The Challenge

Security and DevOps firms face a credibility paradox: their website is often the first technical artifact a prospective client evaluates. A smart CISO runs SecurityHeaders.io, checks SSL Labs, and looks for outdated dependencies before ever picking up the phone. A site with missing Content Security Policy headers, clickjacking exposure, or a CMS with an exposed admin login page immediately undermines the trust you're trying to build with your security credentials.

Most web development agencies build functional sites, but they don't security-test them. WAF rules are an afterthought if they exist at all. Security headers are left at browser defaults. Contact forms route through third-party services without reviewing their data handling. For most businesses this is acceptable; for a security firm, it's a liability.

We build sites specifically for firms in the security and DevOps space — static where possible, CDN-served for performance and DDoS resilience, WAF-protected, with security headers scored at A+ on SecurityHeaders.io from day one. The design reflects the premium nature of the service; the security posture reflects the expertise being sold.

Signs You Need This

  • Your current site is built on WordPress or another CMS with an exposed /wp-admin or /admin path
  • SecurityHeaders.io gives your site a D or F grade due to missing CSP, HSTS, or X-Frame-Options
  • Your contact form sends data through a third-party service without a reviewed data processing agreement
  • Your site doesn't have WAF protection — direct traffic to your origin without filtering
  • Google PageSpeed scores below 80 on mobile, impacting both SEO and credibility
  • You're about to approach enterprise prospects who will perform vendor security assessments

How We Approach It

01

Threat Model & Design Phase

Before writing a line of code, we document the threat model for the site: what data it processes (contact form submissions, no user accounts), what the attack surface looks like (static files + form endpoint), and what the relevant risks are (defacement, data interception, form spam, DDoS). We eliminate attack surface by design — static HTML/CSS/JS with no server-side execution means no SQL injection, no server-side RCE, no CMS credential stuffing. Design mockups are reviewed for dark patterns that could undermine trust (e.g., pre-checked email opt-ins, hidden data collection).

02

Static Build & Performance-First Development

We build with vanilla HTML, CSS, and JavaScript — no heavy frameworks that add JavaScript bundle weight for a brochure site. Images are next-gen formats (WebP, AVIF) with explicit width/height attributes to prevent layout shift. Fonts are loaded with font-display: swap and preconnect hints. CSS is minified and inlined for critical path; non-critical scripts load with defer. The goal is a Lighthouse performance score above 95 on mobile before any CDN optimization is applied, meaning fast perceived load even on 3G connections that enterprise prospects may be reviewing from.

03

S3 + CloudFront Deployment with Origin Access Control

Static files are deployed to a private S3 bucket with all public access blocked at the bucket level. CloudFront serves as the only access path via Origin Access Control (OAC), meaning the origin is never directly accessible — all traffic goes through CloudFront's edge network. We configure a custom error response so 403s from S3 return a branded 404 page rather than an AWS error. SSL is managed through AWS Certificate Manager with automatic renewal. CloudFront's DDoS protection (AWS Shield Standard) is inherited with no additional configuration.

04

Security Headers & WAF Configuration

Security headers are set at the CloudFront level using a response headers policy — not in HTML meta tags where they can be removed or overridden. We configure: Strict-Transport-Security with a 1-year max-age and includeSubDomains, Content-Security-Policy that allowlists only the specific domains the site loads resources from, X-Frame-Options DENY, X-Content-Type-Options nosniff, Referrer-Policy strict-origin-when-cross-origin, and Permissions-Policy disabling unnecessary browser APIs. AWS WAF is configured with AWS Managed Rules (Common Rule Set, Known Bad Inputs) plus a rate-based rule to throttle aggressive crawlers and scrapers.

infra/cloudfront-security-headers.tfTERRAFORM
# CloudFront response headers policy — all security headers set server-side
resource "aws_cloudfront_response_headers_policy" "security_headers" {
  name = "novaguard-security-headers"

  security_headers_config {
    strict_transport_security {
      access_control_max_age_sec = 31536000   # 1 year
      include_subdomains         = true
      preload                    = true        # Submit to HSTS preload list
      override                   = true
    }

    content_security_policy {
      # Strict CSP: only load resources from our own domain + specific allowlisted CDNs
      content_security_policy = join("; ", [
        "default-src 'self'",
        "script-src 'self' 'nonce-{{NONCE}}' https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/",
        "style-src 'self' https://fonts.googleapis.com",
        "font-src 'self' https://fonts.gstatic.com",
        "img-src 'self' data: https:",
        "connect-src 'self' https://api.novaguardco.com",
        "frame-src https://www.google.com/recaptcha/",
        "frame-ancestors 'none'",
        "base-uri 'self'",
        "form-action 'self'"
      ])
      override = true
    }

    frame_options           { frame_option = "DENY"; override = true }
    content_type_options    { override = true }  # X-Content-Type-Options: nosniff
    xss_protection          { mode_block = true; protection = true; override = true }
    referrer_policy         { referrer_policy = "strict-origin-when-cross-origin"; override = true }
  }

  custom_headers_config {
    items {
      header   = "Permissions-Policy"
      value    = "camera=(), microphone=(), geolocation=(), payment=()"
      override = true
    }
  }
}
05

Contact Form Security & Launch Testing

Contact forms are wired to a serverless handler (AWS Lambda + API Gateway) or a reviewed third-party service (Formspree with reviewed DPA) — never directly to an email address exposed in HTML source. Form submissions are validated server-side for field types and lengths, honeypot fields filter automated submissions, and reCAPTCHA v3 provides bot scoring without friction for real visitors. Pre-launch, we run Lighthouse, SecurityHeaders.io, SSL Labs, and a manual review of all exposed paths and response headers. The site ships with an A+ security header score and SSL Labs A grade as standard.

Tools We Use

Our stack prioritizes security, performance, and zero ongoing maintenance burden — no CMS to patch, no plugin vulnerabilities to track.

Vanilla HTML/CSS/JS AWS S3 AWS CloudFront AWS WAF AWS ACM AWS Lambda Lighthouse SecurityHeaders.io

Common Mistakes We Prevent

  • Using WordPress or a CMS for a brochure site — introducing a patch lifecycle, exposed admin paths, and plugin supply chain risk for a site that has no dynamic content requirements
  • Setting security headers in HTML meta tags instead of HTTP response headers — meta tags are parsed by browsers but not respected for CSP enforcement in the same way, and can be stripped by proxies
  • Deploying S3 with public access enabled and relying on CloudFront as the only layer — a direct S3 URL bypass can serve content without WAF or security headers
  • Contact forms that reveal the destination email address in HTML source or JavaScript — enabling spam harvesting and direct email campaigns that bypass form validation

Key principle: A security firm's website should be able to withstand the same scrutiny it applies to client environments. We build sites that pass automated security scanning tools without exceptions or manual exclusions — because those are the same tools your prospects are running against you before the first call.

What You Get

  • Fully static HTML/CSS/JS codebase with no CMS dependency and no ongoing patch lifecycle
  • AWS S3 + CloudFront deployment with Origin Access Control and CloudFront-only origin access
  • AWS WAF configuration with managed rule groups and rate-based rules for scraper protection
  • Security response headers policy at the CloudFront level — A+ on SecurityHeaders.io
  • SSL Labs A grade with HSTS preload-ready configuration and automatic certificate renewal
  • Secure contact form with server-side validation, honeypot filtering, and bot scoring
  • Lighthouse performance score 90+ on mobile with documented optimization decisions

Timeline & What to Expect

Week 1 Threat model, design mockups, content gathering, brand alignment review
Week 2 Static site build — all pages, responsive layout, contact form implementation
Week 3 AWS infrastructure setup, WAF rules, security headers, Lighthouse optimization, SecurityHeaders.io validation
Week 4 Launch, DNS cutover, post-launch validation, documentation handover

After launch, the site requires no ongoing maintenance beyond content updates — there's no CMS to patch, no plugins to update, no server to manage. Content changes are simple HTML edits that your team can make directly, or we can handle them on a retained basis. CloudFront cache invalidation is scripted and included in the handover documentation.

Frequently Asked Questions

Do you use a CMS?

No — by deliberate design choice. A brochure site for a security firm has no dynamic content requirements that justify a CMS. CMSes introduce plugin supply chain risk, credential stuffing on admin paths, and ongoing patch obligations that are disproportionate to the content update frequency of most corporate sites. We build static HTML that your team can edit directly, with a simple deployment pipeline so updates go live via a git push.

Can we update the content ourselves after handover?

Yes. The codebase is standard HTML/CSS/JS with no build tooling required for content edits. We document the file structure, how to update each section, and how to deploy changes. For teams without HTML experience, we can configure a simple headless CMS (like Netlify CMS or Decap) that writes directly to the static files without introducing server-side complexity.

How long does the build take?

Four weeks is the standard timeline for a complete build from design through launch. The main dependency is content — copy, team bios, service descriptions, and any case studies or portfolio items you want to include. Teams who have existing content ready can move faster; teams who need copywriting support will add 1-2 weeks. We provide a content brief at the start of Week 1 so you know exactly what you need to prepare.

When This Is the Right Fit

This engagement is right for you if you're a security, DevOps, or cloud consulting firm whose website needs to reflect the technical credibility of the service. It's particularly valuable if you're actively pursuing enterprise clients who perform vendor security assessments, or if you're rebuilding a site that's currently on WordPress and causing security anxiety. It's also the right choice if you want a site that's fast, cheap to operate (CloudFront + S3 costs less than $5/month for most corporate sites), and genuinely low-maintenance.

This is not the right fit if you need e-commerce, user accounts, a member portal, or a blog with dozens of posts per month. Those requirements need dynamic infrastructure. For those cases, we can still provide the security review and hardening of whatever platform you choose, even if we're not building the site from scratch.