thefullstackciso.com
Security, shipped
Vol. I — No. 1Falls Church, Va.Thursday, July 16, 2026Price: free, always

the posture desk

Does this site pass its own audit?

A security writer’s site should be exemplary. This page checks the live response headers of the page you are reading, in your browser, right now.


ControlExpectedLive
Content-Security-Policyno inline-script holesscript-src 'self'checking…
Strict-Transport-SecurityHTTPS pinnedmax-age ≥ 2ychecking…
X-Content-Type-Optionsno MIME sniffingnosniffchecking…
Referrer-Policyleak-resistant referersstrict-origin-when-cross-originchecking…
Permissions-Policypowerful features deniedcamera/mic/geo offchecking…
X-Frame-Optionsclickjacking blockedDENYchecking…
/.well-known/security.txtdisclosure contact publishedreachablechecking…

Last checked · checked in your browser, not cached.

also true of this site
  • Fonts are self-hosted — no third-party request to load type.
  • No analytics, no trackers, no third-party cookies.
  • Every script is same-origin and bundled; script-src 'self' with no unsafe-inline.
  • Static site — there is no server to compromise; the database is reached under row-level security.
  • Full source of this posture check is on the page you are reading.