Colophon

A portfolio should be a work sample, not just a brochure. This page documents how this site is engineered — the stack, the security posture, and the decisions behind them — the same way I'd document any production system.

Stack
FrameworkNext.js (App Router, static generation where possible)
UIReact 19, TypeScript, Tailwind CSS v4
PWASerwist service worker, installable on iOS
DataSupabase (Postgres + storage), Resend for transactional email
InfraVercel, with CI running lint, typecheck, and build on every push
FontsInter and JetBrains Mono, self-hosted via next/font — no third-party font requests
Security posture

A personal site is a small attack surface, but it handles real user input (the contact form) and gates a private area, so it gets treated like a real system:

Content Security Policy on every route

A single site-wide CSP locks scripts, styles, frames, and connections to an explicit allowlist (self, Supabase for media, YouTube for embeds). object-src is none, base-uri and form-action are restricted to self, and frame-ancestors is none.

Strict transport and header hygiene

HSTS with a two-year max-age, includeSubDomains, and preload. X-Content-Type-Options: nosniff, X-Frame-Options: DENY, a locked-down Permissions-Policy (no camera, microphone, or geolocation), and the X-Powered-By header removed.

Contact form: defense in depth

Submissions pass through schema validation (Zod), a honeypot field that silently accepts and discards bot traffic, per-IP rate limiting, and HTML escaping before any value is interpolated into the notification email. Failures return generic errors — no stack traces or internals leak to the client.

Private area behind edge auth

The private dashboard is gated by an HMAC-SHA256-signed session cookie verified in the edge proxy via the Web Crypto API before any page or API route is reached. Unauthenticated requests never touch application code.

Coordinated disclosure

A security.txt lives at /.well-known/security.txt. If you find something, I want to hear about it.

Performance

Every public page is statically generated at build time and served from the edge. There is no client-side data fetching on the public site, no analytics script, no third-party JavaScript at all — the CSP enforces that last claim rather than just promising it. Images go through next/image with explicit sizes; fonts are self-hosted and subset.

Found a vulnerability? See security.txt or use the contact form.