the posture desk
Does this site pass its own audit?
A security writer’s site should be exemplary. This page checks the live response headers of the page you are reading, in your browser, right now.
| Control | Expected | Live |
|---|---|---|
| Content-Security-Policyno inline-script holes | script-src 'self' | checking… |
| Strict-Transport-SecurityHTTPS pinned | max-age ≥ 2y | checking… |
| X-Content-Type-Optionsno MIME sniffing | nosniff | checking… |
| Referrer-Policyleak-resistant referers | strict-origin-when-cross-origin | checking… |
| Permissions-Policypowerful features denied | camera/mic/geo off | checking… |
| X-Frame-Optionsclickjacking blocked | DENY | checking… |
| /.well-known/security.txtdisclosure contact published | reachable | checking… |
Last checked — · checked in your browser, not cached.
also true of this site
- Fonts are self-hosted — no third-party request to load type.
- No analytics, no trackers, no third-party cookies.
- Every script is same-origin and bundled;
script-src 'self'with nounsafe-inline. - Static site — there is no server to compromise; the database is reached under row-level security.
- Full source of this posture check is on the page you are reading.