Security

Static public baseline

PainMap is a public static research site with read-only data exports. It has no accounts, payments, health-data submissions, or writable public API.

CSP

Content Security Policy

Default source is self. Scripts are limited to self and pinned jsDelivr module imports. Runtime data fetches are limited to the documented public source domains.

referrer

Referrer policy

strict-origin-when-cross-origin is declared in HTML and in deployable header configuration.

nosniff

Static headers

_headers and vercel.json include X-Content-Type-Options, Permissions-Policy, frame restrictions, and the CSP baseline.

SRI

Subresource integrity

Primary local stylesheet and homepage module script are prepared for integrity hashes as part of the static release check.

Reports

Security contact

Use the public project issue tracker for corrections, broken data links, and security reports that do not require confidential handling. Do not submit personal health data.

Open security.txt Contact policy