🛡 Security Policy

Vulnerability disclosure process, security controls in place, and how to contact me if you find an issue with this portfolio. A cybersecurity professional should hold their own work to the same standard they apply to others.

🔒 Security Controls

The following controls are active on this site. Where a control is enforced by GitHub Pages infrastructure, that is noted explicitly.

  ✓ CSP (meta)
  ✓ HSTS (Cloudflare)
  ✓ No-Referrer
  ✓ No-Clickjack (GitHub Pages)
  ✓ No-MIME-Sniff (GitHub Pages)
  ✓ SRI (Bootstrap)
  ✓ Permissions-Policy
  ✓ security.txt (RFC 9116)
  ✓ Force HTTPS
  ✓ No unsafe-inline

Active Content Security Policy

# Content-Security-Policy (meta HTTP-Equiv)
default-src    'self'
script-src     'self' https://gc.zgo.at          # GoatCounter analytics only
style-src      'self'                            # unsafe-inline removed June 2026
connect-src    'self' *.goatcounter.com api.github.com
               lingering-surf-6d77.lamasubash107.workers.dev
               urlhaus-api.abuse.ch check.torproject.org
img-src        'self' data: *.goatcounter.com
media-src      'self'
font-src       'self'                            # data: removed — no data URI fonts used
frame-src      'none'
object-src     'none'
base-uri       'self'
form-action    'self'
manifest-src   'self'
upgrade-insecure-requests                        # standalone directive, takes no source list

Permissions Policy (12 APIs disabled)

camera=()  microphone=()  geolocation=()  payment=()
usb=()  bluetooth=()  serial=()  midi=()
magnetometer=()  gyroscope=()  accelerometer=()
ambient-light-sensor=()

📋 External Audits

Third-party tools that independently verify the security posture of this site.

📜 Vulnerability Disclosure Policy

I am a cybersecurity analyst and take the security of this site seriously. If you discover a vulnerability, I encourage responsible disclosure and will respond promptly.

What I ask of researchers

What I commit to

🎯 Scope

✓ In Scope

  • subashlamaprofile.pages.dev
  • subashlamaprofile.pages.dev/projects.html
  • subashlamaprofile.pages.dev/security.html
  • XSS / CSP bypass
  • Clickjacking (if X-Frame-Options bypassed)
  • Sensitive data exposure in HTML/JS source
  • Content injection
  • Service worker scope abuse

✗ Out of Scope

  • GitHub Pages infrastructure (report to GitHub)
  • GoatCounter analytics service
  • GitHub API endpoints
  • Third-party CDN behaviour
  • Denial of service attacks
  • Social engineering
  • Physical attacks
  • Automated scanning without prior notice

📩 How to Report

Please use one of the following channels. Email is preferred for sensitive findings.

Email (preferred): lamasubash107@gmail.com
Subject line: [Security] <brief description>
security.txt: /.well-known/security.txt (RFC 9116)
Anonymous via Tor: .onion mirror (coming soon) *
GitHub Issues: Not recommended for security vulnerabilities — use email instead.

* The Tor hidden service allows anonymous vulnerability reporting without exposing your IP address. Accessible only via Tor Browser.

🕐 Security Changelog

A record of security improvements made to this site over time.

June 2026
Migrated from GitHub Pages to Cloudflare Pages. All security headers are now delivered as real HTTP response headers via the _headers file. SecurityHeaders.com grade upgraded from C → A+. Added Early Hints (Link preload headers) for CSS, JS, and the poster image. HSTS upgraded to max-age=63072000; includeSubDomains; preload. Added Cross-Origin-Resource-Policy, Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy headers. CSP is now enforced as an HTTP header rather than a meta tag. Immutable cache headers added for all static assets.
June 2026
Added Permissions-Policy meta header disabling 12 browser APIs. Added SRI hash to Bootstrap CSS. Replaced fake dark web scan widget with real threat intelligence links. Real-time threat feed replaced with live URLhaus (abuse.ch) data. Removed misleading XSS Protection badge.
June 2026
Implemented Content Security Policy via meta http-equiv. Added Referrer-Policy: no-referrer. Added upgrade-insecure-requests directive. Configured GoatCounter analytics in CSP connect-src.
June 2026
Added security.txt per RFC 9116 with contact, scope, and expiry fields. Added Canonical and Policy directives.
March 2025
Initial portfolio deployed to GitHub Pages. HTTPS and HSTS enforced by platform. X-Frame-Options: deny and X-Content-Type-Options: nosniff set by GitHub Pages infrastructure.
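The controls listed under Security Controls and the _headers migration in the June 2026 changelog entry describe a policy that can be checked mechanically. The following is an added example, not the site's own code: it parses a Cloudflare Pages _headers file (an unindented path pattern followed by indented "Name: value" lines, with # starting a comment) and audits each header set against the claims made on this page (no 'unsafe-inline' in script-src or style-src, object-src 'none', upgrade-insecure-requests present, preload-grade HSTS, no-referrer, DENY and nosniff). Both sample files are constructed for the example: SECURE_HEADERS mirrors the policy shown above, WEAK_HEADERS is a deliberately weaker variant for contrast.

```javascript
// Added example; not the site's own code. Parses a Cloudflare Pages `_headers`
// file and audits the values against the controls this page lists. Both sample
// files below are constructed: SECURE_HEADERS mirrors the page's policy,
// WEAK_HEADERS is a deliberately weaker variant for contrast.

const SECURE_HEADERS = `
# Applies to every path on the site
/*
  Content-Security-Policy: default-src 'self'; script-src 'self' https://gc.zgo.at; style-src 'self'; connect-src 'self' *.goatcounter.com api.github.com; img-src 'self' data: *.goatcounter.com; font-src 'self'; frame-src 'none'; object-src 'none'; base-uri 'self'; form-action 'self'; upgrade-insecure-requests
  Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
  Referrer-Policy: no-referrer
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
`;

const WEAK_HEADERS = `
/*
  Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'
  Strict-Transport-Security: max-age=31536000
  X-Frame-Options: DENY
`;

// Returns [{ path, headers: { lowercased-name: value } }], one entry per path pattern.
function parseHeadersFile(text) {
  const rules = [];
  let current = null;
  for (const line of text.split('\n')) {
    const trimmed = line.trim();
    if (trimmed === '' || trimmed.startsWith('#')) continue;
    if (!/^\s/.test(line)) {                 // unindented line: a new path pattern
      current = { path: trimmed, headers: {} };
      rules.push(current);
      continue;
    }
    if (current === null) throw new Error('header line before any path pattern');
    const colon = trimmed.indexOf(':');       // first colon separates name from value
    if (colon === -1) throw new Error(`malformed header line: ${trimmed}`);
    current.headers[trimmed.slice(0, colon).trim().toLowerCase()] = trimmed.slice(colon + 1).trim();
  }
  return rules;
}

// "default-src 'self'; script-src 'self' https://x" -> { 'default-src': ["'self'"], ... }
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length > 0) directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

function parseHsts(value) {
  const hsts = { maxAge: null, includeSubDomains: false, preload: false };
  for (const part of value.split(';')) {
    const token = part.trim();
    const m = /^max-age=(\d+)$/i.exec(token);
    if (m) hsts.maxAge = Number(m[1]);
    else if (/^includesubdomains$/i.test(token)) hsts.includeSubDomains = true;
    else if (/^preload$/i.test(token)) hsts.preload = true;
  }
  return hsts;
}

const ONE_YEAR = 31536000;   // minimum max-age accepted by the HSTS preload list

// Returns the list of failed checks; an empty list means every control is present.
function auditHeaders(headers) {
  const findings = [];
  const csp = headers['content-security-policy'];
  if (!csp) {
    findings.push('CSP missing');
  } else {
    const d = parseCsp(csp);
    for (const dir of ['script-src', 'style-src']) {
      const sources = d[dir] || d['default-src'] || [];   // missing fetch directive falls back to default-src
      if (sources.includes("'unsafe-inline'")) findings.push(`${dir} allows 'unsafe-inline'`);
    }
    if (!(d['object-src'] || d['default-src'] || []).includes("'none'")) findings.push("object-src is not 'none'");
    if (!('base-uri' in d)) findings.push('base-uri not set');
    if (!('upgrade-insecure-requests' in d)) findings.push('upgrade-insecure-requests absent');
  }
  const hsts = headers['strict-transport-security'];
  if (!hsts) {
    findings.push('HSTS missing');
  } else {
    const h = parseHsts(hsts);
    if (h.maxAge === null || h.maxAge < ONE_YEAR) findings.push('HSTS max-age below one year');
    if (!h.includeSubDomains || !h.preload) findings.push('HSTS is not preload-eligible');
  }
  if ((headers['x-frame-options'] || '').toUpperCase() !== 'DENY') findings.push('X-Frame-Options is not DENY');
  if ((headers['x-content-type-options'] || '').toLowerCase() !== 'nosniff') findings.push('X-Content-Type-Options is not nosniff');
  if (headers['referrer-policy'] !== 'no-referrer') findings.push('Referrer-Policy is not no-referrer');
  return findings;
}

// Audit every path rule in a `_headers` file: { '/*': [ ...findings ] }
function auditHeadersFile(text) {
  const result = {};
  for (const rule of parseHeadersFile(text)) result[rule.path] = auditHeaders(rule.headers);
  return result;
}

console.log(auditHeadersFile(SECURE_HEADERS));   // { '/*': [] }
console.log(auditHeadersFile(WEAK_HEADERS));     // lists each missing or weakened control
```

The same audit can be run against a live site by filling the headers object from a fetched response instead of from the file; the fallback to default-src matters because a policy that omits style-src inherits whatever default-src allows, so the check has to follow that inheritance to avoid a false pass.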

☁ Cloudflare Security Infrastructure

This site is proxied through Cloudflare Pages, which provides the following security layers beyond what the application code controls:

  ✓ WAF — OWASP managed rules
  ✓ Bot Fight Mode
  ✓ DDoS protection (always-on)
  ✓ TLS 1.3 + 1.2 enforced
  ✓ HTTP/3 (QUIC)
  ✓ Early Hints (HTTP 103)
  ✓ Page Shield (JS integrity)
  ✓ Turnstile (bot verification)
  ✓ Pages Functions (serverless)
  ✓ CSP violation reporting
  ✓ KV storage (submissions)
  ✓ Web Analytics (privacy-first)

Live Health Check

The /api/health endpoint returns real-time Cloudflare PoP, TLS version, HTTP protocol, and serving country. Use it to verify the site is live and which data centre is serving you.

Live Endpoints

Security Analytics

Cloudflare provides real-time attack analytics visible in the dashboard: WAF events, bot challenges, firewall triggers, and blocked requests are logged per-request. CSP violations are additionally captured via the /api/csp-report Pages Function.
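A CSP report collector has to cope with two wire formats and a steady stream of reports that are not the site's fault. The following is an added example, not the site's /api/csp-report code: it shows the shape of a Pages Function that accepts both the legacy report-uri body (Content-Type application/csp-report, one object under "csp-report") and the Reporting API body (application/reports+json, an array of csp-violation items), normalises them to one record, drops reports caused by browser extensions, and writes the rest to KV. The KV binding name CSP_REPORTS, the expiry, and the two sample reports are all constructed for this example.

```javascript
// Added example; not the site's own code. Shape of a Pages Function for
// /api/csp-report: accept both wire formats a browser may send, normalise them
// to one record, drop extension noise, store the rest. The KV binding name
// CSP_REPORTS and the two sample reports are constructed for this example.

const MAX_BODY_BYTES = 16 * 1024;          // a genuine report is a few hundred bytes
const REPORT_TTL_SECONDS = 30 * 24 * 3600; // KV entries expire on their own
// Browser extensions injecting scripts or styles trip the CSP constantly; those are not site defects.
const EXTENSION_SCHEMES = ['chrome-extension:', 'moz-extension:', 'safari-extension:', 'safari-web-extension:'];

// Legacy format: {"csp-report": {"document-uri", "blocked-uri", "effective-directive", ...}}
// Reporting API format: [{type: "csp-violation", url, body: {documentURL, blockedURL, effectiveDirective, ...}}]
// Both become the same flat record.
function normalizeCspReports(body) {
  const records = [];
  if (body && typeof body === 'object' && !Array.isArray(body) && body['csp-report']) {
    const r = body['csp-report'];
    records.push({
      documentUrl: r['document-uri'] || '',
      blockedUrl: r['blocked-uri'] || '',
      effectiveDirective: r['effective-directive'] || r['violated-directive'] || '',
      sourceFile: r['source-file'] || '',
      lineNumber: r['line-number'] ?? null,
      disposition: r['disposition'] || 'enforce',
    });
  } else if (Array.isArray(body)) {
    for (const item of body) {
      if (!item || item.type !== 'csp-violation' || !item.body) continue;
      const b = item.body;
      records.push({
        documentUrl: b.documentURL || item.url || '',
        blockedUrl: b.blockedURL || '',
        effectiveDirective: b.effectiveDirective || '',
        sourceFile: b.sourceFile || '',
        lineNumber: b.lineNumber ?? null,
        disposition: b.disposition || 'enforce',
      });
    }
  }
  return records;
}

function isNoise(rec) {
  return EXTENSION_SCHEMES.some((scheme) => rec.blockedUrl.startsWith(scheme));
}

// Normalise and filter in one step; this is what the handler stores.
function triage(body) {
  return normalizeCspReports(body).filter((rec) => !isNoise(rec));
}

// Pages Function handler. In a real project this lives in functions/api/csp-report.js
// with `export` in front of the name; omitted here so the block runs as a plain script.
async function onRequestPost(context) {
  const { request, env } = context;
  if (Number(request.headers.get('content-length') || 0) > MAX_BODY_BYTES) {
    return new Response(null, { status: 413 });
  }
  let body;
  try {
    const text = await request.text();
    if (text.length > MAX_BODY_BYTES) return new Response(null, { status: 413 }); // chunked bodies carry no content-length
    body = JSON.parse(text);
  } catch {
    return new Response(null, { status: 400 });
  }
  for (const rec of triage(body)) {
    // Key by time and directive so recent violations list in order; the random suffix avoids collisions.
    const key = `${Date.now()}:${rec.effectiveDirective}:${crypto.randomUUID()}`;
    await env.CSP_REPORTS.put(key, JSON.stringify(rec), { expirationTtl: REPORT_TTL_SECONDS });
  }
  return new Response(null, { status: 204 }); // browsers ignore the response body
}

// Constructed sample reports, one per wire format.
const LEGACY_SAMPLE = {
  'csp-report': {
    'document-uri': 'https://subashlamaprofile.pages.dev/',
    'violated-directive': 'script-src',
    'effective-directive': 'script-src',
    'blocked-uri': 'https://unlisted-cdn.example/app.js',
    'source-file': 'https://subashlamaprofile.pages.dev/',
    'line-number': 12,
  },
};
const REPORTING_API_SAMPLE = [
  {
    type: 'csp-violation',
    age: 10,
    url: 'https://subashlamaprofile.pages.dev/projects.html',
    body: {
      documentURL: 'https://subashlamaprofile.pages.dev/projects.html',
      blockedURL: 'chrome-extension://abcdefghijklmnop/inject.js',
      effectiveDirective: 'script-src-elem',
      disposition: 'enforce',
    },
  },
];

console.log(triage(LEGACY_SAMPLE));         // one record: script-src blocked an unlisted host
console.log(triage(REPORTING_API_SAMPLE));  // [] : extension-injected script, filtered as noise
```

Rejecting oversized bodies before parsing keeps a report endpoint from becoming a free write path into storage, and keying on the effective directive makes the one question that matters (is the policy blocking something the site actually needs?) answerable from the dashboard without re-reading every report.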

🏆 Acknowledgements

Security researchers who have responsibly disclosed issues with this site will be listed here with their permission. No disclosures have been received yet.

Be the first — report a finding to be listed here.