Security.

Transport

• HTTPS only on amanoki.com and api.amanoki.com.
• HSTS max-age=31536000; includeSubDomains; preload.
• TLS terminated at Cloudflare (landing) and Fly.io (api); certificates managed by each platform.

Headers

• Content-Security-Policy: default-src 'self'; script / style / image / connect restricted; frame-ancestors 'none'.
• X-Content-Type-Options: nosniff, X-Frame-Options: DENY, Referrer-Policy: strict-origin-when-cross-origin.
• Permissions-Policy: geolocation / microphone / camera / payment all denied.

Errors

All non-success responses ship as application/problem+json (RFC 7807) with {type, title, status, detail, instance}. The type URI points at the methodology section that explains the relevant problem class.

Admin surface

Admin endpoints (e.g. /v1/admin/usage) require a bearer token (AMANOKI_METRICS_TOKEN). When the token is unset, or the bearer doesn't match, the endpoint returns 404 Not Found with no hint that the endpoint exists. Presence is not leaked.

Authentication

Public endpoints are currently callable without an API key. When paid tiers open, keys will be issued through the billing flow; rate limits and tier gating will apply. The endpoint shapes stay the same under either regime.

Data collected

• Request route, status code, and timestamp for rough usage counters (/v1/admin/usage, in-memory only, restart-cleared).
• No personally identifiable information is stored for anonymous callers.
• No request bodies, no query parameters, no user agents retained beyond the in-process counter snapshot.
• Error telemetry (Sentry) captures stack traces and HTTP status; 4xx responses are dropped before send, and per-fingerprint bursts are rate-limited.

Third parties

• Fly.io — application hosting (nrt region).
• Cloudflare Pages — static landing hosting.
• Open-Meteo — weather data input, no credentials, no PII sent.
• Sentry — error telemetry (DSN optional; disabled until configured).

Reporting

Vulnerability disclosures will open alongside the billing flow. Until then, the scope is small enough that direct inspection of the methodology is the intended audit path.