Security Awareness
I built this page to challenge myself to learn and apply real security practices. I’m not a security guru (yet!), but I care about doing things right. Below is what I researched and put in place myself.
- HTTPS Enforcement & HSTS: All requests are redirected to HTTPS, and HSTS headers ensure browsers only use secure connections.
- Secure HTTP Headers:
  - Content-Security-Policy (CSP): Restricts the sources allowed for scripts, styles, images, and more.
  - X-Content-Type-Options: Prevents MIME type sniffing.
  - X-Frame-Options: Prevents clickjacking by denying framing.
  - Referrer-Policy: Limits the referrer information sent to other sites.
  - Permissions-Policy: Disables camera, microphone, and geolocation access.
  - Object-Source (the CSP object-src directive): Disables Flash and other plugins.
- Minimal User Input: I avoid unnecessary form handling and keep the public surface area of the site small.
- Direct Contact Channels: Contact is handled through direct links like email and LinkedIn instead of storing form submissions on the server.
- security.txt: A /.well-known/security.txt file provides a clear vulnerability disclosure policy.
- Minimal Attack Surface: Unused or test API routes are removed from production.
- Environment File Protection: .env and other sensitive files are excluded from version control via .gitignore.
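Added example, not code from this site: a small Python checker that audits a dictionary of HTTP response headers against the items listed above (HSTS, CSP with object-src, nosniff, framing, Referrer-Policy, Permissions-Policy), roughly what securityheaders.com reports, but runnable locally and offline. SAMPLE_HEADERS is a constructed set of values, and the six-month HSTS minimum is an assumed threshold, not one the page states.

```python
import re

# Constructed sample response headers for a hardened site like the one described.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a CSP value into {directive: [source expressions]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def hsts_max_age(value: str) -> int:
    """Return the max-age declared in an HSTS header, or 0 if absent or malformed."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else 0

def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return findings for the headers this page lists; an empty list means all checks pass."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    if hsts_max_age(h.get("strict-transport-security", "")) < 15552000:  # assumed 6-month minimum
        findings.append("HSTS missing or max-age shorter than six months")
    csp = parse_csp(h.get("content-security-policy", ""))
    if "default-src" not in csp:
        findings.append("CSP missing or has no default-src fallback")
    if "'unsafe-inline'" in csp.get("script-src", csp.get("default-src", [])):
        findings.append("CSP allows 'unsafe-inline' scripts")
    if csp.get("object-src") != ["'none'"]:
        findings.append("CSP object-src should be 'none' to block Flash and other plugins")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not 'nosniff'")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")
    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing")
    perms = h.get("permissions-policy", "").replace(" ", "")
    for feature in ("camera", "microphone", "geolocation"):
        if f"{feature}=()" not in perms:
            findings.append(f"Permissions-Policy does not disable {feature}")
    return findings
```

Running `audit_headers(SAMPLE_HEADERS)` returns an empty list; feed it the headers from a real response (for example from `requests.get(url).headers`) to see which of the above a site still lacks.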
Keeping up
I’m keeping an eye on how my site is doing by checking out the reports from Mozilla Observatory, securityheaders.com, and Google Lighthouse every now and then.
Found a Security Issue?
If you spot a vulnerability or something that looks off, please check out security.txt for how to get in touch. I appreciate responsible disclosure and am always open to learning from others!