Contact: mailto:security@newhamburglive.ca
Contact: https://www.newhamburglive.ca/pages/contact/
Expires: 2026-12-28T23:59:00.000Z
Preferred-Languages: en, fr
Canonical: https://www.newhamburglive.ca/.well-known/security.txt

# Security Policy for New Hamburg LIVE!
# This file provides information about reporting security vulnerabilities
#
# KEY POLICIES:
# - Do not publish/disclose vulnerabilities publicly before we respond
# - Allow reasonable time for patches (30 days minimum)
# - Security issues should be reported privately to security@newhamburg.live
# - This is a static HTML/CSS/JavaScript site with no backend infrastructure
#
# SECURITY MEASURES IN PLACE:
# - All external iframes have sandbox attributes (allow-same-origin, allow-popups for Waze, allow-scripts for internal)
# - Content Security Policy headers restrict script/resource loading
# - API calls use HTTPS only (TLS 1.2+, OCSP stapling)
# - HSTS header enforced (1 year with subdomains)
# - X-Frame-Options: SAMEORIGIN (clickjacking prevention)
# - X-Content-Type-Options: nosniff (MIME sniffing prevention)
# - No sensitive data stored in localStorage or sessionStorage
# - CORS-protected API endpoints (Environment Canada, Open-Meteo, IESO, etc.)
# - Referrer policy set to strict-origin-when-cross-origin
# - No embedded secrets or API keys in client-side code
# - Service Worker for offline functionality with secure caching
# - Input validation and sanitization on all API responses
# - External links have rel="noopener noreferrer" for security
#
# KNOWN LIMITATIONS:
# - Waze embed is third-party; follow Waze's security practices
# - Weather data from Open-Meteo (https://open-meteo.com/privacy)
# - Rail crossing sensors use local IoT devices (not internet-exposed)
# - Civic reports and story submissions require backend moderation (currently placeholder)
# - Scanner feeds require responsible use by viewers (public information only)
#
# BROWSERS & COMPATIBILITY:
# - Tested on Chrome 90+, Firefox 88+, Safari 14+, Edge 90+
# - Mobile-responsive design; works on iOS 12+ and Android 8+
#
# ATTRIBUTION & THIRD-PARTY DATA:
# See /pages/how-it-works/ for complete list of data sources
# All APIs provide attribution-required data; full credits given on dashboard