Colophon

This site is its own demonstration

Not a portfolio that claims privacy-respecting engineering: one that shows it, and lets you verify every claim from your own browser. Here is how it is built, and why.

1. A dedicated virtualhost

This site is not a page bolted onto the blog: it runs on a separate vhost (portfolio.gabrielesalati.eu), with its own headers and its own Content-Security-Policy. Separating concerns lets me harden this zone aggressively without constraining the rest — and lets me describe it precisely.

Verify: the blog on www.gabrielesalati.eu and this domain answer with different configurations. Two distinct server blocks.

2. A JS-aware CSP: no inline scripts

The policy is script-src 'self' with no 'unsafe-inline' and no 'unsafe-eval'. The practical consequence: no inline <script>, no onclick= in the HTML. All JavaScript lives in one external, self-hosted file as pure progressive enhancement. This is not a constraint endured — it is the discipline that closes entire classes of XSS.

Verify: open DevTools → "Sources" tab. The only script is /assets/js/portfolio.js, served by this domain.

3. Zero third parties

No CDN, no Google Fonts, no analytics, no cookies, no beacons. The fonts are the system stack: zero fonts downloaded, nothing to fingerprint. The only network request the JavaScript can make goes to this same origin.

Verify: DevTools → "Network", reload. Count the domains: there is exactly one. The widget below confirms it on its own.

4. TLS 1.3, no NIST curves

TLS 1.3 only. Key exchange over X25519 (no NIST curves), ChaCha20-Poly1305 and AES-GCM ciphers. Let's Encrypt certificate managed in-house, no third-party TLS terminator, no Cloudflare in front.

Verify: openssl s_client -connect portfolio.gabrielesalati.eu:443 -tls1_2 must fail. Only 1.3 answers.

5. Full HTTP hardening

Every response carries: HSTS, X-Content-Type-Options: nosniff, Referrer-Policy: no-referrer, a Permissions-Policy that switches off camera, microphone and geolocation, X-Frame-Options: DENY and the Cross-Origin policies. Not words: headers your browser enforces.

Verify: use the button below, or curl -sI https://portfolio.gabrielesalati.eu/.

6. Works without JavaScript too

Turn JS off: the site stays whole and readable. JavaScript only adds the interactive check below — an enhancement, never a requirement.

Don't trust me — verify

This check runs entirely in your browser, using only this domain's script: it fetches this page's headers and shows them here.
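An added example, not the site's own /assets/js/portfolio.js, of what such a same-origin check can look like: it evaluates a response's headers against the claims in sections 2 and 5 (the helper names and the sample header sets are constructed for this illustration):

```javascript
// Added example, not the site's own portfolio.js. Helper names and the sample
// header sets are this example's own, constructed to illustrate sections 2 and 5.
const EXPECTED = [
  { name: 'strict-transport-security', test: v => /max-age=\d+/i.test(v) },
  { name: 'x-content-type-options', test: v => v.trim().toLowerCase() === 'nosniff' },
  { name: 'referrer-policy', test: v => v.trim().toLowerCase() === 'no-referrer' },
  { name: 'x-frame-options', test: v => v.trim().toUpperCase() === 'DENY' },
  { name: 'permissions-policy', test: v => ['camera', 'microphone', 'geolocation'].every(f => v.replace(/\s/g, '').includes(`${f}=()`)) },
];
// Split a CSP string into { directive: [source expressions] }, lower-cased.
function parseCsp(csp) {
  const out = {};
  for (const part of csp.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) out[tokens[0].toLowerCase()] = tokens.slice(1).map(t => t.toLowerCase());
  }
  return out;
}
// Scripts must be governed by script-src (or default-src) with no 'unsafe-inline', no 'unsafe-eval', no wildcard.
function scriptSrcIsStrict(csp) {
  const d = parseCsp(csp), src = d['script-src'] || d['default-src']; // no directive at all is not strict
  return !!src && !src.some(s => s === "'unsafe-inline'" || s === "'unsafe-eval'" || s === '*');
}
// Accepts a fetch() Headers object or a plain object keyed by lower-case header name.
function auditHeaders(headers) {
  const get = n => (typeof headers.get === 'function' ? headers.get(n) : headers[n]);
  const results = EXPECTED.map(({ name, test }) => {
    const value = get(name);
    return { name, value, ok: value != null && test(value) };
  });
  const csp = get('content-security-policy');
  results.push({ name: 'content-security-policy', value: csp, ok: csp != null && scriptSrcIsStrict(csp) });
  return results;
}
// In the browser: a same-origin HEAD request for this page, which the CSP permits.
async function runCheck() {
  const res = await fetch(location.href, { method: 'HEAD', cache: 'no-store' });
  return auditHeaders(res.headers);
}
// Constructed samples: one matching the claims above, one with a weaker CSP.
const SAMPLE_HARDENED = {
  'strict-transport-security': 'max-age=63072000; includeSubDomains',
  'x-content-type-options': 'nosniff',
  'referrer-policy': 'no-referrer',
  'x-frame-options': 'DENY',
  'permissions-policy': 'camera=(), microphone=(), geolocation=()',
  'content-security-policy': "default-src 'none'; script-src 'self'; style-src 'self'",
};
const SAMPLE_WEAK = { ...SAMPLE_HARDENED, 'content-security-policy': "script-src 'self' 'unsafe-inline'" };
```

In a page, `runCheck().then(results => ...)` renders each `{ name, value, ok }` row; the two sample objects let the same logic be exercised without a network.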
