Intentionally minimal attack surface.

This endpoint is intentionally static and tightly scoped. It serves no third-party scripts, trackers, forms, or embeds, and applies restrictive security headers at the edge.

• HTTPS-only with long-lived HSTS
• Default-deny CSP with framing blocked
• No client-side JavaScript execution
• No mixed content, no cross-origin embedding