v3.5.4 7 February 2026 Improvement Fix

Security Hardening — Self-Hosted Fonts & Dependency Audit

Improved

  • Self-hosted fonts — Inter and JetBrains Mono now served from /fonts/ instead of Google Fonts CDN. Eliminates external stylesheet dependency, removes Google tracking, and resolves CSP style-src violation in browser console
  • Umami analytics — Privacy-focused, cookie-free analytics added to speybooks.com and docs.speybooks.com (same site ID, filterable by domain). No analytics on app.speybooks.com
  • About page — Added “Defence in depth” principle card and expanded Technology section with dedicated row-level security subsection
  • Changelog page — Fixed heading hierarchy (H1/H2), aligned stats bar layout, added progressive “Show more releases” button (10 entries per page)

Fixed

  • CSP violation — “Refused to load stylesheet fonts.googleapis.com” error resolved by self-hosting fonts. Zero console errors in production
  • @aws-sdk/client-ses — Updated 3.980.0 → 3.985.0, resolving fast-xml-parser RangeError DoS vulnerability (GHSA-37qj-frw5-hhjh)

Security

  • Dependency audit — Reduced vulnerabilities from 5 to 4. Remaining 4 are all tied to Fastify v4→v5 major migration (post-launch backlog) or dev-only dependencies
  • Security doc created — Doc with prioritised hardening checklist, threat model, and incident response plan

Known

  • Fastify v4 has 2 advisories (Content-Type bypass, sendWebStream DoS) — requires v4→v5 migration, scheduled post-launch
  • fast-jwt iss validation — requires @fastify/jwt upgrade tied to Fastify v5
  • esbuild dev server vulnerability — dev-only, not in production