Security

Last updated: March 25, 2026

Overview

Security is a foundational priority for justinbartak.ai. This page outlines the technical measures and practices in place to protect visitors and ensure the integrity of the Site.

Transport Security

  • HTTPS everywhere: All connections are encrypted using TLS. HTTP requests are automatically redirected to HTTPS.
  • HSTS: HTTP Strict Transport Security is enforced with a 2-year max-age, includeSubDomains, and preload directives, ensuring browsers always connect via HTTPS.

Content Security Policy

The Site implements a static Content Security Policy (CSP) applied via response headers:

  • Script source restriction: Script sources are restricted to 'self' and allowlisted analytics domains (PostHog, Vercel). 'unsafe-inline' is permitted for script-src as required by Next.js hydration architecture — an accepted tradeoff.
  • No eval: 'unsafe-eval' is not permitted, blocking dynamic code execution.
  • Frame protection: frame-src 'none' prevents the Site from being embedded in iframes, mitigating clickjacking attacks.
  • Object restriction: object-src 'none' blocks Flash and other plugin-based content.

Additional Security Headers

  • X-Content-Type-Options: nosniff — prevents MIME type sniffing.
  • X-Frame-Options: DENY — prevents embedding in frames.
  • Referrer-Policy: strict-origin-when-cross-origin — limits referrer information sent to external sites.
  • Permissions-Policy: Camera, microphone, and geolocation access are explicitly disabled.
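The policy stated in the two sections above can be checked mechanically against what a server actually returns. The following is an added example, not the site's own code: a small JavaScript audit that parses a constructed header set and reports any deviation from the stated HSTS, CSP and auxiliary-header requirements (the analytics hostnames in the sample are placeholders, not the real allowlist).

```javascript
// Added example, not the site's own code: audit a set of response headers against
// the policy described on this page. Every header value here is a constructed sample.
const TWO_YEARS = 2 * 365 * 24 * 3600; // 63072000 s, the HSTS max-age the page states
// Parse a CSP value into a Map of directive name -> array of source tokens.
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}
// Parse Strict-Transport-Security into { maxAge, includeSubDomains, preload }.
function parseHsts(value) {
  const parts = value.toLowerCase().split(';').map((p) => p.trim());
  const maxAge = parseInt((parts.find((p) => p.startsWith('max-age=')) || '').slice(8), 10) || 0;
  return { maxAge, includeSubDomains: parts.includes('includesubdomains'), preload: parts.includes('preload') };
}
// Return the deviations from the policy; an empty array means the headers comply.
function auditHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const findings = [];
  const hsts = parseHsts(h['strict-transport-security'] || '');
  if (hsts.maxAge < TWO_YEARS) findings.push('HSTS max-age below 2 years');
  if (!hsts.includeSubDomains || !hsts.preload) findings.push('HSTS lacks includeSubDomains/preload');
  const csp = parseCsp(h['content-security-policy'] || '');
  if ((csp.get('script-src') || []).includes("'unsafe-eval'")) findings.push("script-src permits 'unsafe-eval'");
  if ((csp.get('object-src') || [])[0] !== "'none'") findings.push("object-src is not 'none'");
  // frame-src only limits what the page itself may embed; protection against being framed
  // comes from X-Frame-Options DENY (listed on this page) or a CSP frame-ancestors directive.
  if ((h['x-frame-options'] || '').toUpperCase() !== 'DENY' &&
      !(csp.get('frame-ancestors') || []).includes("'none'")) findings.push('no anti-framing header');
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') findings.push('missing nosniff');
  if (h['referrer-policy'] !== 'strict-origin-when-cross-origin') findings.push('unexpected Referrer-Policy');
  for (const f of ['camera', 'microphone', 'geolocation']) {
    if (!(h['permissions-policy'] || '').includes(`${f}=()`)) findings.push(`Permissions-Policy leaves ${f} enabled`);
  }
  return findings;
}

// Constructed headers matching the page's policy (analytics hosts are placeholders, not real allowlist entries).
const SAMPLE_HEADERS = {
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline' https://posthog.example https://vercel.example; frame-src 'none'; object-src 'none'",
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
};
```

Calling `auditHeaders(SAMPLE_HEADERS)` on the compliant sample returns an empty array; feeding it a one-year HSTS value without `preload`, a `script-src` containing `'unsafe-eval'`, or `X-Frame-Options: SAMEORIGIN` produces one finding per deviation.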

Security Headers

The Site's security headers are independently verified and graded. You can view the full report:

View Security Headers Report →

Application Security

  • No server-side database: The Site is statically generated with no backend database, eliminating SQL injection and data breach vectors.
  • Input validation: All dynamic routes (e.g., blog slugs) are validated against strict allowlists and checked for path traversal before file access.
  • MDX sandboxing: Blog content rendered via MDX uses an explicit component allowlist, restricting rendering to safe HTML elements only.
  • Dependency management: Dependencies are regularly audited with npm audit and kept current.

Third-Party Security

  • Minimal third-party scripts: Only PostHog (analytics) and Vercel Analytics are loaded. Both are trusted, widely-used services with documented security practices.
  • External links: All external links use rel="noopener noreferrer" to prevent tab-napping and referrer leakage.
  • No advertising or tracking networks: No ad networks, social media trackers, or cross-site tracking pixels are present.

Infrastructure

  • Hosting: The Site is hosted on Vercel's edge network, which provides DDoS protection, automatic SSL certificate management, and global CDN distribution.
  • Static assets: Images and media are served with immutable cache headers (1-year max-age), reducing server load and ensuring content integrity.
  • No environment secrets exposed: All sensitive configuration (API keys) is stored in environment variables that are never committed to version control.

Responsible Disclosure

If you discover a security vulnerability on this Site, I encourage responsible disclosure. Please contact me directly at legal@justinbartak.ai with details of the issue. I will acknowledge receipt within 48 hours and work to address the vulnerability promptly.

Please do not publicly disclose the vulnerability until it has been addressed.

Contact

For security-related questions or concerns:

Justin Bartak
legal@justinbartak.ai
justinbartak.ai