Security posture
Static site now, guarded runtime later.
The current pccxai website is a static Cloudflare Pages site. It has no paid API endpoint, no login flow, no form submission, and no server-side code.
Current state
Small public surface
The deployed content is served from public/ as static files. Pages are written in HTML and CSS. The assistant page is a static preview and cannot call a provider or spend money.
Basic static-site headers are configured in _headers, including content type protection, frame restrictions, a referrer policy, a permissions policy, and a restrictive content security policy.
Future plan
Controls required before any paid runtime
Turnstile
Require bot checks before accepting assistant requests.
Pages Functions
Keep provider calls server-side with reviewed request validation.
Rate limiting
Limit abuse by IP, session, route, and request volume.
AI Gateway
Route provider traffic through Cloudflare controls and observability.
Budget guards
Set daily and monthly limits before any paid provider traffic is enabled.
Secret handling
Store runtime secrets only in Cloudflare settings, never in the repository.
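As an added illustration of how the Turnstile, Pages Functions and secret-handling controls above fit together once a paid runtime exists (this is not code from the pccxai site; the /api/assistant route, the TURNSTILE_SECRET binding and the prompt-length cap are assumptions):

```javascript
// Added illustration, not pccxai's own code. Assumed names: the /api/assistant
// route, the TURNSTILE_SECRET binding and the prompt-length cap.
const SITEVERIFY = "https://challenges.cloudflare.com/turnstile/v0/siteverify";
const MAX_PROMPT_CHARS = 2000; // assumed cap; bounds what one request can cost

// Request validation runs before any money is spent: accept only a JSON object
// with a bounded, non-empty prompt and a Turnstile token.
function validateAssistantRequest(body) {
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return { ok: false, error: "body must be a JSON object" };
  }
  const { prompt, turnstileToken } = body;
  if (typeof prompt !== "string" || prompt.trim() === "") {
    return { ok: false, error: "prompt must be a non-empty string" };
  }
  if (prompt.length > MAX_PROMPT_CHARS) return { ok: false, error: "prompt too long" };
  if (typeof turnstileToken !== "string" || turnstileToken === "") {
    return { ok: false, error: "missing Turnstile token" };
  }
  return { ok: true, prompt: prompt.trim(), turnstileToken };
}

// Server-side Turnstile check against Cloudflare's siteverify endpoint. fetchImpl
// is injectable so the logic can be exercised offline; production uses global fetch.
async function verifyTurnstile(token, secret, remoteIp, fetchImpl = fetch) {
  const form = new URLSearchParams({ secret, response: token });
  if (remoteIp) form.set("remoteip", remoteIp);
  const res = await fetchImpl(SITEVERIFY, { method: "POST", body: form });
  if (!res.ok) return false; // a verifier outage is a denial, never a bypass
  const data = await res.json();
  return data.success === true;
}

// Handler for POST /api/assistant. In functions/api/assistant.js this would be
// `export async function onRequestPost`. Secrets come from env bindings
// configured in Cloudflare, never from files in the repository.
async function onRequestPost({ request, env }) {
  let body;
  try { body = await request.json(); } catch { return new Response("bad json", { status: 400 }); }
  const v = validateAssistantRequest(body);
  if (!v.ok) return new Response(v.error, { status: 400 });
  const ip = request.headers.get("CF-Connecting-IP");
  if (!(await verifyTurnstile(v.turnstileToken, env.TURNSTILE_SECRET, ip))) {
    return new Response("bot check failed", { status: 403 });
  }
  // Rate limiting, AI Gateway routing and budget guards belong here, before any
  // provider call is made; the static preview page never reaches this point.
  return new Response(JSON.stringify({ accepted: true, chars: v.prompt.length }),
    { status: 200, headers: { "Content-Type": "application/json" } });
}
```

Validation and the bot check both fail closed, so a missing token, an oversized prompt or an unreachable verifier all end the request before the provider is contacted.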
Disclosure
Report security issues privately.
Do not file public issues for security findings. Use the organization security policy for affected repositories under the pccxai organization.
Public issues are appropriate for documentation bugs, broken links, accessibility problems, and ordinary website defects.