Security

Auth Model

  • public website routes: no auth
  • /api/contact: no static API key; protected by Cloudflare Turnstile (token verified server-side against the siteverify endpoint) and server-side input validation
  • mirrored /admin/: HTTP basic auth plus an IP allowlist on the nginx host
  • mirrored /nginx_status: IP allowlist only, no credentials
  • optional outbound webhook: shared secret sent as a request header token; forwarding is refused when no token is configured

Access Control

  • public content is intentionally open
  • intake must stay protected against abuse
  • host-only admin and status surfaces must never be treated as public APIs

Sensitive Data Types

  • contact form data:
    • name
    • email
    • company
    • interest
    • message
    • profiling/use case metadata
  • operational env secrets:
    • Turnstile secret
    • optional webhook token
    • optional registry credentials

Secrets Model

Secrets must stay outside the repo and in runtime-specific secret stores:

  • Cloudflare Pages secrets
  • runner variables/secrets
  • host environment, only where the mirrored runtime actually requires them

High-Risk Surfaces

  • /api/contact
  • outbound webhook target configured via CONTACT_WEBHOOK_URL
  • mirrored /admin/
  • registry publish path in scripts/oci_image.sh

See docs/INTAKE_SECURITY_BOUNDARY.md for the public intake and outbound webhook boundary.

Inputs That Must Never Be Open

  • admin bypass paths
  • host status surfaces as public APIs
  • webhook forwarding without token-based protection when used for production lead handling
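The following is an added example, not the project's own intake function, showing the /api/contact shape described in the Auth Model (Turnstile verification plus server-side validation) together with the rule above that the outbound webhook must not forward leads without a header token. It is written as a Cloudflare Pages Function style handler; the binding names TURNSTILE_SECRET and CONTACT_WEBHOOK_TOKEN, the field name cf-turnstile-response, the header name x-webhook-token, and the per-field limits are assumptions. fetch is injectable so the handler can be exercised offline with the constructed stubFetch at the bottom.

```javascript
// Added example (not the project's code): Pages-style handler for /api/contact.
// Assumed names: env bindings TURNSTILE_SECRET, CONTACT_WEBHOOK_URL,
// CONTACT_WEBHOOK_TOKEN; form field "cf-turnstile-response"; header
// "x-webhook-token"; the FIELD_LIMITS values.
const TURNSTILE_VERIFY_URL =
  "https://challenges.cloudflare.com/turnstile/v0/siteverify";

// Per-field maximum lengths (assumed); oversize input is rejected, not truncated.
const FIELD_LIMITS = { name: 100, email: 254, company: 100, interest: 100, message: 4000 };
const REQUIRED = ["name", "email", "message"];
const SINGLE_LINE = ["name", "email", "company", "interest"];

// Server-side validation so the webhook receiver never sees data outside the declared shape.
function validateSubmission(body) {
  const errors = [];
  const clean = {};
  for (const [field, max] of Object.entries(FIELD_LIMITS)) {
    const value = typeof body[field] === "string" ? body[field].trim() : "";
    if (value.length > max) errors.push(`${field}: longer than ${max} characters`);
    clean[field] = value;
  }
  for (const field of REQUIRED) if (!clean[field]) errors.push(`${field}: required`);
  for (const field of SINGLE_LINE) {
    if (/[\r\n]/.test(clean[field])) errors.push(`${field}: line breaks not allowed`);
  }
  if (clean.email && !/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(clean.email)) {
    errors.push("email: not a plausible address");
  }
  return { ok: errors.length === 0, errors, clean };
}

// Turnstile siteverify: the secret stays server-side; remoteip binds the token to the client.
async function verifyTurnstile(token, remoteIp, secret, fetchImpl) {
  if (typeof token !== "string" || !token || !secret) return false;
  const form = new URLSearchParams({ secret, response: token });
  if (remoteIp) form.set("remoteip", remoteIp);
  const res = await fetchImpl(TURNSTILE_VERIFY_URL, { method: "POST", body: form });
  if (!res.ok) return false;
  const data = await res.json();
  return data.success === true;
}

// A webhook URL without a token is a misconfiguration, never permission to forward unauthenticated.
async function forwardLead(lead, env, fetchImpl) {
  if (!env.CONTACT_WEBHOOK_URL) return { forwarded: false, misconfigured: false };
  if (!env.CONTACT_WEBHOOK_TOKEN) return { forwarded: false, misconfigured: true };
  const res = await fetchImpl(env.CONTACT_WEBHOOK_URL, {
    method: "POST",
    headers: { "content-type": "application/json", "x-webhook-token": env.CONTACT_WEBHOOK_TOKEN },
    body: JSON.stringify(lead),
  });
  return { forwarded: res.ok, misconfigured: false, status: res.status };
}

function json(status, obj) {
  return new Response(JSON.stringify(obj), { status, headers: { "content-type": "application/json" } });
}

// Cheap rejections first, Turnstile before the lead fields are trusted, forwarding last.
async function handleContact(request, env, fetchImpl = fetch) {
  if (request.method !== "POST") return json(405, { error: "method not allowed" });
  let body;
  try {
    body = await request.json();
  } catch {
    return json(400, { error: "body must be JSON" });
  }
  if (!body || typeof body !== "object") return json(400, { error: "body must be a JSON object" });
  const remoteIp = request.headers.get("cf-connecting-ip") || "";
  const human = await verifyTurnstile(body["cf-turnstile-response"], remoteIp, env.TURNSTILE_SECRET, fetchImpl);
  if (!human) return json(403, { error: "turnstile verification failed" });
  const v = validateSubmission(body);
  if (!v.ok) return json(400, { error: "validation failed", details: v.errors });
  const lead = { ...v.clean, receivedAt: new Date().toISOString(), remoteIp };
  const result = await forwardLead(lead, env, fetchImpl);
  if (result.misconfigured) return json(500, { error: "intake misconfigured" });
  if (result.forwarded === false && env.CONTACT_WEBHOOK_URL) return json(502, { error: "lead delivery failed" });
  return json(202, { accepted: true, forwarded: result.forwarded });
}

// Constructed offline stand-in for fetch (no network): accepts only the Turnstile
// token "good-token" and only webhook posts carrying the expected header token.
function stubFetch(expectedWebhookToken, log = []) {
  return async (url, init) => {
    log.push({ url, headers: init.headers || {} });
    if (url === TURNSTILE_VERIFY_URL) {
      const ok = init.body.get("response") === "good-token";
      return new Response(JSON.stringify({ success: ok }), { status: 200 });
    }
    const ok = init.headers && init.headers["x-webhook-token"] === expectedWebhookToken;
    return new Response("", { status: ok ? 200 : 401 });
  };
}
```

In a real Pages Function the last step would be `export const onRequestPost = (ctx) => handleContact(ctx.request, ctx.env);`. The ordering is deliberate: Turnstile runs before any field is validated or logged, so bots cannot use the endpoint to probe the validator, and a configured webhook URL with no token fails closed with a 500 rather than quietly forwarding leads unauthenticated.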

Actions That Must Never Be Uncontrolled

  • direct content mutation by external orchestrators
  • secret rotation through repo-only automation
  • blind live deploys from documentation-only changes
  • direct lead record mutation by Fabric

OAuth

OAuth is not used in this repo because the main runtime is a static/public website plus a narrow serverless intake endpoint. The relevant protections here are Turnstile, host auth, and webhook token controls.

OAuth Decision Rules

OAuth becomes appropriate when:

  • external users need authenticated interaction
  • a multi-tenant scenario exists
  • access must come from outside the platform or trusted network boundary

OAuth is not required when:

  • communication is internal service-to-service
  • communication is Fabric-driven without user context
  • there is no user identity context to carry