Most “we take security seriously” pages are prose. This one is instrumentation: the panels below fetch this site’s own headers, DNS records and endpoints while you read, and show you exactly what they find. If something fails, you’ll see that too.
Hand-written static HTML, CSS and vanilla JavaScript — no framework, no build pipeline beyond inlining the stylesheet. Served from Cloudflare Pages at the edge, with exactly one server-side function (it serves the Markdown version of the homepage for AI agents). Fonts are self-hosted. Images are WebP. The interactive pieces — the domain health checker, the terminal, the live panels on this page — run entirely in your browser.
Fetched from HEAD / the moment you loaded this page.
The same engine as the domain health check, pointed at this domain — queries go from your browser to Cloudflare DNS (1.1.1.1).
Endpoints published for AI agents, crawlers and security researchers — each one fetched and verified right now.
Because the site is the pitch. A consultant who promises “systems that quietly just work” should be able to point at one — small enough to audit by hand, fast because there’s nothing to slow it down, private because there’s nothing collecting you. The email stack (SPF, DMARC at enforcement, MTA-STS, TLS reporting, a published BIMI mark) and the disclosure files (security.txt, PGP) are the same posture I set up for clients — deployed here first, where anyone can check my work. Which, if you scrolled this far, you just did.
It isn’t perfect, and the panels above will happily say so when something drifts. That’s the point: trust built on measurement, not adjectives.
Email me — or start by running your own domain through the health check.