~/architecture
How this site works
A security-focused site should be able to explain itself. This page documents the stack, the delivery pipeline, and every security header this site serves — all of it verifiable against the source.
Stack
-
Astro 5, static output
Every page is prerendered to plain HTML at build time. There is no server, no runtime, no rendering on request — the deploy artifact is a folder of files.
-
TypeScript, strict
The project extends Astro's strict tsconfig, and
astro checktype-checks every page and component, including the script blocks. -
Tailwind CSS 4
Styling via the Tailwind Vite plugin, with the design tokens (colors, fonts) defined once in a single global stylesheet.
-
Content collections
Projects, writeups, and lab notes are Markdown/MDX files in typed content collections — frontmatter is validated by schema at build time, so a malformed entry fails the build instead of shipping.
-
Zero client JS by default
Pages ship no JavaScript. The only scripts on the whole site are the mobile nav toggle and the interactive tools pages, bundled by Astro into external files.
-
No external requests
System font stack, no CDN scripts, no remote images, no third-party anything. Every byte the browser loads comes from this origin.
Delivery
The pipeline is deliberately short: a push to GitHub triggers a Cloudflare Pages build, and the static output is replicated to Cloudflare's edge. There is no origin server to keep patched.
git push (local machine)
│
▼
GitHub repository
│ push triggers a deploy
▼
Cloudflare Pages build
│ npm run build ──▶ dist/ (prerendered HTML, CSS, JS)
▼
Cloudflare global edge network
│ HTTPS
▼
browser Security headers
Every response carries this header set, configured in
public/_headers and applied by Cloudflare
Pages at the edge:
| Header | Value | Why |
|---|---|---|
| Strict-Transport-Security | max-age=31536000; includeSubDomains; preload | Browsers connect over HTTPS only for a year, subdomains included; eligible for the preload list. |
| Content-Security-Policy | default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self'; connect-src 'self'; frame-ancestors 'none'; base-uri 'none'; form-action 'self'; upgrade-insecure-requests | Everything is denied by default; only same-origin scripts, styles, images, fonts, and connections are allowlisted. |
| X-Content-Type-Options | nosniff | Stops browsers from MIME-sniffing responses into executable content types. |
| X-Frame-Options | DENY | Legacy clickjacking defense for browsers that don't enforce frame-ancestors. |
| Referrer-Policy | strict-origin-when-cross-origin | Cross-origin requests receive the origin only — full URLs never leak to other sites. |
| Permissions-Policy | accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=() | Opts the site out of powerful browser APIs it never uses. |
| Cross-Origin-Opener-Policy | same-origin | Severs window references from cross-origin openers, isolating the browsing context. |
| Cross-Origin-Resource-Policy | same-origin | Prevents other origins from embedding this site's resources in their pages. |
| X-XSS-Protection | 0 | Explicitly disables the legacy XSS auditor, which introduced bugs of its own; the CSP covers this ground. |
The CSP is built on an allowlist model:
default-src 'none' denies every resource
type outright, then individual directives grant back only what the
site actually uses — same-origin scripts, styles, images, fonts, and
connections, nothing else. A blocklist has to anticipate attacks; an
allowlist only has to describe the site.
That model holds because nothing here needs inline code. Astro is
configured with inlineStylesheets: 'never'
so all CSS ships as external files, and the few scripts are bundled
into external files as well — which means
script-src 'self' and
style-src 'self' work without
'unsafe-inline'. Even if an injection
bug existed, injected inline script would not execute.
frame-ancestors 'none' (with
X-Frame-Options: DENY as the legacy
fallback) means no other site can embed this one in a frame, and HSTS
with preload keeps every visit on HTTPS
from the very first request.
One honest caveat: these headers are applied by Cloudflare Pages at
the edge. Running npm run preview locally
serves the same HTML without them — the policy only exists on the
deployed site.
Privacy & performance
Static HTML with no backend means there is nothing to track you with: no cookies, no analytics, no trackers, and no requests to any third-party origin. Reading this site tells no one anything.
It is also why the site is fast. Build assets under
/_astro/ carry a content hash in their
filename, so they are served with
Cache-Control: public, max-age=31536000,
immutable — cached for a year and never revalidated. When a file
changes, its hash changes, and the browser fetches the new URL.