How this site is secured.
I assess other people's systems for a living, so it would be hypocritical not to hold my own to the same standard. This is the threat model and the controls behind this site — documented openly, because a security posture you can't explain isn't one. Verify any of it yourself with the links at the bottom.
Design principles
Minimise the attack surface
The entire site is statically rendered — no application server, no database, no user accounts, no input handling. There is simply very little to attack: no injection surface, no auth to bypass, no server to compromise.
Defence in depth
Even with a small surface, controls are layered — transport security, a strict content-security policy, framing and MIME protections, and CA-issuance restrictions — so no single failure is catastrophic.
Privacy by default
No cookies, no advertising or social trackers, no cross-site fingerprinting. Analytics are cookieless and aggregate. The interactive tools run entirely in your browser — nothing you enter is sent or stored.
Least privilege & no secrets in the client
There are no API keys, tokens, or secrets in the shipped code — there's nothing client-side worth stealing. The deploy pipeline holds only what it needs and nothing it doesn't.
Threat model
The assets worth protecting on a site like this, the realistic threats to each, and how they're mitigated.
| Asset | Threat | Mitigation |
|---|---|---|
| Content integrity | Defacement, script injection, tampering | Static hosting on an immutable build; strict CSP (default-src 'self', no remote script origins); X-Content-Type-Options: nosniff. |
| Visitor session | Clickjacking, UI redress, framing | X-Frame-Options: DENY and CSP frame-ancestors 'none' — the site cannot be embedded in a hostile frame. |
| Transport | Interception, TLS downgrade | HTTPS-only with Strict-Transport-Security (2-year max-age, includeSubDomains, preload). Plaintext is never an option. |
| Visitor privacy | Tracking, data harvesting, fingerprinting | No cookies, no third-party trackers; cookieless aggregate analytics; tools compute results locally with zero data exfiltration. |
| Supply chain | Compromised dependency / CDN | No runtime npm dependencies — the interactive code is dependency-free vanilla JavaScript. External origins are restricted by CSP to a fonts provider only. |
| Domain & DNS | Hijack, rogue certificate issuance | DNS managed on the hosting platform; CAA records restrict which Certificate Authorities may issue for the domain. |
| Availability | DoS, regional outage | Served from a global edge CDN with platform-level DDoS mitigation and multi-region delivery. |
Controls in place
Transport & network
- HTTPS everywhere with HSTS: max-age=63072000; includeSubDomains; preload, plus upgrade-insecure-requests in the CSP. (The preload directive only signals eligibility; protection on a browser's very first visit depends on the domain actually being on the browser preload list.)
- Global edge delivery with platform DDoS protection; automatic TLS certificate management.
- CAA records constrain certificate issuance to trusted CAs only.
HTTP response headers
- Content-Security-Policy: default-src 'self'; scripts and styles same-origin; framing denied (frame-ancestors 'none'); plugins blocked (object-src 'none'); mixed content upgraded (upgrade-insecure-requests).
- X-Frame-Options: DENY · X-Content-Type-Options: nosniff · Referrer-Policy: strict-origin-when-cross-origin.
- Permissions-Policy disables camera, microphone, geolocation, payment and USB by default.
- Cross-Origin-Opener-Policy: same-origin for origin isolation.
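The header policy above is concrete enough to check mechanically. The following is an added example, not the site's own code: it parses a raw response-header dump of the kind `curl -sI` prints, then audits it against the controls listed here (HSTS terms that the preload list requires, CSP directives, framing, MIME and isolation headers). The two header dumps are constructed samples, one matching this page's policy and one deliberately weak; the fonts host `https://fonts.example` is a placeholder.

```javascript
// Added example (not the site's own code): audit HTTP response headers against
// the policy described on this page. Header dumps below are constructed samples.

function parseRawHeaders(text) {
  // Turn `curl -sI` output into { lowercased-name: value }; status line and blanks skipped
  const out = {};
  for (const line of text.split(/\r?\n/)) {
    const i = line.indexOf(':');
    if (i <= 0) continue;
    out[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return out;
}

function parseCsp(value) {
  // { directive: [source tokens] }; when a directive repeats, the first wins (as browsers do)
  const out = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!(name in out)) out[name] = tokens.slice(1);
  }
  return out;
}

function parseHsts(value) {
  const out = { maxAge: null, includeSubDomains: false, preload: false };
  for (const part of value.split(';')) {
    const [k, v] = part.trim().split('=').map((s) => s.trim().toLowerCase());
    if (k === 'max-age') out.maxAge = Number.parseInt(v, 10);
    else if (k === 'includesubdomains') out.includeSubDomains = true;
    else if (k === 'preload') out.preload = true;
  }
  return out;
}

function auditHeaders(h) {
  const findings = [];

  // HSTS: the preload list requires max-age >= 1 year, includeSubDomains and preload
  const hsts = h['strict-transport-security'] ? parseHsts(h['strict-transport-security']) : null;
  if (!hsts) findings.push('HSTS missing');
  else {
    if (!(hsts.maxAge >= 31536000)) findings.push('HSTS max-age below one year');
    if (!hsts.includeSubDomains) findings.push('HSTS lacks includeSubDomains');
    if (!hsts.preload) findings.push('HSTS lacks preload');
  }

  // CSP: same-origin default, no inline/eval or remote script origins, no framing, no plugins
  const csp = h['content-security-policy'] ? parseCsp(h['content-security-policy']) : null;
  if (!csp) findings.push('CSP missing');
  else {
    const def = csp['default-src'] || [];
    if (!def.includes("'self'") || def.includes('*')) findings.push("CSP default-src is not 'self'");
    const scriptSrc = csp['script-src'] || def; // script-src falls back to default-src
    if (scriptSrc.includes("'unsafe-inline'") || scriptSrc.includes("'unsafe-eval'")) findings.push('CSP script-src allows unsafe-inline/unsafe-eval');
    for (const src of scriptSrc) if (!src.startsWith("'")) findings.push(`CSP script-src allows remote origin ${src}`); // unquoted token = host/scheme source
    if (!(csp['frame-ancestors'] || []).includes("'none'")) findings.push("CSP frame-ancestors is not 'none'");
    if (!(csp['object-src'] || []).includes("'none'")) findings.push("CSP object-src is not 'none'");
    if (!('upgrade-insecure-requests' in csp)) findings.push('CSP lacks upgrade-insecure-requests');
  }

  if ((h['x-frame-options'] || '').toUpperCase() !== 'DENY') findings.push('X-Frame-Options is not DENY');
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') findings.push('X-Content-Type-Options is not nosniff');
  if (!h['referrer-policy']) findings.push('Referrer-Policy missing');
  if ((h['cross-origin-opener-policy'] || '') !== 'same-origin') findings.push('COOP is not same-origin');
  if (!h['permissions-policy']) findings.push('Permissions-Policy missing');
  return findings;
}

// Constructed sample matching the policy on this page (fonts host is a placeholder)
const GOOD_RAW = `HTTP/2 200
content-type: text/html; charset=utf-8
strict-transport-security: max-age=63072000; includeSubDomains; preload
content-security-policy: default-src 'self'; script-src 'self'; style-src 'self' https://fonts.example; font-src https://fonts.example; object-src 'none'; frame-ancestors 'none'; upgrade-insecure-requests
x-frame-options: DENY
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
permissions-policy: camera=(), microphone=(), geolocation=(), payment=(), usb=()
cross-origin-opener-policy: same-origin`;

// Constructed sample of a weak configuration
const WEAK_RAW = `HTTP/2 200
content-type: text/html; charset=utf-8
strict-transport-security: max-age=300
content-security-policy: default-src *; script-src 'self' 'unsafe-inline'
x-frame-options: SAMEORIGIN`;

console.log('good:', auditHeaders(parseRawHeaders(GOOD_RAW)));
console.log('weak:', auditHeaders(parseRawHeaders(WEAK_RAW)));
```

To run it against a live site, replace the sample text with `curl -sI https://your-host/` output (piped into the script or pasted in). The script-src check treats every unquoted source token as a remote origin, which is exactly the condition the "no remote script origins" claim rules out.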
Application surface
- Fully static — no server-side execution, database, or authentication, so entire vulnerability classes (SQLi, SSRF, auth bypass, IDOR) simply don't exist here.
- No client-side secrets — nothing sensitive ships in the bundle; there is no token to leak.
- Safe DOM handling in the interactive tools. User-influenced values are written as text (textContent or text nodes), never as markup (innerHTML, document.write), so there is no DOM-XSS path.
Privacy & data handling
- No cookies and no third-party trackers. Analytics are cookieless and aggregate — no personal data, no cross-site identity.
- Client-side tools. The IAM Maturity Index and Zero-Trust simulator run entirely in your browser; responses are never transmitted or retained. Shareable results are encoded only in the link you choose to copy.
Responsible disclosure
Found something? I'd genuinely like to know. There's a machine-readable contact at /.well-known/security.txt (RFC 9116), or email adi.shah08@gmail.com. Good-faith research is welcome and appreciated.
Verify it yourself
Don't take my word for it — a security claim you can't independently check is just marketing. Run the scans:
This is, deliberately, the kind of artefact I'd want to see from any vendor handling my data — a clear threat model, named controls, and an open invitation to verify. If your organisation can't produce one for its crown-jewel systems, that's a conversation worth having.