# ClimbType Security Notes

## Current MVP posture

ClimbType is designed as a static web app with a minimal privacy footprint.

- No account system
- No password storage
- No database requirement
- No server-side storage of quiz answers or results
- Quiz scoring runs in the browser
- Result sharing uses a URL hash such as `#result=L10.A4...`
- Locale/progress/unlock preferences may be stored in `localStorage`

## What is intentionally not protected yet

The current rewarded-ad unlock flow is a lightweight MVP gate.

- Full-result access can be reached with `?full=1`.
- This is acceptable for early validation because the product is a shareable personality test, not a paid account/product entitlement.
- If abuse matters later, add a serverless unlock token flow (for example a Cloudflare Worker backed by KV or a Durable Object) or a backend session store.

## Recommended deployment

Prefer static hosting over exposing the Node dev server.

Good MVP options:

- Cloudflare Pages
- Vercel
- Netlify

Required deployment defaults:

- HTTPS only
- Static asset hosting
- Security headers enabled via `_headers`, `vercel.json`, or host settings
- No secrets committed to the repository

## Security headers

The project includes:

- `_headers` for Cloudflare Pages / Netlify style static hosting
- `vercel.json` for Vercel
- local `server.js` header support for previewing similar behavior

The Content Security Policy is intentionally compatible with Google AdSense. Tighten it later if the ad stack changes.

## Data minimization

Do not collect quiz answers or result data unless there is a clear product reason.

If analytics, ad personalization, payment, email collection, or login is added, update:

- `PRIVACY.md`
- site footer/policy links
- consent/cookie notice as required by target regions

## Future hardening roadmap

1. Deploy as static site behind Cloudflare/Vercel/Netlify.
2. Add production domain to AdSense and configure Offerwall.
3. Add uptime/404 monitoring.
4. Add Cloudflare Turnstile only if spam/abuse appears.
5. Add serverless unlock token verification only if `?full=1` bypass becomes a real revenue problem.
6. Add a formal vulnerability disclosure contact before public scale.
