Security is part of the build — not an afterthought. This page documents the specific controls in place on this site.

01 Transport Security

  • TLS only — only current, secure protocol versions are permitted.
  • HSTS — Strict-Transport-Security is sent on every HTTPS response. Browsers will refuse plain HTTP.
  • HTTP → HTTPS redirect — all port-80 traffic receives a 301 redirect to the HTTPS equivalent.
  • Certificate: Let's Encrypt — auto-renewed, with zero-downtime reload on renewal.

02 HTTP Security Headers

  Header                     Purpose
  Content-Security-Policy    Restricts script/style/media origins; blocks XSS vectors
  Strict-Transport-Security  Forces HTTPS
  X-Frame-Options            Prevents clickjacking via iframe embedding
  Permissions-Policy         Disables browser APIs unused by this site
  X-Content-Type-Options     Prevents MIME-type sniffing attacks
  Referrer-Policy            Limits referrer leakage to external sites
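As an added illustration (not this site's own code or configuration), a small Python audit that checks a captured header set against the six headers above and reports which are missing or weakly configured. The sample header values, the one-year HSTS threshold, the set of acceptable Referrer-Policy values and the analytics host allowed in the CSP are assumptions, not what this site actually sends.

```python
import re

# Constructed sample response headers (lower-cased names), as a client would
# see them after one HTTPS request. Assumed values, not captured from the site.
SAMPLE_HEADERS = {
    "content-security-policy": "default-src 'self'; "
                               "script-src 'self' https://www.googletagmanager.com; "
                               "object-src 'none'",
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
    "permissions-policy": "camera=(), microphone=(), geolocation=()",
}

# Referrer-Policy values that never send the full URL to another origin.
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin"}
ONE_YEAR = 31536000  # HSTS max-age floor used by this audit (assumption)


def audit_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        # Map directive name -> full directive text, e.g. "script-src 'self' ..."
        directives = {d.strip().split(" ")[0]: d.strip()
                      for d in csp.split(";") if d.strip()}
        script = directives.get("script-src") or directives.get("default-src")
        if script is None or "'unsafe-inline'" in script or "*" in script.split():
            findings.append("CSP does not meaningfully restrict script sources")

    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    if not m or int(m.group(1)) < ONE_YEAR:
        findings.append("HSTS missing or max-age below one year")
    if h.get("x-frame-options", "").upper() not in {"DENY", "SAMEORIGIN"}:
        findings.append("X-Frame-Options not DENY/SAMEORIGIN")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if h.get("referrer-policy", "").lower() not in SAFE_REFERRER:
        findings.append("Referrer-Policy absent or leaks full URLs cross-origin")
    if "permissions-policy" not in h:
        findings.append("Permissions-Policy missing")
    return findings
```

Feed it the headers from any real response (for example a `dict(resp.headers)` from an HTTP client) to get a quick drift check against the policy table.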

03 Application Layer

  • Web framework — CSRF protection is enforced on all POST endpoints.
  • CSRF protection — every form submission is validated against a server-generated token.
  • Parameterised queries only — no raw SQL; injection is prevented at the data layer.
  • Input validation — all form input is validated server-side before persistence.
  • Debug mode off in production — stack traces are never exposed to end users.
  • Secret key — stored as an environment variable; not present in the codebase or version history.
  • Admin access — administrative interfaces are restricted and not publicly advertised.

04 Infrastructure

  • Server: Linux VPS with automatic security patching enabled.
  • Process: Application server runs as a non-root user with resource limits.
  • Static files: Served directly by the web server — the application layer never handles static asset requests.
  • Logs: Access logs rotated regularly; error logs monitored for anomalies.
  • Firewall: Network access is restricted to necessary services only.

05 Dependency Management

  • Dependencies are pinned, version-controlled, and periodically reviewed against known CVE databases.
  • No client-side JavaScript from CDNs — all JS is self-hosted and served from the same origin.
  • Third-party scripts: Google Analytics only — loaded with the defer attribute and explicitly allowed by the CSP.

06 Reporting a Vulnerability

If you find a security issue on this site, please report it responsibly. See the Responsible Disclosure page for the process.