    Transparency · Built in public

    Website Health

    I hold my own site to the bar I set for the products I build. This page is the proof, not a claim: the performance numbers below are measured live in your browser right now, and the security headers are fetched live from this site. Each area also has the product reasoning behind the decision, because how you think is the point.

    API & Service Status

    Live reachability checks, run from your browser right now, for the services this site depends on. Why: honest, real-time status beats a static 'everything's fine'.

    Website

    Vercel edge / static hosting

    Forms & Newsletter API

    Supabase Edge Functions

    Bot protection

    Google reCAPTCHA

    Reachability and round-trip time from your location, re-checked every minute. A red dot means your browser could not reach that service.

    Performance

    Prerendered static pages (SSG), a self-hosted subset of the fonts, per-locale bundle-splitting, and third-party scripts (reCAPTCHA) loaded only on demand. Why: speed is a feature and a trust signal; the fastest request is the one you never make.

    LCP

    Good: ≤ 2500 ms

    CLS

    Good: ≤ 0.1

    FCP

    Good: ≤ 1800 ms

    TTFB

    Good: ≤ 800 ms

    Live Core Web Vitals from your current page load (green = good, amber = needs improvement, red = poor). Numbers vary by device and network.

    Security

    A hash-based Content-Security-Policy with no inline or eval scripts, HSTS with preload, clickjacking and cross-origin protections, and a backend where the browser never touches the database. Why: defense in depth, and controls that fail closed, not open.

    Fetched live from this site. Backend hardening (server-verified reCAPTCHA that fails closed, honeypots, IP-hash rate limiting, HMAC-signed deletion links, RLS-locked tables) is not shown here but is audited.
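
The header claims above (hash-based CSP without inline or eval, HSTS with preload, clickjacking and cross-origin protections) can be checked mechanically. The following is an added example, not this site's own code; the function names, the finding strings and both sample header sets are constructed for illustration, and reading "cross-origin protections" as including Cross-Origin-Opener-Policy is an assumption.

```javascript
// Added example: audit response headers against the claims in the Security section.
// Input: plain object of lower-cased header names -> values.
const PRELOAD_MIN_AGE = 31536000; // one year, the HSTS preload list minimum

function parseCsp(value) {
  const directives = {};
  for (const part of (value || '').split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

function auditHeaders(h) {
  const findings = [];
  const csp = parseCsp(h['content-security-policy']);
  const scripts = csp['script-src'] || csp['default-src']; // script-src falls back to default-src
  if (!scripts) {
    findings.push('csp: no script-src or default-src');
  } else {
    // 'unsafe-inline' is ignored by CSP2+ browsers once a hash is present, but still flagged here.
    for (const bad of ["'unsafe-inline'", "'unsafe-eval'"])
      if (scripts.some(s => s.toLowerCase() === bad)) findings.push(`csp: script-src allows ${bad}`);
    if (!scripts.some(s => /^'sha(256|384|512)-[A-Za-z0-9+\/_-]+={0,2}'$/.test(s)))
      findings.push('csp: no hash source in script-src');
  }
  const hsts = (h['strict-transport-security'] || '').toLowerCase().split(';').map(s => s.trim());
  const maxAge = Number((hsts.find(d => d.startsWith('max-age=')) || '').slice(8).replace(/"/g, ''));
  if (!(maxAge >= PRELOAD_MIN_AGE)) findings.push('hsts: max-age below preload minimum');
  if (!hsts.includes('includesubdomains')) findings.push('hsts: includeSubDomains missing');
  if (!hsts.includes('preload')) findings.push('hsts: preload missing');
  const xfo = (h['x-frame-options'] || '').trim().toUpperCase();
  const fa = csp['frame-ancestors'];
  const framingLocked = (fa && fa.length > 0 && !fa.includes('*')) || xfo === 'DENY' || xfo === 'SAMEORIGIN';
  if (!framingLocked) findings.push('framing: no frame-ancestors or X-Frame-Options restriction');
  // Assumption: "cross-origin protections" is taken to include Cross-Origin-Opener-Policy.
  if (!h['cross-origin-opener-policy']) findings.push('coop: Cross-Origin-Opener-Policy missing');
  return findings;
}

// Constructed sample header sets, not captured from the site.
const GOOD = {
  'content-security-policy': "default-src 'self'; script-src 'self' 'sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA='; frame-ancestors 'none'",
  'strict-transport-security': 'max-age=63072000; includeSubDomains; preload',
  'cross-origin-opener-policy': 'same-origin',
};
const WEAK = {
  'content-security-policy': "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'",
  'strict-transport-security': 'max-age=86400',
};
console.log(auditHeaders(WEAK));
```

To run it against a live response from the dev-tools console, pass `Object.fromEntries((await fetch(location.href)).headers)`; the Fetch `Headers` iterator already yields lower-cased names.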

    Privacy & GDPR

    No visitor is tracked before they consent, and nothing loads that would leak their data to a third party by default. Why: privacy is not a setting to bolt on, it is a default to design in.

    Consent-gated. Essential-only by default; analytics load only after opt-in. No trackers fire on first load.

    Self-hosted fonts. Fonts are served from this domain, so visitor IPs never reach Google Fonts.

    No raw IP stored. Form and newsletter abuse checks use a salted one-way hash of the IP, never the raw address.

    Real right to erasure. A working, email-verified data-deletion flow permanently removes your data (GDPR Art. 17).

    Honest claims. Trust badges say 'Ready / Managed', not 'Compliant', unless there is evidence behind it.

    Disclosure. A security.txt contact and a controlling-language clause on the legal pages.

    Accessibility

    Built toward WCAG 2.2 AA (Ready, not externally certified): usable by keyboard, screen reader, and for people who need reduced motion. Why: an experience that excludes people is not finished.

    Keyboard & focus. Visible focus rings throughout and a skip-to-content link on every page.

    Reduced motion. Every animation, including the case-study diagrams, respects prefers-reduced-motion.

    Semantic structure. Proper landmarks, headings, labels and alt text for assistive tech.

    Contrast & targets. Text contrast and touch-target sizes meet the AA bar in both light and dark themes.

    Reliability & Process

    Nothing ships to production untested, and forms are hardened against abuse without punishing real people. Why: reliability is a product decision, and process is where quality actually comes from.

    Test-gated deploys. Route and translation-parity tests must pass before any build; promotion runs dev to qa to prod.

    Layered abuse defense. reCAPTCHA score + honeypot + server validation + IP-hash rate limiting, all fail-safe.

    Double opt-in. Newsletter sign-ups confirm by email; every message carries a working unsubscribe link.

    Graceful failure. Forms degrade to clear, specific messages (including 'too many attempts') instead of breaking.

    Want to verify any of this yourself? Open your browser's dev tools and check the response headers, run Lighthouse, or tab through the site with your keyboard. That is the point of building in public.
