Security

Static public baseline

PainMap is a public static research site with read-only data exports. It has no accounts, payments, health-data submissions, or writable public API.

CSP

Content Security Policy

Default source is self. Scripts are self-hosted, with D3 and TopoJSON vendored locally. Runtime data fetches are limited to documented public source domains in the third-party fetch matrix.

referrer

Referrer policy

strict-origin-when-cross-origin is declared in HTML and in deployable header configuration.

nosniff

Static headers

_headers and vercel.json include X-Content-Type-Options, Permissions-Policy, frame restrictions, and the CSP baseline.

SRI

Subresource integrity

Primary stylesheet, homepage module script, and local vendor scripts carry integrity hashes verified by the static release check.

Reports

Security contact

Email security@painmap.org for confidential vulnerability reports. Use the public project issue tracker for corrections, broken data links, and reports that do not require confidential handling. Do not submit personal health data.

Open security.txt Contact policy