Security Awareness

I built this page to challenge myself to learn and apply real security practices. I’m not a security guru (yet!), but I care about doing things right. Below is what I researched and put in place myself.

  • HTTPS Enforcement & HSTS: All requests are redirected to HTTPS, and HSTS headers ensure browsers only use secure connections.
  • Secure HTTP Headers:
    • Content-Security-Policy (CSP): Restricts sources for scripts, styles, images, and more. CSP violations are monitored and reviewed for security improvements.
    • X-Content-Type-Options: Prevents MIME type sniffing.
    • X-Frame-Options: Prevents clickjacking by denying framing.
    • Referrer-Policy: Limits referrer information sent to other sites.
    • Permissions-Policy: Disables camera, microphone, and geolocation access.
    • object-src (CSP directive): Disables Flash and other plugin content.
  • Input Validation & Sanitization: All user input is validated and sanitized on both the client and the server to prevent XSS and injection attacks.
  • Rate Limiting: API endpoints (e.g., contact form) are rate-limited to prevent abuse and spam.
  • security.txt: A /.well-known/security.txt file provides a clear vulnerability disclosure policy.
  • Minimal Attack Surface: Unused or test API routes are removed from production.
  • Environment File Protection: .env and sensitive files are excluded from version control via .gitignore.
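As an added example (not this site's own code), here is the header set described above written out as a plain object, together with a small audit function that checks a captured set of response headers against it, roughly the way securityheaders.com or Mozilla Observatory would. The specific header values, the CSP report endpoint `/api/csp-report`, and the sample "weak" response are assumptions chosen for illustration, not taken from this site.

```javascript
// Added example: the response headers listed on this page, plus an audit that
// checks a captured header set against them. Values and endpoints are assumed.

const ONE_YEAR = 31536000; // seconds; the HSTS max-age most scanners expect

function securityHeaders() {
  return {
    'strict-transport-security': `max-age=${ONE_YEAR}; includeSubDomains`,
    'content-security-policy': [
      "default-src 'self'",
      "script-src 'self'",
      "style-src 'self'",
      "img-src 'self' data:",
      "object-src 'none'",          // disables Flash and other plugin content
      "base-uri 'self'",
      "frame-ancestors 'none'",     // modern equivalent of X-Frame-Options: DENY
      'report-uri /api/csp-report', // assumed endpoint that receives violation reports
    ].join('; '),
    'x-content-type-options': 'nosniff',
    'x-frame-options': 'DENY',
    'referrer-policy': 'strict-origin-when-cross-origin',
    'permissions-policy': 'camera=(), microphone=(), geolocation=()',
  };
}

// Parse a CSP string into a Map of directive name -> array of source expressions.
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// Audit a set of response headers (names are matched case-insensitively).
// Returns an array of findings; an empty array means every check passed.
function auditHeaders(headers) {
  const h = {};
  for (const [name, value] of Object.entries(headers)) h[name.toLowerCase()] = value;
  const findings = [];

  const hsts = h['strict-transport-security'];
  if (!hsts) {
    findings.push('missing Strict-Transport-Security');
  } else {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (!m || Number(m[1]) < ONE_YEAR) findings.push('HSTS max-age shorter than one year');
  }

  const csp = h['content-security-policy'];
  if (!csp) {
    findings.push('missing Content-Security-Policy');
  } else {
    const d = parseCsp(csp);
    if (!d.has('default-src')) findings.push('CSP has no default-src fallback');
    // A missing fetch directive falls back to default-src, so audit the effective value.
    const scripts = d.get('script-src') || d.get('default-src') || [];
    if (scripts.includes("'unsafe-inline'")) findings.push("CSP allows 'unsafe-inline' scripts");
    if (scripts.includes('*')) findings.push('CSP script-src allows any origin');
    const objects = d.get('object-src') || d.get('default-src') || [];
    if (!objects.includes("'none'")) findings.push("CSP does not set object-src 'none'");
  }

  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff')
    findings.push('missing X-Content-Type-Options: nosniff');
  const xfo = (h['x-frame-options'] || '').toUpperCase();
  if (xfo !== 'DENY' && xfo !== 'SAMEORIGIN') findings.push('missing X-Frame-Options');
  if (!h['referrer-policy']) findings.push('missing Referrer-Policy');
  if (!h['permissions-policy']) findings.push('missing Permissions-Policy');
  return findings;
}

// Constructed sample: a response with a short HSTS lifetime, a permissive CSP,
// and most of the other headers absent.
const weakResponseHeaders = {
  'Content-Security-Policy': "default-src *; script-src 'self' 'unsafe-inline'",
  'Strict-Transport-Security': 'max-age=3600',
};

console.log('policy headers:', auditHeaders(securityHeaders()));      // []
console.log('weak response:', auditHeaders(weakResponseHeaders));     // seven findings
```

The audit deliberately resolves a missing `object-src` or `script-src` through `default-src`, which is why the sample policy `default-src *` with no `object-src` is flagged even though it never mentions plugins; that fallback rule is the most common way a CSP ends up weaker than it looks.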

Keeping up

I’m keeping an eye on how my site is doing by checking out the reports from Mozilla Observatory, securityheaders.com, and Google Lighthouse every now and then! I also keep track of reports internally.

Found a Security Issue?

If you spot a vulnerability or something that looks off, please check out security.txt for how to get in touch. I appreciate responsible disclosure and am always open to learning from others!