~/projects/derekwei-xyz
derekwei.xyz — this site
This site: a fast, static Astro 5 build with a strict CSP, no cookies or trackers, and no third-party requests, deployed on Cloudflare Pages.
shipped Jul 9, 2026 astro typescript tailwind cloudflare-pages
The site you’re reading right now. It’s my portfolio, but I also treated it as a small exercise in doing the boring security work properly on something I actually ship.
Goals
- Fast. Static HTML rendered at build time, system fonts only, no client-side framework runtime. Nothing loads from anywhere but this domain.
- Accessible. Semantic landmarks, one
h1per page, a skip link, visible focus styles, and honest heading structure throughout. - Recruiter-friendly. Everything a recruiter would want — resume, certifications, projects, contact — is at most one click from the header, and the resume prints cleanly.
Stack
- Astro 5 with fully static output — pages are plain HTML with scripts only where a page genuinely needs them.
- TypeScript in strict mode, including the inline scripts Astro compiles and bundles.
- Tailwind CSS 4 with a small set of design tokens for the dark blueprint palette.
- Markdown/MDX content collections for projects, writeups, and lab notes, validated against Zod schemas at build time.
Security posture
A static portfolio doesn’t have much attack surface, which is exactly why it should get the fundamentals right:
- Strict Content Security Policy with no inline scripts — everything Astro emits is bundled to external files.
- Security headers shipped via Cloudflare Pages’
_headersfile. - No cookies, no trackers, no analytics, no third-party requests of any kind.
- System font stack only — no font CDN, no external stylesheets.
The full breakdown — headers, CSP directives, and the reasoning behind them — is on the architecture page.