This site is hand-built static HTML. There is no admin login, no database, no CMS. That removes most of the typical website attack surface — but not all. Below is what we do, what we don't yet do, and how to report something we missed.
1. What we do today
- HTTPS-only via surge.sh: Every page on wallbedking-hk.surge.sh is served over HTTPS. HTTP requests are redirected. The TLS certificate is managed by surge.sh; we do not control its rotation but it is renewed automatically.
- No third-party trackers active: The chat-widget JS has placeholder slots for Google Analytics 4 and Meta Pixel — but no tracking ID is currently deployed. Whenever we activate one, we update /partners.html and /privacy.html the same day.
- EXIF metadata stripped on all images: Per /photo-policy.html, every install image has GPS, device serial, and capture timestamp removed before web upload. No customer-identifying metadata leaks via image files.
- rel="noopener" enforced via deploy gate: Every <a target="_blank"> on the site declares rel="noopener" to prevent tabnabbing — verified automatically by deploy step [3.897/4]. The gate fails if any new link forgets it.
- Customer data minimisation: We collect only what's needed for warranty fulfilment + statutory record-keeping. Detail at /privacy.html. Data retention: warranty expiry + 1 year, or earlier on customer request.
- No customer data on this static site: Customer contracts, install photos awaiting consent, internal logs — none of these live on the public web. They are held offline. The only customer-sourced content on this domain is the gallery photos with signed releases.
2. What we don't yet do
- Content Security Policy (CSP) header: surge.sh's static hosting doesn't let us set custom HTTP response headers easily. We use Tailwind CDN + Google Fonts CDN; a strict CSP would currently block them. Migration to a host that supports custom headers is on the roadmap.
- Subresource Integrity (SRI): Tailwind CDN and Google Fonts script tags don't currently use SRI hashes. If either CDN were compromised, content could be injected. Mitigated by the absence of customer-input fields on the site (no forms, no logins) but it's a real gap.
- Cyber-insurance coverage: We don't carry cyber insurance — see /insurance.html for why (data minimisation reduces the dataset size to a manageable risk).
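As an added example (not the site's own deploy step), here is a lint in the spirit of the rel="noopener" gate from section 1, extended to also flag the SRI gap above: it walks an HTML page and reports every target="_blank" link without noopener and every cross-origin script or stylesheet without an integrity attribute. The sample page, its hostnames and the own-host default are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class GateLint(HTMLParser):
    """Collects (line, message) findings for a static HTML page."""
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host
        self.findings = []

    def _is_external(self, url):
        host = urlparse(url).hostname
        return bool(host) and host != self.own_host

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        line = self.getpos()[0]
        # Tabnabbing gate: every target="_blank" link must carry rel="noopener".
        if tag == "a" and a.get("target") == "_blank":
            rel = (a.get("rel") or "").lower().split()
            if "noopener" not in rel:
                self.findings.append((line, f'target="_blank" without rel="noopener": {a.get("href")}'))
        # SRI gate: a cross-origin script or stylesheet must carry an integrity hash.
        src = a.get("src") if tag == "script" else None
        if tag == "link" and "stylesheet" in (a.get("rel") or "").lower().split():
            src = a.get("href")
        if src and self._is_external(src) and not a.get("integrity"):
            self.findings.append((line, f"external {tag} without SRI integrity: {src}"))

def lint_html(html, own_host="wallbedking-hk.surge.sh"):
    """Return the list of findings; an empty list means the gate passes."""
    parser = GateLint(own_host)
    parser.feed(html)
    return parser.findings

# Constructed sample page: two external assets without SRI, one bad link, plus compliant tags.
SAMPLE = """<html><head>
<script src="https://cdn.tailwindcss.com"></script>
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Inter">
<script src="/js/chat.js"></script>
</head><body>
<a href="https://example.com" target="_blank">bad</a>
<a href="https://example.com" target="_blank" rel="noopener noreferrer">good</a>
</body></html>"""

if __name__ == "__main__":
    for line, msg in lint_html(SAMPLE):
        print(f"line {line}: {msg}")
    raise SystemExit(1 if lint_html(SAMPLE) else 0)  # non-zero exit fails the deploy
```

Run it over every generated .html file before publishing; any finding exits non-zero, which is what makes it a gate rather than a report.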
3. Responsible disclosure — how to report a bug
- Email security@wallbedking.com.hk with the subject line "SECURITY" + a one-line summary.
- Describe what you found, the URL/file, and ideally a proof-of-concept.
- We will acknowledge within 1 working day.
- We will provide a fix ETA within 5 working days. Critical issues (information disclosure of customer data, content injection) get same-day attention.
- You can request public credit when we publish the fix in the Trust Scorecard "what we got wrong" section. We will not threaten or restrict legitimate security research.
4. Out of scope
- Surge.sh platform-level vulnerabilities (report to surge.sh).
- Tailwind CDN, Google Fonts CDN — third-party services we use.
- Issues that require physical access to our showroom or office equipment.
- Social engineering of our staff.
- Volumetric attacks (DoS / DDoS) — we accept whatever surge.sh edge protection provides.
5. security.txt
The standard /.well-known/security.txt file linking to this page is on the roadmap. Until it's deployed, this page is the canonical reference and the email address above is the contact.
Found something?
Email security@. Acknowledged within 1 working day. We'll work with you, not against you.
📧 security@wallbedking.com.hk