We take security seriously at BetterSJDM. If you discover a security vulnerability, please report it responsibly.

Do NOT open a public GitHub issue for security vulnerabilities.

Instead, please email: jeraldabihaypascual@gmail.com

Include in your report:

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Suggested fix (if any)

Server Security:

• HTTPS enforced via .htaccess
• HTTP Strict Transport Security (HSTS)
• Content Security Policy (CSP) headers
• X-Frame-Options to prevent clickjacking
• X-Content-Type-Options to prevent MIME sniffing
• Referrer-Policy for privacy

Application Security:

• No user authentication or data collection
• No database or server-side processing
• Static site with client-side rendering only
• External API calls limited to weather and exchange rates
• No cookies or local storage for sensitive data

Data Security:

• All data sourced from public government portals
• No personal identifiable information (PII) stored
• No user input forms that store data

When contributing code:

1. Never commit secrets - API keys, passwords, or credentials
2. Validate inputs - Sanitize any user-facing inputs
3. Use HTTPS - All external resources must use HTTPS
4. Review dependencies - Check for known vulnerabilities
5. Follow CSP - Ensure new scripts comply with Content Security Policy

This security policy covers:

• The BetterSJDM website
• The GitHub repository
• Associated build tools and scripts

Out of scope:

• Third-party services (Google Analytics, APIs)
• User's local environment
• Social media accounts

For security concerns: jeraldabihaypascual@gmail.com

Thank you for helping keep BetterSJDM secure for the community.