Security claims should be testable.
WestonHQ is deliberately small: static files at the edge, no application server, and no visitor data collection. The controls below are served with every page and can be inspected directly in the browser.
Browser and transport controls
- Content Security Policy starts at
default-src 'none'and explicitly permits only same-origin images, styles, and scripts. - HSTS requires HTTPS for the apex domain and subdomains.
- Framing is denied, MIME sniffing is disabled, and cross-origin opener and resource policies isolate the page.
- Permissions Policy disables access to camera, microphone, geolocation, payment, USB, and other device capabilities.
- Referrer data is limited to the origin when leaving this site.
Supply-chain and privacy posture
The production artifact is plain HTML, CSS, JavaScript, and one local image. It does not fetch fonts, embeds, analytics, tag managers, advertising, or code from third parties. There is no build dependency graph and no application database. Cloudflare Pages terminates TLS and serves the static artifact.
Report a vulnerability
Please send a concise reproduction to security@westonhq.com. Do not access other people’s data, degrade service, or use social engineering. Good-faith reports will be acknowledged and investigated. The machine-readable disclosure contact is published at /.well-known/security.txt.