Andrew Weston
Security posture
Published controls · Responsible disclosure

Security claims should be testable.

WestonHQ is deliberately small: static files at the edge, no application server, and no visitor data collection. The controls below are served with every page and can be inspected directly in the browser.

RuntimeZero third-party code or package dependencies
DataNo cookies, analytics, forms, or local storage
PolicyDefault-deny CSP with self-hosted assets only

Browser and transport controls

  • Content Security Policy starts at default-src 'none' and explicitly permits only same-origin images, styles, and scripts.
  • HSTS requires HTTPS for the apex domain and subdomains.
  • Framing is denied, MIME sniffing is disabled, and cross-origin opener and resource policies isolate the page.
  • Permissions Policy disables access to camera, microphone, geolocation, payment, USB, and other device capabilities.
  • Referrer data is limited to the origin when leaving this site.

Supply-chain and privacy posture

The production artifact is plain HTML, CSS, JavaScript, and one local image. It does not fetch fonts, embeds, analytics, tag managers, advertising, or code from third parties. There is no build dependency graph and no application database. Cloudflare Pages terminates TLS and serves the static artifact.

Report a vulnerability

Please send a concise reproduction to security@westonhq.com. Do not access other people’s data, degrade service, or use social engineering. Good-faith reports will be acknowledged and investigated. The machine-readable disclosure contact is published at /.well-known/security.txt.