security: This is a static site template
• DDoS protection: Handle at infrastructure level
• Physical security: User responsibility
• Social engineering: User awareness and training

See docs/THREAT-MODEL.md for detailed threat analysis.

When serving this site, configure your server/gateway with:

Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer
Permissions-Policy: geolocation=(), microphone=(), camera=()

• Public gateways may log access (privacy concern)
• Run your own gateway for maximum privacy
• Consider using Tor or VPN when accessing IPFS content

1. Check git tag signatures
2. Verify commit signatures from trusted maintainers
3. Compare checksums of downloaded files

Maintainer PGP keys should be published:

• On public keyservers
• In this repository (.github/KEYS file)
• On personal websites

Currently, we do not have a formal bug bounty program. However, we deeply appreciate security researchers who help keep this project secure and will publicly acknowledge contributors (with permission).

We thank the following security researchers for their responsible disclosure:

• [List will be populated as vulnerabilities are reported and fixed]

• OWASP Top 10
• Content Security Policy
• IPFS Security Considerations
• Web Application Security Testing

For non-security questions, use GitHub Issues or Discussions.

For security concerns, follow the responsible disclosure process above.

Last updated: 2025-11-12