Security
IntoBadminton v1 is a static Next.js export with no production database, no server-side account system, and no payment flow. That reduces attack surface, but it does not remove security obligations.
Current controls
- Non-essential analytics and ads are off by default.
- AdSense is disabled unless a compliant deployment mode is set.
- Review drafts stay local until a moderated backend exists.
- Source evidence avoids copied third-party review text.
Hosting requirements
Configure security headers at the host or CDN layer: Content-Security-Policy, Referrer-Policy, X-Content-Type-Options, Permissions-Policy, and HTTPS with Strict-Transport-Security where the host supports it. GitHub Pages does not let you set custom response headers, so serve through Cloudflare or Firebase Hosting when enforcing them. Because the site is a static export, there is no request-time nonce for the CSP; any inline script that the Next.js build emits has to be allowed by hash or by 'unsafe-inline', so check the built HTML before tightening script-src.
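The following is an added example, not the project's own configuration: it keeps the header policy in one place, renders it as the `hosting.headers` block that Firebase Hosting reads from firebase.json, and checks a set of response headers against the same policy so the deployed site can be verified after a cutover from GitHub Pages. The header values, the `POLICY` name, and the constructed sample response are assumptions; the CSP uses 'unsafe-inline' for scripts as the fallback described above and should be tightened once the built HTML has been inspected.

```python
"""Security-header policy for a static site: render it as a Firebase Hosting
headers block and verify a deployed response against it (example code)."""
import json
import sys
import urllib.request

# Assumed policy values for illustration, not the project's real config.
# A static export cannot mint per-request nonces, so script-src falls back
# to 'unsafe-inline'; hash-based allowlisting is the stricter alternative.
POLICY = {
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self' 'unsafe-inline'; "
        "style-src 'self' 'unsafe-inline'; img-src 'self' data:; "
        "object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
    ),
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "X-Content-Type-Options": "nosniff",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

# Constructed sample: what a host with no header control might return.
SAMPLE_BARE_RESPONSE = {
    "Content-Type": "text/html; charset=utf-8",
    "Cache-Control": "max-age=600",
}


def firebase_headers_config(policy=POLICY, source="**"):
    """Return a firebase.json fragment applying `policy` to every path.
    Firebase Hosting reads hosting.headers[].source and headers[].key/value."""
    return {
        "hosting": {
            "headers": [
                {
                    "source": source,
                    "headers": [{"key": k, "value": v} for k, v in policy.items()],
                }
            ]
        }
    }


def check_headers(received, policy=POLICY):
    """Compare response headers (names are case-insensitive) with the policy.
    Returns a list of findings; an empty list means the policy is served."""
    got = {k.lower(): v.strip() for k, v in received.items()}
    findings = []
    for name, want in policy.items():
        have = got.get(name.lower())
        if have is None:
            findings.append(f"missing: {name}")
        elif have != want:
            findings.append(f"mismatch: {name}: got {have!r}")
    # A CSP without frame-ancestors leaves the site embeddable (clickjacking).
    csp = got.get("content-security-policy", "")
    if csp and "frame-ancestors" not in csp:
        findings.append("weak: CSP lacks frame-ancestors")
    return findings


def fetch_headers(url):
    """HEAD request; returns the response headers as a plain dict."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items())


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Usage: python check_headers.py https://example.invalid/
        for finding in check_headers(fetch_headers(sys.argv[1])):
            print(finding)
    else:
        print(json.dumps(firebase_headers_config(), indent=2))
        print("\n".join(check_headers(SAMPLE_BARE_RESPONSE)))
```

Run it with no arguments to print the firebase.json fragment and the findings for the constructed bare response; run it with a URL after deploying to confirm the CDN is actually emitting the policy, since a header that is configured but stripped by an intermediate proxy looks identical to one that was never set.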
Report a vulnerability
Replace the placeholder contact in /.well-known/security.txt before launch, and keep its Expires field current, since RFC 9116 requires both Contact and Expires. Do not include real user data in vulnerability reports.