Security posture

Static-site security and runtime protection criteria.

The current Altifigence public sites are static sites. They have no paid API endpoint, no login flow, no form submission, and no server-side code.

Current state

Small public surface

The deployed content is served from public/ as static files. Pages are written in HTML and CSS. The assistant page is a static preview and cannot call a provider or incur provider costs.

Basic static-site headers are configured in _headers, including content-type sniffing protection, frame restrictions, a referrer policy, a permissions policy, and a restrictive content security policy.
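To check that a _headers file actually carries the controls listed above, here is an added example (not part of the site's own code) that parses a constructed _headers file in the Cloudflare Pages format and reports missing or weakened headers. The sample values and the acceptance rules for each header are assumptions.

```python
"""Audit a Cloudflare Pages _headers file for the headers this page lists.
Added example with constructed input, not the site's own file."""

# Constructed sample in _headers syntax (assumed): an unindented line is a
# path pattern; the indented "Name: value" lines below it apply to that path.
SAMPLE_HEADERS = """\
/*
  X-Content-Type-Options: nosniff
  X-Frame-Options: DENY
  Referrer-Policy: strict-origin-when-cross-origin
  Permissions-Policy: camera=(), microphone=(), geolocation=()
  Content-Security-Policy: default-src 'self'; object-src 'none'; frame-ancestors 'none'
"""

# The five controls the page names, each with a predicate for an acceptable value.
REQUIRED = {
    "X-Content-Type-Options": lambda v: v.lower() == "nosniff",
    "X-Frame-Options": lambda v: v.upper() in ("DENY", "SAMEORIGIN"),
    "Referrer-Policy": lambda v: "unsafe-url" not in v.lower(),
    "Permissions-Policy": lambda v: bool(v.strip()),
    "Content-Security-Policy": lambda v: "default-src" in v
    and "'unsafe-inline'" not in v and "'unsafe-eval'" not in v,
}


def parse_headers_file(text):
    """Return {path_pattern: {header_name: value}} from _headers text."""
    rules, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                                 # blank or comment line
        if raw[0] not in " \t":                      # path pattern line
            current = raw.strip()
            rules.setdefault(current, {})
        elif current is not None and ":" in raw:     # header line under a path
            name, value = raw.strip().split(":", 1)
            rules[current][name.strip()] = value.strip()
    return rules


def audit(text, pattern="/*"):
    """Return problems found for one path pattern; an empty list means OK."""
    headers = parse_headers_file(text).get(pattern, {})
    problems = []
    for name, ok in REQUIRED.items():
        if name not in headers:
            problems.append(f"missing {name}")
        elif not ok(headers[name]):
            problems.append(f"weak {name}: {headers[name]}")
    return problems
```

Running audit against the real public/ deployment's _headers file (or a copy of it) returns an empty list when all five controls are present and not weakened.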

Future plan

Controls required before any paid runtime

Turnstile

Require bot checks before accepting assistant requests.

Pages Functions

Keep provider calls server-side with reviewed request validation.

Rate limiting

Limit misuse by IP, session, route, and request volume.

AI Gateway

Route provider traffic through Cloudflare controls and observability.

Budget guards

Set daily and monthly limits before any paid provider traffic is enabled.

Secret handling

Store runtime secrets only in Cloudflare settings, never in the repository.

Disclosure

Report security issues privately.

Do not file public issues for security findings. Use the organization security policy for affected repositories, or email [email protected].

Public issues are appropriate for documentation bugs, broken links, accessibility problems, and ordinary website defects.
