Security

Last updated: 2026-02-19

Our Security Approach

Security is not an afterthought — it is the foundation of everything we build. As a cybersecurity professional with 12+ years of experience in application security, penetration testing, and security architecture, I apply the same standards to my own infrastructure that I recommend to clients.

This page documents the technical and organizational measures we implement to protect your data.

Secure Development Lifecycle

This website is developed following secure development practices at every stage. As a recognized conference speaker on Secure SDLC and DevSecOps (with talks at DUMP, Payment Security, CodeFest, and other conferences), and author of a DevSecOps course, I ensure these practices are actively implemented — not just theoretical.

Phase | Practice | Detail
Requirements | Security requirements gathering | Privacy by design requirements defined before development (GDPR Article 25)
Design | Threat modeling | Architecture reviewed against OWASP Top 10, serverless-specific threats, and data flow analysis
Development | Secure coding | Server-side input validation, output encoding, parameterized database queries
Development | Dependency management | Minimal dependency footprint — zero npm runtime dependencies in Worker
Development | Code review | All code reviewed before deployment
Testing | Security testing | Anti-bot bypass testing, rate limit validation, CORS verification, input fuzzing
Testing | Source analysis | Source code analyzed for injection patterns, unsafe functions, secret leakage
Deployment | Immutable deployments | Each deploy is an atomic snapshot — no in-place modifications
Deployment | Configuration security | Secrets stored in encrypted environment, never in code or version control
Operations | Security headers | Configured via infrastructure provider (Cloudflare) — attack surface for header manipulation is minimal in serverless architecture
Operations | Monitoring | Cloudflare Dashboard analytics (traffic patterns, error rates, threat intelligence), Umami analytics (visitor anomalies), Telegram real-time alerts on every form submission
Maintenance | Vulnerability response | security.txt published, dedicated security report form

Architecture & Attack Surface

We employ a serverless architecture that eliminates traditional server-side attack vectors.

  • No servers — static site on Cloudflare Pages, backend on Cloudflare Workers
  • No SSH/RDP — no remote access to servers (there are none)
  • No OS-level patching — no operating system to maintain or patch
  • Stateless edge compute — Workers are stateless, data stored only in D1
  • Immutable deployments — each deploy is a new snapshot

Infrastructure Partner Certifications

Core infrastructure is delegated to Cloudflare, Inc., a provider with extensive security certifications. This minimizes our attack surface while leveraging enterprise-grade security controls.

Certification | Description
ISO 27001:2022 | Information Security Management System
ISO 27701:2019 | Privacy Information Management (PIMS)
ISO 27018:2019 | PII protection in public clouds
SOC 2 Type II | Security, Confidentiality, Availability audit
PCI DSS Level 1 | Payment card data protection (highest tier)
C5:2020 (BSI) | German Cloud Computing Compliance Criteria
EU-US Data Privacy Framework | Legal mechanism for US data transfers
EU Cloud Code of Conduct | European cloud security principles

Cloudflare's Data Processing Addendum (DPA) applies to all accounts and covers EU Standard Contractual Clauses. D1 database operates with EU jurisdiction — data physically resides in the European Union.

Technical Measures

We implement defense-in-depth measures proportionate to the data we process.

Layer | Measure | Detail
Transport | TLS 1.3 | All connections encrypted, HSTS enabled
Storage | IP hashing | SHA-256 with unique salt, non-reversible
Anti-bot | HMAC tokens | Single-use, time-limited form tokens
Rate limiting | Per-IP hash | Adaptive rate limits configured per endpoint and globally, calibrated for security and business requirements
Input validation | Server-side | Strict sanitization, length limits, type checks
Honeypot | Hidden field | Silent spam detection
Headers | Security headers | Managed by Cloudflare infrastructure — X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy. Serverless architecture eliminates risks of misconfigured application servers.
Analytics | Privacy-first | No cookies, no PII, fully anonymized
Data residency | EU jurisdiction | Cloudflare D1 with EU data location

Organizational Measures

Access to personal data and infrastructure is strictly limited.

  • Single operator — only the site owner has access to Cloudflare Dashboard, D1 database, and Worker secrets
  • Multi-factor authentication (MFA) enabled on all infrastructure accounts
  • No shared credentials — all secrets stored in Cloudflare encrypted environment
  • No third-party access to infrastructure
  • Private version control — source code in private Git repository
  • Zero standing access — no persistent connections to data stores

Compliance Alignment

Our security practices are aligned with ISO 27001 control objectives. We have not pursued formal certification but maintain documented implementation of applicable controls.

Domain | Name | Status
A.5 | Information security policies | Documented security approach (this page)
A.6 | Organization of information security | Single operator, clear responsibilities
A.8 | Asset management | Inventory of data assets maintained (ROPA)
A.9 | Access control | MFA, single operator, no shared credentials
A.10 | Cryptography | TLS 1.3, SHA-256 hashing with salt
A.12 | Operations security | Immutable deployments, monitoring
A.13 | Communications security | All transit encrypted, CORS, origin validation
A.14 | System development | Secure SDLC practices (see above)
A.16 | Incident management | Documented incident response plan maintained
A.17 | Business continuity | Documented business continuity plan maintained
A.18 | Compliance | GDPR compliance documented, ROPA maintained

We also maintain documented Incident Response and Business Continuity plans. Records of Processing Activities (ROPA) are maintained in accordance with GDPR Article 30.

Incident Response

We maintain a documented incident response procedure aligned with GDPR Articles 33-34. The plan covers detection, containment, assessment, notification (supervisory authority within 72 hours, data subjects when required), remediation, and post-incident review.

Responsible Disclosure

We welcome security reports from researchers and the public.

Report a Security Issue

If you've found a vulnerability or security concern related to this website, please let us know. We take all reports seriously and will respond within 5 business days.

For confidential submissions, you may encrypt your message using our PGP public key.

Do not include exploit code, proof-of-concept scripts, or credentials in this form. If we need technical details, we will request them securely via email.

Rate limits are configured based on security requirements and business needs to prevent abuse.

This form collects the minimum data necessary to process your security report. Your name is optional. Report data is retained until the issue is resolved and deleted within 90 days of closure.