Arthur Vogel

Security & Privacy

This site practices what it preaches.

Every request to this site can be verified live against the audit tools listed below. No marketing badges — just headers, hashes, and addresses anyone can look up.

Audit targets

These are the target ratings; each can be re-checked live at any time. A successful audit run will be documented here once the domain is under load.

  • Mozilla Observatory: target A+
  • SSL Labs: target A+
  • securityheaders.com: target A+
  • Lighthouse: target 100 / 100 / 100 / 100

What is technically enforced

All headers are set by the nginx container and are visible on every response in DevTools (Network tab → Headers).

  • HSTS preload-ready: max-age=63072000; includeSubDomains; preload
  • Strict CSP: default-src 'self'; no unsafe-eval, no inline scripts, frame-ancestors 'none'
  • X-Frame-Options: DENY (defense-in-depth on top of CSP frame-ancestors)
  • X-Content-Type-Options: nosniff
  • Referrer-Policy: strict-origin-when-cross-origin
  • Permissions-Policy: every unused browser feature (camera, microphone, geolocation, USB, sensors …) disabled
  • Cross-origin isolation: COOP same-origin · CORP same-origin · COEP require-corp
  • Transport: TLS 1.3 via Let’s Encrypt at the Traefik edge, automatic renewal

Example: HEAD request against the live domain
$ curl -sI https://arthur.levit-cloud.de/ | sort
HTTP/2 200
content-security-policy: default-src 'self'; script-src 'self'; ...; frame-ancestors 'none'
cross-origin-embedder-policy: require-corp
cross-origin-opener-policy: same-origin
cross-origin-resource-policy: same-origin
permissions-policy: accelerometer=(), camera=(), geolocation=(), microphone=(), ...
referrer-policy: strict-origin-when-cross-origin
strict-transport-security: max-age=63072000; includeSubDomains; preload
x-content-type-options: nosniff
x-frame-options: DENY
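An offline checker for the header policy listed above, added here as an example (not the site's own code). The sample headers are constructed to mirror the curl output and are not a live capture; the HSTS threshold of one year is the hstspreload.org minimum, below the two years this site sets.

```python
import re
# Constructed sample headers modelled on the curl output above, not a live capture.
SAMPLE_HEADERS = {
    "content-security-policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "cross-origin-embedder-policy": "require-corp",
    "cross-origin-opener-policy": "same-origin",
    "cross-origin-resource-policy": "same-origin",
    "referrer-policy": "strict-origin-when-cross-origin",
    "strict-transport-security": "max-age=63072000; includeSubDomains; preload",
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
}
# Headers the page requires to carry exactly one value.
EXACT = {
    "cross-origin-embedder-policy": "require-corp",
    "cross-origin-opener-policy": "same-origin",
    "cross-origin-resource-policy": "same-origin",
    "referrer-policy": "strict-origin-when-cross-origin",
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
}

def csp_directives(value):
    # "default-src 'self'; script-src 'self'" -> {"default-src": ["'self'"], ...}
    out = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out

def hsts_preload_ready(value):
    # hstspreload.org requirements: max-age of at least one year, includeSubDomains, preload.
    m = re.search(r"max-age=(\d+)", value, re.I)
    return bool(m) and int(m.group(1)) >= 31536000 and "includesubdomains" in value.lower() and "preload" in value.lower()

def audit(headers):
    """Return findings against the policy listed above; an empty list means it is met."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = [f"{n}: expected {w!r}, got {h.get(n)!r}" for n, w in EXACT.items() if h.get(n) != w]
    csp = csp_directives(h.get("content-security-policy", ""))
    if csp.get("default-src") != ["'self'"] or csp.get("frame-ancestors") != ["'none'"]:
        findings.append("csp: default-src must be 'self' and frame-ancestors 'none'")
    for directive, sources in csp.items():  # no inline scripts, no eval, in any directive
        if {"'unsafe-inline'", "'unsafe-eval'"} & set(sources):
            findings.append(f"csp: {directive} allows {sorted(set(sources))}")
    if not hsts_preload_ready(h.get("strict-transport-security", "")):
        findings.append("hsts: not preload-ready")
    return findings
```

To run it against the live site, feed `audit()` the header dictionary from a real HEAD response instead of SAMPLE_HEADERS.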

Privacy stance

Verifiable in the DevTools network tab: every request is served exclusively from arthur.levit-cloud.de.

  • 0 cookies: no Set-Cookie on any path
  • 0 LocalStorage / SessionStorage: no browser storage of any kind is used
  • 0 third-party requests: Inter font is self-hosted; no CDN, no Google Fonts
  • 0 trackers: no analytics, no pixels, no tag manager
  • Server logs: IP truncated after 7 days, fully deleted after 14 days
  • Email: ROT13-obfuscated with click-to-reveal (no plaintext mailto)

Security contact

Please report security findings responsibly and, preferably, in encrypted form.