Security: markhazleton/ReactSparkPortfolio

SECURITY.md

Security Policy

Supported Versions

Version   Supported
Latest    Yes

Reporting a Vulnerability

If you discover a security vulnerability in this project, please report it by:

  1. DO NOT open a public issue
  2. Email the maintainer directly or use GitHub's private vulnerability reporting

What to Include

  • Description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact
  • Suggested fix (if any)

Response Time

  • You can expect an initial response within 48 hours
  • We will work to address critical vulnerabilities as quickly as possible
  • You will be kept informed of progress throughout the resolution process

Security Best Practices for This Project

Dependencies

  • Dependencies are regularly updated using Dependabot
  • Security audits are run via npm audit
  • Critical vulnerabilities are addressed immediately

Content Security Policy (CSP)

This project implements a Content Security Policy configured in:

  • staticwebapp.config.json (production)
  • vite.config.ts (development)

See .documentation/SECURITY.md for detailed CSP architecture decisions.

Authentication & Data

  • This is a public portfolio site with no user authentication
  • All external data is fetched from trusted sources (markhazleton.com)
  • No sensitive user data is collected or stored
  • API keys are managed via environment variables (never committed)

Security Headers

The application implements these security headers:

  • X-Content-Type-Options: nosniff
  • X-Frame-Options: DENY
  • X-XSS-Protection: 1; mode=block
  • Content-Security-Policy (see detailed configuration)
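The two sections above state which headers the site should send and that the CSP differs between the production config (staticwebapp.config.json) and the dev server (vite.config.ts). The following is an added example, not code from the ReactSparkPortfolio repository: it checks a response's headers against the values listed in this policy, parses the Content-Security-Policy value into directives, and reports exactly which sources a dev policy adds on top of the production one. The sample header objects, the CSP strings, the OpenWeatherMap hostname and the Vite port are constructed assumptions, not captured from the live site.

```javascript
// Added example (not part of the ReactSparkPortfolio project): verify that a
// response carries the security headers listed in the policy, and compare a
// dev CSP with the production CSP directive by directive.

// Expected values come from the policy text above.
const EXPECTED_HEADERS = {
  'x-content-type-options': 'nosniff',
  'x-frame-options': 'DENY',
  'x-xss-protection': '1; mode=block',
};

// HTTP header names are case-insensitive, so normalise before comparing.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// Parse a Content-Security-Policy value into { directive: [sources...] }.
// A repeated directive is ignored by browsers, so only the first one is kept.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!(key in directives)) directives[key] = sources;
  }
  return directives;
}

// Check a response's headers against the policy. Returns the problems found
// so a deployment test can fail with a precise message instead of a boolean.
function checkSecurityHeaders(headers) {
  const h = normalizeHeaders(headers);
  const problems = [];
  for (const [name, expected] of Object.entries(EXPECTED_HEADERS)) {
    if (!(name in h)) problems.push(`missing ${name}`);
    else if (h[name] !== expected) problems.push(`${name} is "${h[name]}", expected "${expected}"`);
  }
  const csp = h['content-security-policy'];
  if (!csp) {
    problems.push('missing content-security-policy');
  } else {
    const d = parseCsp(csp);
    // Without default-src, any directive not listed explicitly is unrestricted.
    if (!d['default-src']) problems.push('csp has no default-src fallback');
    // 'unsafe-inline' in script-src removes most of the XSS protection CSP provides.
    if ((d['script-src'] || []).includes("'unsafe-inline'")) problems.push("csp script-src allows 'unsafe-inline'");
  }
  return { ok: problems.length === 0, problems };
}

// Sources a dev policy allows that the production policy does not.
// Useful for confirming that the dev server only relaxes what HMR needs.
function cspDifferences(prodPolicy, devPolicy) {
  const prod = parseCsp(prodPolicy);
  const dev = parseCsp(devPolicy);
  const extra = {};
  for (const [name, sources] of Object.entries(dev)) {
    const added = sources.filter((s) => !(prod[name] || []).includes(s));
    if (added.length) extra[name] = added;
  }
  return extra;
}

// Constructed sample data (assumptions; not the real site's headers or policies).
const SAMPLE_PROD_CSP = "default-src 'self'; script-src 'self'; connect-src 'self' https://markhazleton.com https://api.openweathermap.org https://v2.jokeapi.dev; img-src 'self' data:; frame-ancestors 'none'";
const SAMPLE_DEV_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'; connect-src 'self' ws://localhost:5173 https://markhazleton.com https://api.openweathermap.org https://v2.jokeapi.dev; img-src 'self' data:; frame-ancestors 'none'";

const sampleProdResponse = {
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',
  'X-XSS-Protection': '1; mode=block',
  'Content-Security-Policy': SAMPLE_PROD_CSP,
};

console.log(checkSecurityHeaders(sampleProdResponse));
console.log(cspDifferences(SAMPLE_PROD_CSP, SAMPLE_DEV_CSP));
```

To run the same check against a deployment, pass `Object.fromEntries(response.headers)` from a `fetch()` of the site's root to `checkSecurityHeaders`. Note that `X-XSS-Protection` is a legacy header that current Chromium- and Firefox-based browsers no longer act on; the CSP is the header doing the real work, which is why the check inspects its directives rather than only its presence.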

Third-Party Services

External services used by this application:

  • markhazleton.com - Portfolio data backend
  • OpenWeatherMap API - Weather data
  • JokeAPI (v2.jokeapi.dev) - Joke content
  • Azure Static Web Apps - Hosting platform

All external API calls are made over HTTPS.
