Grokking Access the Master Compendium

Security

Security overview

This starter uses a static-first architecture, minimal JavaScript, host-level security headers, and basic client-side input validation to reduce common attack surface.

Baseline controls

  • Static HTML where possible to reduce runtime attack surface.
  • No third-party scripts by default; analytics is opt-in and event-only.
  • Security headers configured in public/_headers (CSP, HSTS, frame options).
  • Honeypot and email validation on the capture form.
  • No reflection of user input into rendered page output.

Data handling

  • Emails are posted only to the endpoint you configure via PUBLIC_EMAIL_CAPTURE_ENDPOINT.
  • Analytics payloads contain only event name, label, and path.

Recommended next steps

  • Add server-side validation if you introduce a backend endpoint.
  • Run dependency and SCA audits in CI.
  • Use CSP nonces or hashes if you add more inline scripts.
  • Enable TLS-only origins and enforce HTTPS redirects at your host.