01 Architecture

Minimal PHP site: no user database, no login, no sessions, no uploads. The application-layer attack surface is reduced to the minimum (only the analytics endpoint, which is isolated). The source code will be open source on GitHub (a footer link will appear once the repo is public).

02 Transport

HTTPS-only with HSTS (max-age 2 years). The salentosec.org domain is already in the HSTS preload list by default (.dev TLD). salentosec.org has HSTS active and will be submitted to hstspreload.org after a stability period.

03 Security headers

The site sends: a strict Content-Security-Policy (default-src 'self', no inline scripts or styles), X-Content-Type-Options nosniff, X-Frame-Options DENY, Referrer-Policy strict-origin-when-cross-origin, a Permissions-Policy disabling unneeded APIs (camera, microphone, geolocation, etc.), and Cross-Origin-Opener-Policy same-origin. Headers are emitted from PHP to avoid colliding with other sites on the same virtualhost. Live verification: securityheaders.com/?q=salentosec.org

04 Dependencies

No external CDNs: all assets (fonts, JS, CSS) are served from our own domain. No external front-end libraries (no jQuery, no Bootstrap, no Tailwind runtime).

05 Email

The salentosec.org domain is configured with SPF, DKIM and DMARC (reject policy) to prevent spoofing. Live verification: dmarcian.com/dmarc-inspector/ on salentosec.org.

06 Vulnerability disclosure

If you find a vulnerability in the site or our services, write to ciao@salentosec.org. We publish a security.txt according to RFC 9116 with up-to-date contacts. We will not pursue legal action against good-faith reporters following standard responsible disclosure principles (no mass data exfiltration, no DoS, no public disclosure before the patch).

07 Hall of fame

People who help us close security issues will be credited here (with their consent). The list is empty for now — we hope it stays that way as long as possible.

08 What you can verify

Public tools to check that what we said above is actually true: securityheaders.com (HTTP headers), ssllabs.com/ssltest (TLS config), observatory.mozilla.org (security overview), dnsviz.net (DNSSEC and DNS health), mxtoolbox.com (SPF/DMARC).
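The online checkers above are convenient, but the policy stated in sections 02 and 03 is concrete enough to verify offline against any captured response. The script below is an added example, not code from the site: the expected header values are the ones the page states, while the two sample responses and the check logic are constructed for illustration.

```python
import re
# Policy the page states in sections 02 and 03; the check structure is this example's own.
TWO_YEARS = 2 * 365 * 24 * 3600  # 63072000 s, the HSTS max-age the page claims

EXPECTED = {  # header name -> the exact value the page says is sent
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
    "referrer-policy": "strict-origin-when-cross-origin",
    "cross-origin-opener-policy": "same-origin",
}

def parse_csp(value):
    """Split a CSP header into {directive: [lower-cased source tokens]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def check_headers(headers):
    """Return findings for one response; an empty list means it matches the stated policy."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    for name, want in EXPECTED.items():
        got = h.get(name)
        if got is None or got.lower() != want.lower():
            findings.append(f"{name}: got {got!r}, want {want!r}")
    csp = parse_csp(h.get("content-security-policy", ""))
    if csp.get("default-src") != ["'self'"]:  # "default-src self, no inline"
        findings.append(f"csp: default-src must be exactly 'self', got {csp.get('default-src')}")
    for directive, sources in csp.items():
        if "'unsafe-inline'" in sources:
            findings.append(f"csp: {directive} allows 'unsafe-inline'")
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""), re.I)
    if m is None or int(m.group(1)) < TWO_YEARS:
        findings.append(f"hsts: max-age missing or below {TWO_YEARS}")
    return findings

# Constructed sample responses (not captured from salentosec.org).
GOOD = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff", "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Cross-Origin-Opener-Policy": "same-origin",
}
WEAK = {**GOOD, "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
        "Strict-Transport-Security": "max-age=300"}
```

Feed it the headers of a real response (for example from a `curl -I` capture parsed into a dict) and any non-empty result lists exactly which stated guarantee the response fails.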

security.txt (RFC 9116): /.well-known/security.txt