How This Site Is Secured
Last updated: July 2026
This page lists only the controls that are actually shipped in this site's code today, in plain language. Nothing below is aspirational, and nothing is omitted because it's inconvenient — see "What This Site Does Not Have" at the end.
Content Security Policy & Security Headers
Every response carries a strict, nonce-based Content-Security-Policy: scripts load only from this origin, using a fresh cryptographic nonce generated per request — nounsafe-inlineand no wildcard script sources. The policy also locks object-src to none, base-uri to this site, and form-actionto this site. Network connections from the page are limited to this origin, Supabase, and Vercel's own analytics endpoint — no other origin can receive data from a page load. The only cross-origin frame permitted is Calendly's scheduling widget.
Every response also sets:
- Strict-Transport-Security— one year, including subdomains, with the preload flag set (this site is eligible for browsers' built-in HSTS preload lists)
- X-Frame-Options: SAMEORIGIN — this site cannot be framed by another site
- X-Content-Type-Options: nosniff — browsers are blocked from MIME-sniffing responses into an unintended type
- A strict-origin-when-cross-origin Referrer-Policy — the full URL is only ever sent to this site itself
- A Permissions-Policy that disables geolocation, microphone, camera, and payment APIs by default
Data Storage & Row-Level Security
Every table in the database has Row-Level Security enabled. Tables that don't need a public write path run deny-by-default: no policy grants the anonymous or authenticated role any access at all. The table behind this site's lead-magnet capture additionally forcesRow-Level Security, so not even the table owner can bypass it over Supabase's REST API. The one table with a public entry point — contact form submissions — allows an anonymous insert constrained at the database level to the same shape already enforced by this site's own validation; reads, updates, and deletes stay restricted to the server.
This is defense-in-depth for the REST surface, not the mechanism that authorizes this site's own writes. This site's Server Actions write to the database directly, using a role that legitimately bypasses Row-Level Security, so Row-Level Security is not what validates or authorizes a form submission. The actual write guard is the combination described below: server-side validation, a honeypot, and IP-based rate limiting.
Secrets & Configuration
Database credentials, the email-delivery provider's API key, and any service-role credential live only in server-side environment variables. Next.js only exposes a variable to the browser if its name is explicitly prefixed NEXT_PUBLIC_— none of this site's secrets carry that prefix, and none are committed to source control. The only publicly-visible configuration is Supabase's project URL and its anonymous key — both are meant to be public and are constrained by the Row-Level Security described above, not by secrecy.
Forms: Validation, Honeypots & Rate Limiting
Every public form on this site — the contact form and the lead-magnet capture form — validates all input against a schema before anything touches the database, rejecting malformed or out-of-range values server-side rather than trusting client-side validation alone. Each also carries a hidden honeypot field: a bot that fills it in receives a fake success response, and nothing is persisted. Each is rate-limited per IP address, with a lower per-address ceiling and a global ceiling on submissions per minute, to blunt automated abuse without requiring a CAPTCHA.
No Third-Party Tracking
Analytics on this site are first-party and same-origin: Vercel Web Analytics, which reports back to this domain rather than a third party. There is no Google Analytics, no advertising pixel, no session-replay tool, and no third-party analytics or tracking script of any kind — the Content-Security-Policy above would block one even if it were added by mistake.
Vulnerability Disclosure
If you find a security issue on this site, please report it to david@davidmatousek.com. This site also publishes a /.well-known/security.txt file (RFC 9116) with the same contact, for automated security tooling.
What This Site Does Not Have
In the interest of not overstating this site's security posture: there is no web application firewall in front of this site, it has not undergone a third-party penetration test, and it holds no compliance certification (SOC 2, ISO 27001, or otherwise). The controls above are real and currently shipped — they are not a substitute for independent verification.