A security leader's website should show its work.

Anyone can claim to take security seriously. This page lists what this site actually does — verify it yourself with any header scanner.

Strict Content Security Policy
Every resource on this site must come from this domain. No inline scripts, no inline styles, no exceptions. Default is 'none' — everything else is opted in explicitly.
HSTS with preload
Your browser is told to only ever talk to this site over HTTPS, for the next two years, including subdomains.
No third parties. None.
No analytics, no trackers, no CDN fonts, no external requests of any kind. The fonts are hosted here. What you do on this site stays between you and this site.
security.txt
Found something? /.well-known/security.txt tells you exactly how to reach me. Responsible disclosure is welcome and answered.
Hardened headers
X-Content-Type-Options, Referrer-Policy, Permissions-Policy, frame-ancestors, COOP and CORP — the full set, not just the ones scanners check.
Minimal attack surface
The site is static files plus exactly one API function (the contact form), which validates input, rate-limits, and sends plain text only.

Verify: securityheaders.com · internet.nl
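The claims above can also be checked offline against a captured set of response headers. This is an added example, not this site's own code: the sample headers are constructed, and the exact two-year value in seconds and the rule that only 'self' and 'none' count as same-domain sources are assumptions drawn from the wording above.

```python
import re

TWO_YEARS = 63072000  # assumption: "two years" as 2 * 365 days, in seconds
ALLOWED = {"'self'", "'none'"}  # assumption: strict reading of "must come from this domain"

def parse_csp(value):
    """Split a CSP header into {directive: [sources]}; first occurrence wins."""
    policy = {}
    for part in value.split(";"):
        tokens = part.lower().split()
        if tokens:
            policy.setdefault(tokens[0], tokens[1:])
    return policy

def audit(headers):
    """Return findings; an empty list means every claim on the page holds."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = parse_csp(h.get("content-security-policy", ""))
    out = []
    if csp.get("default-src") != ["'none'"]:
        out.append("CSP: default-src is not 'none'")
    if "frame-ancestors" not in csp:
        out.append("CSP: frame-ancestors missing")
    out += [f"CSP: {d} allows {s}" for d, srcs in csp.items() for s in srcs if s not in ALLOWED]
    hsts = h.get("strict-transport-security", "").lower()
    age = re.search(r"max-age=(\d+)", hsts)
    if not age or int(age.group(1)) < TWO_YEARS:
        out.append("HSTS: max-age under two years")
    out += [f"HSTS: {f} missing" for f in ("includesubdomains", "preload") if f not in hsts]
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        out.append("X-Content-Type-Options: not nosniff")
    required = ("referrer-policy", "permissions-policy",
                "cross-origin-opener-policy", "cross-origin-resource-policy")
    out += [f"{n}: missing" for n in required if not h.get(n, "").strip()]
    return out

# Constructed sample headers (not captured from this site).
GOOD = {
    "Content-Security-Policy": "default-src 'none'; script-src 'self'; style-src 'self'; "
                               "font-src 'self'; form-action 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
    "Permissions-Policy": "geolocation=(), camera=(), microphone=()",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Resource-Policy": "same-origin",
}
WEAK = {**GOOD, "Strict-Transport-Security": "max-age=31536000",
        "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.example"}
```

Pass audit() the header dictionary from a response fetched with any HTTP client; GOOD yields no findings and WEAK yields one finding per gap.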
