A+ Security Headers. Yes, Really.

NewTon DC Tournament Manager v4.2.13 — March 20, 2026

Download v4.2.13

Overview

NewTon DC Tournament Manager Version 4.2.13 achieves an A+ security rating on SecurityHeaders.com for the landing page and all documentation pages by eliminating every inline script and style. The Tournament Manager app and Chalker retain their A rating — unsafe-inline is an architectural requirement for offline single-file deployment. No changes to tournament functionality — this is a drop-in replacement for v4.2.12.

---

CSP Hardening

The Content-Security-Policy header is now split into two tiers:

A+ — Landing Page & Documentation

All inline JavaScript has been extracted to an external file, and all inline styles replaced with CSS classes. These pages now serve a strict CSP that blocks all inline code execution — the gold standard for XSS prevention.

• Landing page (landing.html, landing-page.php)
• User Guide, Privacy, Architecture & Reliability, Docker Quick Start, REST API
• All release notes (releases/*.html)

A — Tournament Manager & Chalker

The Tournament Manager contains 93+ inline event handlers and 266+ inline style attributes — an architectural requirement for single-file offline deployment. The Chalker app has a similar architecture. Both retain 'unsafe-inline' in their CSP and grade A on SecurityHeaders.com. External resource loading remains fully blocked (script-src 'self'), preventing the primary XSS attack vector.

---

Lightbox Extraction

The lightbox functionality has been moved from inline code to an external file (js/lightbox.js):

• Showcase images — onclick="openLightbox(...)" replaced with data-full="..." attribute; JS reads data-full and existing alt text
• Lightbox markup — onclick handlers removed from backdrop, content div, and close button
• Logo fallback — onerror="..." handler replaced with addEventListener in js/lightbox.js
• Inline script block — replaced with <script src="js/lightbox.js"></script>

---

Footer Style

The inline style="color: #a89080;" on the "No popups? No cookies!" footer text has been replaced with class="footer-cheeky" across all pages: landing page, all doc pages, and all 14 release notes pages.

---

Landing Page Routing

The landing page has been fully decoupled from tournament.html:

• tournament.html — PHP landing page switcher removed. Now a pure tournament app file.
• landing-page.php — Now the Docker entry point. If NEWTON_LANDING_PAGE=true, renders the landing page. If the env var is not set, issues a 302 redirect to /tournament.php — tournament-only deployments go straight to the app.
• /tournament.html URL — nginx rewrites to tournament.php internally. The URL stays clean and is indexable by Google.

---

Files Changed

• js/lightbox.js — New external lightbox script
• landing.html — Inline JS/styles removed, external script added
• landing-page.php — Inline JS/styles removed, redirect routing added
• tournament.html — PHP landing page switcher removed
• userguide.html — Footer inline style replaced with class
• privacy.html — Footer inline style replaced with class
• architecture.html — Footer inline style replaced with class
• docker-quickstart.html — Footer inline style replaced with class
• rest-api.html — Footer inline style replaced with class
• releases/*.html — Footer inline style replaced with class (14 files)
• docker/nginx.conf — Strict CSP default; landing-page.php location with strict CSP; /tournament.html rewrite added
• css/landing.css — Get Started card mobile breakpoint updated to 730px
• CHANGELOG.md — v4.2.13 entry added

---

Migration from v4.2.12

No migration required. Fully compatible with all existing tournaments and saved configurations.

---

NewTon DC Tournament Manager v4.2.13 — A+ where it matters. A where it must.

Download v4.2.13

---

Previous Releases

• Latest release
• v4.2.12 — March 19, 2026 — Dedicated domain: newtondarts.com.
• v4.2.11 — March 18, 2026 — Shame has never looked better.
• v4.2.10 — March 17, 2026 — Doc pages, user guide, and sitemap improvements.
• v4.2.9 — March 15, 2026 — Landing page polish.
• v4.2.8 — March 13, 2026 — Late Registration.
• v4.2.7 — March 13, 2026 — Sitemap, font loading fix, and Get Started section.
• v4.2.6 — March 12, 2026 — Undo system bug fix, Late Registration eligibility checker, and robots.txt.
• v4.2.5 — March 11, 2026 — Landing page improvements and a Bracket Editor placeholder in the Developer Console.
• v4.2.4 — March 10, 2026 — Proper Single Elimination match length configuration and colour-coded Chalker leg averages.
• v4.2.3 — March 10, 2026 — Landing page redesign with retro comic theme by Nano Banana.
• v4.2.2 — March 9, 2026 — Landing page fix, cleaner card layout.
• v4.2.1 — March 8, 2026 — Cleaner cards, clearer brackets, better discoverability.
• v4.2.0 — March 3, 2026 — Single Elimination: one shot, no second chances.

For older releases, see the GitHub releases page.