Last updated: Right after I watched that cybersecurity documentary and got paranoid
This policy explains how I keep your data secure, which is like trying to protect a sandcastle from the tide, but with more encryption and fewer seashells.
Welcome to my security policy! This document is probably more exciting than it sounds, and definitely more honest than most security policies you've read. I'll explain how I protect your information using a combination of industry best practices, common sense, and a healthy dose of paranoia.
Think of me as your friendly neighborhood Spider-Man, but instead of fighting crime, I'm fighting data breaches and poorly configured servers.
Every page on this website uses HTTPS, which means all communication between your browser and my server is encrypted, and the certificate lets your browser check that it is really talking to my site and not to an impostor. It's like having a conversation in a secret code, except the code is really, really good and I didn't make it up myself.
This protects your data from eavesdroppers, man-in-the-middle attacks, and nosy neighbors with too much time on their hands. (If your browser ever shows a certificate warning for my site, don't click through it; that warning is the whole point.)
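As an added illustration (this is example code, not anything taken from this site), here is a small JavaScript check for the HTTPS setting that is easiest to forget: the Strict-Transport-Security header, which tells a browser to refuse plain HTTP for your domain after the first visit. The parser follows the directive syntax from RFC 6797, and the evaluation applies the HSTS preload list's requirements (max-age of at least one year, includeSubDomains, preload). The header values at the bottom are constructed samples, not responses captured from this site.

```javascript
// Added example (not from the original page): parse a Strict-Transport-Security
// header and check it against the HSTS preload requirements
// (max-age >= 31536000, includeSubDomains, preload).
// The header values at the bottom are constructed for this demonstration.

function parseHsts(headerValue) {
  const policy = { maxAge: null, includeSubDomains: false, preload: false };
  if (typeof headerValue !== 'string') return policy;
  for (const rawDirective of headerValue.split(';')) {
    const directive = rawDirective.trim();
    if (!directive) continue;
    const [name, value] = directive.split('=').map((s) => s.trim());
    switch (name.toLowerCase()) {
      case 'max-age': {
        // RFC 6797: max-age is a non-negative integer number of seconds;
        // some servers wrap it in quotes, so strip those before parsing.
        const seconds = Number.parseInt((value || '').replace(/^"|"$/g, ''), 10);
        if (Number.isInteger(seconds) && seconds >= 0) policy.maxAge = seconds;
        break;
      }
      case 'includesubdomains':
        policy.includeSubDomains = true;
        break;
      case 'preload':
        policy.preload = true;
        break;
      default:
        // Unknown directives are ignored, as RFC 6797 requires.
        break;
    }
  }
  return policy;
}

const ONE_YEAR = 31536000; // preload minimum, in seconds

function evaluateHsts(headerValue) {
  const policy = parseHsts(headerValue);
  const problems = [];
  if (policy.maxAge === null) {
    problems.push('no valid max-age directive: browsers ignore the whole header');
  } else if (policy.maxAge === 0) {
    problems.push('max-age=0 removes the policy instead of enforcing it');
  } else if (policy.maxAge < ONE_YEAR) {
    problems.push(`max-age ${policy.maxAge} is below the one-year preload minimum`);
  }
  if (!policy.includeSubDomains) problems.push('missing includeSubDomains');
  if (!policy.preload) problems.push('missing preload');
  return { policy, preloadReady: problems.length === 0, problems };
}

// Constructed sample headers (not captured from any real site)
const samples = {
  strong: 'max-age=63072000; includeSubDomains; preload',
  weak: 'max-age=300',
  broken: 'includeSubDomains; preload',
};
for (const [name, value] of Object.entries(samples)) {
  const result = evaluateHsts(value);
  console.log(name, result.preloadReady ? 'preload-ready' : result.problems.join('; '));
}
```

The "broken" sample is the instructive one: a header without a parseable max-age is discarded by browsers entirely, so the site silently gets no HSTS protection at all, which is worse than a short max-age.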
My website is hosted on Vercel, which is like having a team of security experts watching over my site 24/7, except they're much more qualified than I am and they probably drink less coffee.
Vercel handles things like DDoS protection, automatic security updates, and making sure my website doesn't accidentally become part of a botnet (which would be embarrassing for everyone involved).
I keep all my website components and dependencies updated, because outdated software is like wearing a "Hack Me" sign on the internet. I check for updates more often than I check my social media, which is saying something.
I've implemented the most secure data storage solution known to mankind: not storing data at all. There's no database behind this site, and nothing you type here is written to a server I run. It's like having an impenetrable vault by not owning anything worth stealing. Revolutionary, I know.
This approach has a 100% success rate against database breaches, mainly because there's no database to breach. It's the digital equivalent of being too broke to get robbed. (The two things that do leave your browser, contact form messages and analytics events, are covered below.)
When you submit a contact form, your message goes directly to my email via a secure form service. It's like passing a note in class, except the note is encrypted and the teacher is Gmail.
I use Google Analytics to understand how people use my website. Google has pretty good security practices, considering they're one of the biggest tech companies in the world and have entire teams dedicated to not getting hacked.
All the analytics data goes straight to Google's servers, where it's protected by people who actually know what they're doing and have budgets larger than my monthly coffee expenses.
What I see is anonymized and aggregated: my reports tell me that someone from your general area visited my website, not that it was specifically you or that you spent 20 minutes looking at my project screenshots. Google itself receives the raw events and handles them under its own privacy policy, so if you'd rather not be counted at all, an ad or tracker blocker will stop the analytics script from loading.
When you contact me through the website, your message might be processed by email service providers that have security certifications I can't even pronounce. They encrypt data at rest and in transit, which is more than I can say for my personal email account.
Only I have access to the website's backend, and I protect my accounts with strong passwords and two-factor authentication. My password is not "password123" or my birthday, despite what my family might guess.
I follow secure coding practices, which means I don't leave obvious vulnerabilities in my code like SQL injection points (easy, since there's no database) or XSS holes (anything you type into a form gets escaped rather than dropped into the page as-is). I also don't hardcode passwords or API keys, because that would be like leaving your house key under a doormat labeled "House Key."
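Two of those habits, shown as an added JavaScript example (illustrative code, not the site's own): escaping user-supplied text before it lands in HTML, and reading an API key from the environment instead of the source, with a small pattern check for keys that got committed anyway. The message, the FORM_SERVICE_API_KEY variable name, the secret patterns and the snippet of "source" that gets scanned are all made up for the demonstration.

```javascript
// Added example (not from the original page). Shows (1) escaping untrusted
// text before it is placed into HTML, so a contact-form message cannot inject
// markup, and (2) reading a secret from the environment and failing fast when
// it is missing, plus a narrow scan for keys that were hardcoded anyway.
// The message, the variable name FORM_SERVICE_API_KEY, the patterns and the
// scanned "source" below are constructed for this demonstration.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escapes the five characters that can break out of HTML text or a quoted
// attribute. Apply it to every untrusted string you interpolate into markup.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: interpolates the message into markup as-is.
function renderMessageUnsafe(message) {
  return `<p class="message">${message}</p>`;
}

// Hardened: the same template, but the message is escaped first.
function renderMessageSafe(message) {
  return `<p class="message">${escapeHtml(message)}</p>`;
}

// True if the rendered HTML contains a tag other than the wrapper,
// i.e. the input managed to inject markup.
function containsInjectedTag(html) {
  const inner = html.replace(/^<p class="message">/, '').replace(/<\/p>$/, '');
  return /<[a-zA-Z!/]/.test(inner);
}

// Fail fast on a missing secret instead of falling back to a hardcoded default.
function requireEnv(name, env = process.env) {
  const value = env[name];
  if (!value) {
    throw new Error(`${name} is not set; refusing to start with a missing secret`);
  }
  return value;
}

// A tiny pre-commit style check: flag lines that look like a hardcoded key.
// These patterns are deliberately narrow examples, not a complete scanner.
const SECRET_PATTERNS = [
  /AKIA[0-9A-Z]{16}/,                          // AWS access key id format
  /sk_(live|test)_[0-9a-zA-Z]{8,}/,             // Stripe-style secret key
  /api[_-]?key\s*[:=]\s*['"][^'"]{12,}['"]/i,   // generic "apiKey = '...'"
];

function findHardcodedSecrets(sourceText) {
  const hits = [];
  sourceText.split('\n').forEach((line, idx) => {
    if (SECRET_PATTERNS.some((re) => re.test(line))) {
      hits.push({ line: idx + 1, text: line.trim() });
    }
  });
  return hits;
}

// Constructed inputs
const hostileMessage = 'Hi! <img src=x onerror="alert(document.cookie)">';
console.log('unsafe:', renderMessageUnsafe(hostileMessage));
console.log('safe:  ', renderMessageSafe(hostileMessage));

const constructedSource = [
  "const endpoint = 'https://example.invalid/submit';",
  "const apiKey = 'sk_live_0123456789abcdef';      // oops",
  "const key = requireEnv('FORM_SERVICE_API_KEY'); // fine",
].join('\n');
console.log('hardcoded secrets:', findHardcodedSecrets(constructedSource));
```

Escaping at the point of output is the general rule; the escaped string is still the visitor's exact text, it just can no longer be parsed as a tag or an attribute. The secret scan is a habit, not a guarantee: run it before committing, and keep the real key in the hosting platform's environment settings.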
I monitor my website for unusual activity, though to be honest, any activity is unusual since I don't get that many visitors. If someone tries to hack my portfolio website, I'll probably notice because my analytics will suddenly show more traffic than usual.
Here's the thing about having no database and minimal data collection - if something goes wrong, I'm probably the one who should be worried, not you:
If someone hacked my website looking for user data, they'd find about as much as someone looking for water in a desert. The most sensitive information they'd get is my embarrassing commit messages and maybe some TODO comments I forgot to remove.
Honestly, if there's a data breach, I'd be more worried about someone stealing my portfolio content or discovering how many times I've googled "how to center a div."
If someone hacked my website and changed it to display inappropriate content, that would be embarrassing for me and potentially annoying for you, but your personal data wouldn't be at risk because I don't have any.
The biggest risk would be damage to my professional reputation and my mom asking why my website is showing weird stuff.
If my email account got hacked, someone could potentially see messages you've sent me through the contact form. But let's be honest - if you're contacting me, it's probably about work, not state secrets.
The hacker would mostly find emails about project inquiries, spam from recruiters, and my ongoing correspondence with various customer service departments.
Security is a team effort, and you're part of the team! Here are some things you can do to protect yourself:
If a security incident occurs, here's what I'll do (after questioning all my life choices):
The silver lining of being a small, database-free operation is that most security incidents would affect me more than you. It's like being too small for pirates to bother with - not glamorous, but relatively safe.
If you discover a security vulnerability on my website, please let me know! I promise not to get defensive or blame you for finding it. Security researchers are like friendly hackers who point out problems instead of exploiting them, and I appreciate that.
You can report security issues through my contact form, or email me directly. Please include as much detail as possible about the vulnerability, but don't include any sensitive data you might have accessed. Think of it like telling someone their fly is down - helpful, but you don't need to provide photographic evidence.
I'll respond as quickly as possible and work to fix any legitimate security issues. I can't offer bug bounties (this is a portfolio website, not a Fortune 500 company), but I can offer my sincere gratitude and maybe a recommendation on LinkedIn.
This security policy was written by someone who takes security seriously but doesn't take himself too seriously. I believe that transparency and humor can coexist with robust security practices, and that most people appreciate honesty over corporate jargon.