A security leader's website should show its work.

Anyone can claim to take security seriously. This page lists what this site actually does: verify it yourself with any header scanner.

Strict Content Security Policy
Every resource on this site must come from this domain. No inline scripts, no inline styles, no exceptions. The default is to block everything: anything allowed is opted in explicitly.
HSTS with preload
Your browser is told to talk to this site only over HTTPS for the next two years, subdomains included. The preload directive additionally marks the domain for browsers' built-in HSTS lists, which is what protects even a first visit that has never seen the header.
No third parties. None.
No analytics, no trackers, no CDN fonts, no external requests of any kind. The fonts are hosted here. What you do on this site stays between you and this site.
Responsible disclosure
If you find a weakness in this site, I want to know. A standard file on this domain, /.well-known/security.txt (RFC 9116), tells security researchers how to reach me. Every report gets a reply.
Hardened headers
X-Content-Type-Options: nosniff, Referrer-Policy, Permissions-Policy, a frame-ancestors directive in the CSP (which supersedes X-Frame-Options), Cross-Origin-Opener-Policy (COOP) and Cross-Origin-Resource-Policy (CORP): the full set, not just the ones scanners check.
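As an added example (not this site's own code), the script below audits a set of response headers against the policy described in the three sections above: a CSP that denies by default and allows nothing but 'self', an HSTS header with a two-year max-age, includeSubDomains and preload, and the remaining hardened headers. Both header sets, the one it accepts and the weak one it rejects, are constructed for the example rather than captured from this site.

```javascript
// Added example, not the site's own code. Header values are constructed for the
// example, not captured from any real server.

// Headers as this page describes them.
const HARDENED_HEADERS = {
  "content-security-policy":
    "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'; " +
    "font-src 'self'; connect-src 'self'; form-action 'self'; base-uri 'none'; " +
    "frame-ancestors 'none'",
  "strict-transport-security": "max-age=63072000; includeSubDomains; preload",
  "x-content-type-options": "nosniff",
  "referrer-policy": "no-referrer",
  "permissions-policy": "camera=(), microphone=(), geolocation=()",
  "cross-origin-opener-policy": "same-origin",
  "cross-origin-resource-policy": "same-origin",
};

// A typical "we set a CSP" configuration that the checks below should reject.
const WEAK_HEADERS = {
  "content-security-policy":
    "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example.net; " +
    "style-src 'self' 'unsafe-inline'; font-src https://fonts.gstatic.com",
  "strict-transport-security": "max-age=31536000",
  "x-content-type-options": "nosniff",
};

// Parse a CSP value into { directive: [source, ...] }.
function parseCsp(value) {
  const policy = {};
  for (const part of value.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Parse an HSTS value into { maxAge, includeSubDomains, preload }.
function parseHsts(value) {
  const out = { maxAge: 0, includeSubDomains: false, preload: false };
  for (const raw of value.split(";")) {
    const token = raw.trim().toLowerCase();
    if (token.startsWith("max-age=")) out.maxAge = Number(token.slice("max-age=".length));
    else if (token === "includesubdomains") out.includeSubDomains = true;
    else if (token === "preload") out.preload = true;
  }
  return out;
}

const TWO_YEARS = 2 * 365 * 24 * 60 * 60; // 63072000 seconds

// Returns a list of findings; an empty list means the headers meet the policy.
function auditHeaders(headers) {
  const findings = [];

  const csp = headers["content-security-policy"];
  if (!csp) {
    findings.push("CSP: header missing");
  } else {
    const policy = parseCsp(csp);
    if (!(policy["default-src"] || []).includes("'none'")) {
      findings.push("CSP: default-src is not 'none' (not deny-by-default)");
    }
    if (!policy["frame-ancestors"]) findings.push("CSP: frame-ancestors missing");
    for (const [directive, sources] of Object.entries(policy)) {
      for (const src of sources) {
        // Only 'self' and 'none' pass: no 'unsafe-inline', no nonces or hashes
        // (still inline code), no external hosts, no schemes such as data:.
        if (src !== "'self'" && src !== "'none'") {
          findings.push(`CSP: ${directive} allows ${src}`);
        }
      }
    }
  }

  const hsts = headers["strict-transport-security"];
  if (!hsts) {
    findings.push("HSTS: header missing");
  } else {
    const h = parseHsts(hsts);
    if (h.maxAge < TWO_YEARS) findings.push(`HSTS: max-age ${h.maxAge} is below two years`);
    if (!h.includeSubDomains) findings.push("HSTS: includeSubDomains missing");
    if (!h.preload) findings.push("HSTS: preload missing");
  }

  // null means any value is accepted; only presence is checked.
  const required = {
    "x-content-type-options": "nosniff",
    "referrer-policy": null,
    "permissions-policy": null,
    "cross-origin-opener-policy": "same-origin",
    "cross-origin-resource-policy": "same-origin",
  };
  for (const [name, expected] of Object.entries(required)) {
    const value = headers[name];
    if (value === undefined) findings.push(`${name}: header missing`);
    else if (expected !== null && value.trim().toLowerCase() !== expected) {
      findings.push(`${name}: expected ${expected}, got ${value}`);
    }
  }
  return findings;
}

console.log("hardened:", auditHeaders(HARDENED_HEADERS));
console.log("weak:", auditHeaders(WEAK_HEADERS));
```

Run it with node. To audit a live site, replace the constructed objects with the headers from a `curl -sI` response, with the header names lowercased. The CSP check is deliberately stricter than most scanners: a nonce or hash source is still inline code, so it is flagged alongside 'unsafe-inline' and external hosts.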
Minimal attack surface
The site is static files plus exactly one API function (the contact form), which validates input, rate-limits, and sends plain text only.
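One shape such a function can take, as an added example rather than this site's actual handler: the field limits, the five-requests-per-hour window and the injected `send` mailer are assumptions made for the example.

```javascript
// Added example, not this site's contact function. Field limits, the
// five-per-hour window and the injected `send` mailer are assumptions.
const LIMITS = { name: 100, email: 254, message: 4000 }; // max characters
const RATE = { max: 5, windowMs: 60 * 60 * 1000 };       // per client address
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;           // deliberately simple

// Sliding-window counter keyed by client address, kept in memory.
class RateLimiter {
  constructor(max, windowMs) {
    this.max = max;
    this.windowMs = windowMs;
    this.hits = new Map();
  }
  // Returns true if the request may proceed, false once the window is full.
  allow(key, now) {
    const recent = (this.hits.get(key) || []).filter((t) => now - t < this.windowMs);
    if (recent.length >= this.max) {
      this.hits.set(key, recent);
      return false;
    }
    recent.push(now);
    this.hits.set(key, recent);
    return true;
  }
}

// Validate and normalise the parsed JSON body. Returns { ok: true, fields } or
// { ok: false, error }. Every field must be a non-empty string within its limit.
function validate(body) {
  if (typeof body !== "object" || body === null) {
    return { ok: false, error: "body must be a JSON object" };
  }
  const fields = {};
  for (const [field, max] of Object.entries(LIMITS)) {
    const value = body[field];
    if (typeof value !== "string") return { ok: false, error: `${field} must be a string` };
    // name and email end up in mail headers (Subject, Reply-To): fold any line
    // breaks so a value like "a@b.c\nBcc: x@y.z" cannot inject a header.
    // The message is body text, so only its line endings are normalised.
    const cleaned =
      field === "message" ? value.replace(/\r\n?/g, "\n") : value.replace(/[\r\n]+/g, " ");
    const trimmed = cleaned.trim();
    if (trimmed.length === 0) return { ok: false, error: `${field} is required` };
    if (trimmed.length > max) return { ok: false, error: `${field} exceeds ${max} characters` };
    fields[field] = trimmed;
  }
  if (!EMAIL_RE.test(fields.email)) return { ok: false, error: "email is not valid" };
  return { ok: true, fields };
}

const defaultLimiter = new RateLimiter(RATE.max, RATE.windowMs);

// The single API function. `req` is { method, ip, body } with body already
// parsed from JSON. `send` is injected so the example runs without a mail
// provider; `limiter` and `now` can be overridden for testing.
function handleContact(req, { send, limiter = defaultLimiter, now = Date.now() }) {
  if (req.method !== "POST") return { status: 405, body: "method not allowed" };
  // Rate-limit before validating so malformed spam counts against the sender too.
  if (!limiter.allow(req.ip, now)) return { status: 429, body: "too many requests" };
  const result = validate(req.body);
  if (!result.ok) return { status: 400, body: result.error };
  const { name, email, message } = result.fields;
  // Plain text only: there is no html field, and nothing from the form is
  // rendered back into a page.
  send({
    replyTo: email,
    subject: `Contact form: ${name}`,
    text: `From: ${name} <${email}>\n\n${message}`,
  });
  return { status: 200, body: "ok" };
}

// Stand-alone demonstration with a mailer that just records what it was given.
const demoSent = [];
const demoReq = {
  method: "POST",
  ip: "198.51.100.7", // constructed address
  body: { name: "Ada", email: "ada@example.org", message: "Hello from the form." },
};
console.log(handleContact(demoReq, { send: (m) => demoSent.push(m) }));
console.log(demoSent[0].text);
```

The order of the checks is the point: method, then rate limit, then validation, then a mailer that only ever receives a `text` field. Rejected requests return a short fixed string rather than echoing the submitted values.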

Verify: securityheaders.com · internet.nl
