Transport & headers
- HTTPS enforced in production (HSTS)
- Content Security Policy (CSP) limiting script and resource origins
- X-Frame-Options, X-Content-Type-Options, Referrer-Policy
- Permissions-Policy restricting camera, microphone and geolocation
Application protections
- CSRF protection on state-changing requests using synchronised tokens
- Input validation & sanitisation — Zod schemas plus HTML/script stripping to mitigate XSS and injection attempts
- Rate limiting on contact, login and analytics endpoints
- Origin checks on API mutations to reduce cross-site abuse
- Honeypot field on the contact form to deter bots
- Parameterised database access when Supabase is enabled (no raw SQL from user input)
Admin access
- Password verified with timing-safe comparison
- Short-lived signed JWT session cookie (HTTP-only, SameSite=Lax)
- Admin routes blocked at middleware without valid session
- Failed login attempts logged and rate limited
- Admin pages marked no-store to reduce caching of sensitive views
Data handling
Enquiry data is stored with access limited to authorised staff. We do not publish contact submissions on the public site. CMS content is validated before being written to disk or database.
Reporting issues
If you believe you have found a security vulnerability, please email [email protected] with details. Please do not publicly disclose issues until we have had a reasonable opportunity to investigate.