~/architecture

How this site works

A security-focused site should be able to explain itself. This page documents the stack, the delivery pipeline, and every security header this site serves — all of it verifiable against the source.

Stack

Delivery

The pipeline is deliberately short: a push to GitHub triggers a Cloudflare Pages build, and the static output is replicated to Cloudflare's edge. There is no origin server to keep patched.

Security headers

Every response carries this header set, configured in public/_headers and applied by Cloudflare Pages at the edge:

Security headers served on every response, mirroring public/_headers: header name, value, and purpose.
Header Value Why
Strict-Transport-Security max-age=31536000; includeSubDomains; preload Browsers connect over HTTPS only for a year, subdomains included; eligible for the preload list.
Content-Security-Policy default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self'; connect-src 'self'; frame-ancestors 'none'; base-uri 'none'; form-action 'self'; upgrade-insecure-requests Everything is denied by default; only same-origin scripts, styles, images, fonts, and connections are allowlisted.
X-Content-Type-Options nosniff Stops browsers from MIME-sniffing responses into executable content types.
X-Frame-Options DENY Legacy clickjacking defense for browsers that don't enforce frame-ancestors.
Referrer-Policy strict-origin-when-cross-origin Cross-origin requests receive the origin only — full URLs never leak to other sites.
Permissions-Policy accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=() Opts the site out of powerful browser APIs it never uses.
Cross-Origin-Opener-Policy same-origin Severs window references from cross-origin openers, isolating the browsing context.
Cross-Origin-Resource-Policy same-origin Prevents other origins from embedding this site's resources in their pages.
X-XSS-Protection 0 Explicitly disables the legacy XSS auditor, which introduced bugs of its own; the CSP covers this ground.

The CSP is built on an allowlist model: default-src 'none' denies every resource type outright, then individual directives grant back only what the site actually uses — same-origin scripts, styles, images, fonts, and connections, nothing else. A blocklist has to anticipate attacks; an allowlist only has to describe the site.

That model holds because nothing here needs inline code. Astro is configured with inlineStylesheets: 'never' so all CSS ships as external files, and the few scripts are bundled into external files as well — which means script-src 'self' and style-src 'self' work without 'unsafe-inline'. Even if an injection bug existed, injected inline script would not execute.

frame-ancestors 'none' (with X-Frame-Options: DENY as the legacy fallback) means no other site can embed this one in a frame, and HSTS with preload keeps every visit on HTTPS from the very first request.

One honest caveat: these headers are applied by Cloudflare Pages at the edge. Running npm run preview locally serves the same HTML without them — the policy only exists on the deployed site.

Privacy & performance

Static HTML with no backend means there is nothing to track you with: no cookies, no analytics, no trackers, and no requests to any third-party origin. Reading this site tells no one anything.

It is also why the site is fast. Build assets under /_astro/ carry a content hash in their filename, so they are served with Cache-Control: public, max-age=31536000, immutable — cached for a year and never revalidated. When a file changes, its hash changes, and the browser fetches the new URL.