A while ago, “build a website” sat firmly in the not-for-me column. I read balance sheets, not stack traces. Then I started experimenting with AI tools, and the distance between an idea and a live, working site collapsed to an afternoon. That’s what people mean by vibe coding: you describe what you want, you iterate, and the machine handles the syntax. For someone from finance, it’s genuinely liberating.
But I noticed something in all the vibe-coding excitement online. Everyone celebrates the shipping. Almost nobody mentions the securing. The screenshots stop at “it’s live.”
In audit we have a phrase: the numbers are always downstream of the controls.
A clean-looking P&L means very little if there’s no control environment behind it. Software is no different. “It works” is the output. Security is the control environment that decides whether you can still trust that output tomorrow. Skipping it doesn’t make you faster — it just turns visible work into invisible risk.
So once I’d built my site with AI, I spent real time on the unglamorous half: adding security. Here are the five layers I put in, in plain English — plus a sixth I’d add the day this site outgrows a free host. Pretending a personal site is a fortress would be the precise opposite of how a CA is trained to think.
An encrypted connection (HTTPS)
Locks the pipe between a visitor and the site, so nobody on the same network can read or quietly alter what’s sent. It’s the padlock in the address bar.
A strict code policy (Content-Security-Policy)
The browser is told exactly which scripts, styles and other resources it may load: my own, plus a short, named allow-list. Everything else is refused. If a script from anywhere else were ever injected into a page, the browser wouldn't run it. The caveat a practitioner would raise is that a policy is only as strict as its loosest entry, so an 'unsafe-inline' or wildcard source hands most of that protection straight back.
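To make that caveat concrete, here is a small policy linter. It is an added example, not code from the post or from any library: it parses a Content-Security-Policy string, answers whether an injected inline script or a script from an unlisted host would run, and flags the entries that weaken the policy. On a static host the policy is usually delivered in a <meta http-equiv="Content-Security-Policy"> tag (an assumption here; the checks apply to a header just the same). The sample policies, hosts and origins are constructed for illustration, and the host matching is deliberately simplified (no ports or paths).

```javascript
// Added example, not code from the original post: a small linter for a
// Content-Security-Policy string. The sample policies, hosts and origins
// below are constructed for illustration.

const STRICT_POLICY =
  "default-src 'self'; script-src 'self' https://cdn.example.net; " +
  "style-src 'self'; img-src 'self' data:; object-src 'none'; base-uri 'self'";
const WEAK_POLICY = "default-src * 'unsafe-inline' 'unsafe-eval'";

// Parse "name v1 v2; name v1" into a Map of directive -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1)); // first one wins
  }
  return directives;
}

// script-src governs scripts; if it is absent default-src applies; if both
// are absent nothing restricts scripts at all (returns null).
function scriptSources(directives) {
  if (directives.has('script-src')) return directives.get('script-src');
  if (directives.has('default-src')) return directives.get('default-src');
  return null;
}

// Simplified host-source matching: '*', scheme-only ('https:'), full origin,
// bare host, and leading-wildcard host ('*.example.net').
function hostSourceMatches(source, url) {
  const s = source.toLowerCase();
  if (s === '*') return true;
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s;
  let host = s;
  if (s.includes('://')) {
    const [scheme, rest] = s.split('://');
    if (url.protocol !== scheme + ':') return false;
    host = rest.replace(/\/.*$/, '');
  }
  if (host.startsWith('*.')) return url.host.endsWith(host.slice(1));
  return url.host === host;
}

// Would a <script src> served from scriptOrigin run on a page at siteOrigin?
function allowsScriptFrom(policy, scriptOrigin, siteOrigin) {
  const sources = scriptSources(parseCsp(policy));
  if (sources === null) return true;
  const url = new URL(scriptOrigin);
  const site = new URL(siteOrigin);
  for (const src of sources) {
    if (src.toLowerCase() === "'self'") {
      if (url.origin === site.origin) return true;
      continue;
    }
    if (src.startsWith("'")) continue; // keywords, nonces and hashes grant no hosts
    if (hostSourceMatches(src, url)) return true;
  }
  return false;
}

// Would an injected inline <script>...</script> run? A nonce or hash source
// switches 'unsafe-inline' off in CSP Level 2+ browsers.
function allowsInlineScript(policy) {
  const sources = scriptSources(parseCsp(policy));
  if (sources === null) return true;
  const lower = sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return lower.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Settings that quietly hand the protection back.
function lintCsp(policy) {
  const d = parseCsp(policy);
  const scripts = scriptSources(d);
  const lower = (scripts || []).map((s) => s.toLowerCase());
  const findings = [];
  if (scripts === null) findings.push('no script-src or default-src: any script runs');
  if (!d.has('default-src')) findings.push('no default-src: unlisted resource types are unrestricted');
  if (scripts !== null && allowsInlineScript(policy)) findings.push("'unsafe-inline' is effective for scripts: injected inline script runs");
  if (lower.includes("'unsafe-eval'")) findings.push("'unsafe-eval' lets injected strings reach eval()");
  if (lower.some((s) => s === '*' || s === 'https:' || s === 'http:')) findings.push('script sources include a wildcard: any host can serve script');
  if (!d.has('object-src')) findings.push("no object-src: add object-src 'none' to block plugin content");
  return findings;
}
```

Run lintCsp over your own policy before trusting it: the strict sample comes back clean, while the weak one produces four findings even though it "has a CSP".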
A spam-proofed contact form
A hidden "honeypot" field that only bots fill in, plus a timing check that no real person trips: a submission that arrives impossibly soon after the page loaded was not typed by a human. Junk gets dropped before it ever reaches my inbox. That is enough for the scripted spam a personal site attracts; it will not stop someone who targets the form by hand, and it isn't meant to.
Clickjacking defence
Stops someone secretly embedding my page inside theirs to trick visitors into clicking things they never meant to. If the page senses it is loaded inside a frame it doesn't own, it breaks out into the top-level window. This is the script version of the defence, and it has a known weakness: a hostile page can load mine in a sandboxed frame that blocks the break-out, or blocks scripts altogether. The reliable version is a response header, which is exactly what a free static host won't let you set (see the bonus layer).
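The script form of that check, as an added example (not the post's own snippet), with the decision separated from the redirect so it can be exercised outside a browser. The detail worth seeing is how a page learns that its parent is foreign: reading top.location across origins throws, and that exception is the signal. In a real page the `win` argument is the global window; mockWindow is a constructed stand-in and the URLs are placeholders.

```javascript
// Added example, not code from the original post: frame-busting with the
// detection logic testable in Node. mockWindow is a constructed stand-in.

// Report whether the page is inside a frame and whether that frame belongs
// to another origin. Reading top.location across origins throws.
function detectFraming(win) {
  if (win.self === win.top) return { framed: false, foreign: false };
  try {
    void win.top.location.href; // same-origin parent: readable, and ours
    return { framed: true, foreign: false };
  } catch (e) {
    return { framed: true, foreign: true };
  }
}

// Navigate the top-level window to this page when a foreign frame holds it.
// Assigning top.location is permitted cross-origin even though reading is not.
function bustIfFramed(win) {
  const state = detectFraming(win);
  if (state.foreign) win.top.location = win.self.location.href;
  return state;
}

// Constructed stand-in for window: framed=false gives a top-level page,
// foreignParent=true makes top.location unreadable, as a hostile embed would.
function mockWindow({ framed, foreignParent }) {
  const self = { location: { href: 'https://example.com/page' } };
  self.self = self;
  if (!framed) { self.top = self; return self; }
  const top = {};
  let navigatedTo = null;
  Object.defineProperty(top, 'location', {
    get() {
      if (foreignParent) throw new Error('SecurityError: cross-origin access');
      return { href: 'https://example.com/embed' };
    },
    set(href) { navigatedTo = href; },
  });
  self.top = top;
  self.navigatedTo = () => navigatedTo;
  return self;
}

// In the page itself: run as early as possible, ideally inline in <head>.
if (typeof window !== 'undefined') bustIfFramed(window);
```

Two practical notes. First, pair the script with a stylesheet rule that hides the body by default and only reveals it once the check passes, so that if the redirect is blocked the framed page at least renders blank. Second, a Content-Security-Policy frame-ancestors directive is ignored when delivered in a <meta> tag, so the header route really does require a host that lets you set headers.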
Safe links & privacy
Outbound links can't manipulate the tab they came from (that is rel="noopener" on every external link), and the site doesn't pass its full page address on to the places it links out to (rel="noreferrer", plus a page-wide referrer policy). Small, but it's basic hygiene.
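How a site can apply that to every link without editing each one by hand, as an added example rather than the post's own code. hardenLinkAttributes is pure, so the decision (off-site http(s) link or not) can be tested without a DOM; hardenLinks walks a real document. The site origin, the sample hrefs and the referrer policy shown are assumptions, not settings taken from the post.

```javascript
// Added example, not code from the original post: add rel="noopener
// noreferrer" to off-site links. Site origin and sample hrefs are constructed.

// The page-wide default, placed in <head>: cross-origin requests carry only
// the scheme and host of the referring page, never the full path.
const REFERRER_META = '<meta name="referrer" content="strict-origin-when-cross-origin">';

// Returns the attributes to add for an off-site http(s) link, or null for
// same-origin, mailto:, tel: and unparseable hrefs, which are left alone.
function hardenLinkAttributes(href, siteOrigin) {
  let url;
  try { url = new URL(href, siteOrigin); } catch (e) { return null; }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return null;
  if (url.origin === new URL(siteOrigin).origin) return null;
  return {
    // noopener: the new page gets no window.opener, so it cannot redirect this
    // tab (reverse tabnabbing). noreferrer: no Referer header at all, so the
    // destination learns nothing about where the visitor came from.
    rel: 'noopener noreferrer',
    target: '_blank',
  };
}

// Merge required rel tokens into whatever rel the link already has.
function mergeRel(existing, required) {
  const tokens = new Set((existing || '').split(/\s+/).filter(Boolean));
  for (const t of required.split(' ')) tokens.add(t);
  return [...tokens].join(' ');
}

// Apply to every anchor in a document; returns how many were changed.
function hardenLinks(doc, siteOrigin) {
  let changed = 0;
  for (const a of doc.querySelectorAll('a[href]')) {
    const attrs = hardenLinkAttributes(a.getAttribute('href'), siteOrigin);
    if (!attrs) continue;
    a.setAttribute('rel', mergeRel(a.getAttribute('rel'), attrs.rel));
    a.setAttribute('target', attrs.target);
    changed += 1;
  }
  return changed;
}

if (typeof document !== 'undefined') hardenLinks(document, location.origin);
```

If the site is generated rather than hand-written, the same rule belongs in the build step so the attributes are in the HTML before any script runs; the runtime version is the fallback for pages you don't control the generator of.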
Bonus: one more layer
Real security headers, for when you outgrow a free host
The five above are everything a free static host allows, because it won't let you set response headers. The day this site moves to its own domain, routing it through Cloudflare's free tier unlocks the headers GitHub Pages can't send: HSTS (tells browsers to use HTTPS only, for as long as the max-age you set), X-Frame-Options for proper clickjacking protection, and X-Content-Type-Options: nosniff so browsers stop guessing at file types. All dashboard settings, still no code. It's the upgrade I'd reach for first.
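A way to confirm the headers actually arrive once they're switched on, as an added example (not from the post, and not a Cloudflare tool). auditSecurityHeaders takes a plain object of header name to value, copied from curl -I or taken from a fetch() response as auditUrl does, and returns what is missing or too weak. The two sample responses are constructed, not captured from any real host.

```javascript
// Added example, not code from the original post: audit the three headers
// the bonus layer adds. Sample responses are constructed, not captured.

const ONE_YEAR = 31536000;

const CHECKS = [
  {
    header: 'strict-transport-security',
    // HSTS only lasts for max-age; a short value means a brief lapse
    // re-exposes visitors to downgrade attempts. One year is the usual floor.
    ok: (v) => { const m = /max-age=(\d+)/i.exec(v || ''); return Boolean(m) && Number(m[1]) >= ONE_YEAR; },
    advice: 'Strict-Transport-Security: max-age=31536000; includeSubDomains',
  },
  {
    header: 'x-frame-options',
    // Either the legacy header or a CSP frame-ancestors directive (as a
    // header; browsers ignore that directive in a <meta> tag) will do.
    ok: (v, all) => /^(deny|sameorigin)$/i.test((v || '').trim()) || /frame-ancestors/i.test(all['content-security-policy'] || ''),
    advice: "X-Frame-Options: DENY (or Content-Security-Policy: frame-ancestors 'none')",
  },
  {
    header: 'x-content-type-options',
    ok: (v) => /^nosniff$/i.test((v || '').trim()),
    advice: 'X-Content-Type-Options: nosniff',
  },
];

// Header names are case-insensitive; normalise before looking them up.
function normaliseHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = String(value);
  return out;
}

// Returns one finding per failed check: { header, advice }.
function auditSecurityHeaders(headers) {
  const all = normaliseHeaders(headers);
  return CHECKS.filter((c) => !c.ok(all[c.header], all)).map((c) => ({ header: c.header, advice: c.advice }));
}

// Live use (assumes Node 18+ for the global fetch): audit the final response,
// not a redirect, so pass redirect: 'manual' and point at the https URL.
async function auditUrl(url) {
  const res = await fetch(url, { method: 'HEAD', redirect: 'manual' });
  return auditSecurityHeaders(Object.fromEntries(res.headers));
}

// Constructed samples: a bare static host that sets nothing beyond content
// type, and the same site once the headers are turned on at the edge.
const BARE_HOST = { 'Content-Type': 'text/html; charset=utf-8', Server: 'static' };
const HARDENED = {
  ...BARE_HOST,
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
};
```

Run it against the bare response and you get three findings; against the hardened one, none. A max-age of a few minutes, which some dashboards default to, still fails the HSTS check, which is the point of checking rather than trusting the toggle.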
A note on honesty
A static personal site has a small attack surface — no logins, no database, no payments. These layers are defence-in-depth and good hygiene, the same instincts a security-minded developer would apply. They are not “bank-grade,” and claiming otherwise would defeat the whole point.
No coding required. Paste this straight into your AI tool to add the same layers to your own site: