This repository contains the code for my personal website, which showcases my IT experience, projects, and resume.
- HTML5, CSS3, JavaScript
- index.html – Homepage
- pport.css – Styles
- pport.js – JavaScript functionality
- Resume.Designed.Public.pdf – Updated resume
- Resume.ATS.Public.pdf – ATS-friendly resume
Open index.html in your browser or deploy to a static hosting service (e.g., AWS S3 + CloudFront).
This website implements modern web security practices using CloudFront response headers, Content Security Policy (CSP), and Subresource Integrity (SRI) for external resources.
1️⃣ HTTPS & TLS
- Enforced HTTPS only.
- TLSv1.2_2021 enabled (recommended) with optional TLSv1.3_2025 support for modern browsers.
- HTTP/2 enabled for faster performance.
- HTTP → HTTPS redirects and HSTS ensure encrypted traffic.
2️⃣ HTTP Security Headers

Strict-Transport-Security (HSTS): `max-age=31536000; preload; includeSubDomains`
Reason: Forces HTTPS for the site and all of its subdomains, and marks the domain as eligible for browser preload lists.

X-Content-Type-Options: `nosniff`
Reason: Prevents MIME type sniffing to reduce XSS risk.

X-Frame-Options: `DENY`
Reason: Blocks the site from being embedded in iframes to prevent clickjacking.

Referrer-Policy: `strict-origin-when-cross-origin`
Reason: Limits the referrer information sent to other sites (origin only) while same-origin requests still receive the full referrer.

Content-Security-Policy (CSP):
```
default-src 'self';
connect-src 'self' https://api.github.com;
script-src 'self' https://cdn.jsdelivr.net https://cdnjs.cloudflare.com;
style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com;
font-src 'self' https://fonts.gstatic.com https://cdnjs.cloudflare.com;
img-src 'self' data: https:;
object-src 'none';
base-uri 'self';
```
Inline scripts/styles are protected using SRI hashes.

Permissions-Policy: `geolocation=(), camera=(), microphone=(), payment=(), fullscreen=()`
Reason: Disables unused browser features to reduce attack surface.

X-Permitted-Cross-Domain-Policies: `none`
Reason: Prevents legacy Flash/Adobe cross-domain policy attacks.
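The headers listed in sections 1 and 2 are only effective if the deployed distribution actually sends them. The script below is an added example (my code, not part of this repository): it parses a raw header dump in the form `curl -I` prints it and audits it against the values this README specifies. The header dump is constructed from this README, not captured from the live site.

```python
import re

# Constructed sample: the response headers this README describes, laid out
# the way `curl -I` would print them. Not captured from the real site.
SAMPLE_HEADERS = """\
HTTP/2 200
content-type: text/html
strict-transport-security: max-age=31536000; preload; includeSubDomains
x-content-type-options: nosniff
x-frame-options: DENY
referrer-policy: strict-origin-when-cross-origin
content-security-policy: default-src 'self'; connect-src 'self' https://api.github.com; script-src 'self' https://cdn.jsdelivr.net https://cdnjs.cloudflare.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; font-src 'self' https://fonts.gstatic.com https://cdnjs.cloudflare.com; img-src 'self' data: https:; object-src 'none'; base-uri 'self'
permissions-policy: geolocation=(), camera=(), microphone=(), payment=(), fullscreen=()
x-permitted-cross-domain-policies: none
"""

ONE_YEAR = 31536000  # seconds; the max-age this README uses for HSTS


def parse_headers(raw: str) -> dict:
    """Parse a raw header dump into a lower-cased name -> value dict.
    The status line is skipped; a repeated name keeps its last value."""
    headers = {}
    for line in raw.splitlines():
        if ":" not in line or line.startswith("HTTP/"):
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_csp(policy: str) -> dict:
    """Split a CSP string into {directive: [source tokens]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_headers(raw: str) -> list:
    """Check a header dump against the README's policy; return findings
    (an empty list means every check passed)."""
    h = parse_headers(raw)
    findings = []

    # HSTS: present, at least one year, covering subdomains.
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    if not m:
        findings.append("HSTS missing")
    else:
        if int(m.group(1)) < ONE_YEAR:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options does not block framing")
    safe_referrer = ("no-referrer", "same-origin", "strict-origin",
                     "strict-origin-when-cross-origin")
    if h.get("referrer-policy", "").lower() not in safe_referrer:
        findings.append("Referrer-Policy is weak or missing")

    # CSP: plugins disabled, <base> pinned, no inline script execution.
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing")
    else:
        d = parse_csp(csp)
        if d.get("object-src") != ["'none'"]:
            findings.append("CSP object-src should be 'none'")
        if "base-uri" not in d:
            findings.append("CSP base-uri missing")
        if "'unsafe-inline'" in d.get("script-src", d.get("default-src", [])):
            findings.append("CSP allows inline scripts")
        if "'unsafe-inline'" in d.get("style-src", []):
            findings.append("CSP style-src allows 'unsafe-inline' (informational)")

    if "permissions-policy" not in h:
        findings.append("Permissions-Policy missing")
    return findings


if __name__ == "__main__":
    for finding in audit_headers(SAMPLE_HEADERS) or ["all checks passed"]:
        print(finding)
```

Run against the sample, the only finding is the informational note about `'unsafe-inline'` in `style-src`, which matches the CSP notes later in this README; pointing `curl -I` at the deployed site and feeding its output to `audit_headers` turns the policy into a repeatable check.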
3️⃣ Subresource Integrity (SRI)

External scripts and stylesheets from CDNs include SRI hashes to ensure they have not been tampered with:

```html
<link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Orbitron:wght@600&family=Inter:wght@400;600&display=swap" integrity="sha384-uGTMR15+5CCKov131zL8GQeyqubqytr4M18FhdnhS7cf8hLrURthi5lXuB2ZT0G7" crossorigin="anonymous">
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/6.4.0/css/all.min.css" integrity="sha384-iw3OoTErCYJJB9mCa8LNS2hbsQ7M3C0EpIsO/H5+EGAkPGc6rk+V8i04oW/K5xq0" crossorigin="anonymous">
<script src="https://cdn.jsdelivr.net/particles.js/2.0.0/particles.min.js" integrity="sha384-d+UOwmNNIC7V4izkTAKSXzWhjC2GxiS9PTykO1XdOPC3nc2z65UOS7SP6QdKPA70" crossorigin="anonymous"></script>
```

Any modification to the external file will be blocked by the browser until the hash is updated.
Only pinned versions of CDN libraries are used to ensure stability.
4️⃣ Content Security Policy Notes
- Inline styles currently use 'unsafe-inline' for simplicity.
- All external resources are allowed only from trusted CDNs.
- Optional future improvement: replace 'unsafe-inline' with CSP hashes to fully eliminate inline style risk.
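The following added example (my code, not from this repository) covers both the SRI section and the CSP note above. It computes an `integrity` value for fetched bytes, verifies a response against that attribute the way a browser does (the strongest listed algorithm decides), and produces the CSP hash-source that lets `'unsafe-inline'` be dropped from `style-src`. The JavaScript and inline CSS it hashes are constructed stand-ins, not the real CDN files or the site's stylesheet. Two caveats the code makes visible: SRI only protects resources fetched via `src`/`href`, so inline content needs the CSP hash-source instead, and a CSP hash covers the exact text between the tags, so any whitespace edit invalidates it.

```python
import base64
import hashlib

# Constructed stand-ins (not the real files): bytes that would be fetched
# from a CDN, and the body of an inline <style> block in index.html.
EXTERNAL_JS = b"window.particlesJS = function () { /* constructed stand-in */ };\n"
INLINE_STYLE = "body { margin: 0; background: #0b0f1a; }"

# The style-src from this README, used to show the 'unsafe-inline' replacement.
CURRENT_CSP = (
    "default-src 'self'; "
    "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://cdnjs.cloudflare.com; "
    "object-src 'none'; base-uri 'self'"
)

# Algorithms SRI recognises, ordered by strength (browsers ignore others).
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def _digest_b64(data: bytes, algo: str) -> str:
    """Standard base64 of the raw digest, as both SRI and CSP expect."""
    return base64.b64encode(hashlib.new(algo, data).digest()).decode("ascii")


def sri_integrity(data: bytes, algo: str = "sha384") -> str:
    """Value for an integrity="" attribute, e.g. 'sha384-<base64>'."""
    return f"{algo}-{_digest_b64(data, algo)}"


def sri_verify(data: bytes, integrity: str) -> bool:
    """Browser-style check: an attribute may list several hashes; only the
    strongest recognised algorithm counts, and any matching digest of that
    strength passes. Unlike a browser (which ignores an attribute with no
    recognised algorithm and loads the file), this fails closed so a typo
    in the attribute is noticed during review."""
    parsed = []
    for token in integrity.split():
        algo, _, digest = token.partition("-")
        if algo.lower() in STRENGTH and digest:
            parsed.append((algo.lower(), digest))
    if not parsed:
        return False
    strongest = max(STRENGTH[a] for a, _ in parsed)
    return any(_digest_b64(data, a) == d for a, d in parsed if STRENGTH[a] == strongest)


def script_tag(src: str, data: bytes) -> str:
    """Emit a pinned <script> tag for bytes already fetched and reviewed."""
    return (f'<script src="{src}" integrity="{sri_integrity(data)}" '
            f'crossorigin="anonymous"></script>')


def csp_hash_source(inline_text: str, algo: str = "sha256") -> str:
    """CSP hash-source for an inline <style>/<script> body. The hash is over
    the exact text between the tags (UTF-8), so whitespace changes break it."""
    return f"'{algo}-{_digest_b64(inline_text.encode('utf-8'), algo)}'"


def harden_style_src(policy: str, inline_blocks) -> str:
    """Drop 'unsafe-inline' from style-src and allow each inline block by hash;
    every other directive is passed through unchanged."""
    directives = []
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        if tokens[0].lower() == "style-src":
            tokens = [t for t in tokens if t != "'unsafe-inline'"]
            tokens += [csp_hash_source(block) for block in inline_blocks]
        directives.append(" ".join(tokens))
    return "; ".join(directives)


if __name__ == "__main__":
    print(script_tag("https://cdn.example/particles.min.js", EXTERNAL_JS))  # placeholder URL
    print("tampered copy accepted:",
          sri_verify(EXTERNAL_JS + b"//", sri_integrity(EXTERNAL_JS)))
    print(harden_style_src(CURRENT_CSP, [INLINE_STYLE]))
```

The `crossorigin="anonymous"` attribute is part of the technique, not decoration: without CORS the browser cannot read the cross-origin bytes to hash them and treats the integrity check as failed.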
This website is fully secured for a personal static portfolio:
- HTTPS only, with strong TLS/ciphers
- CSP for trusted resources
- Inline protection via SRI
- Clickjacking and MIME-sniffing protections
- Disabled unused browser features
- Legacy plugin protections (X-Permitted-Cross-Domain-Policies)