<!doctype html>
<!--
  trentpower.fr · /security/

  static, semantic, self-managed, privacy-first.
  architecture · controls · public verification surface · residual risk.
  no analytics. no cookies. no external assets.

  simplicity over complexity.
  transparency over obscurity.
  verifiable integrity over trust assumptions.
-->
<html lang="en" dir="ltr">
<head>
  <!-- head · foundations -->
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1, viewport-fit=cover">
  <meta name="format-detection" content="telephone=no">
  <meta name="color-scheme" content="light dark">
  <meta name="theme-color" content="#E9E5DC">

  <!-- head · theme bootstrap
       Runs synchronously while the head is parsed: adds the 'js' class to the
       root element and, when localStorage 'tp-theme' holds exactly 'dark' or
       'light', copies it to data-theme. Any other stored value is ignored and
       storage errors are swallowed, so an unexpected localStorage entry never
       reaches the DOM.
       NOTE(review): this is an inline script. Under a CSP that starts from
       default-src 'none' it presumably runs via a script-src hash (the header is
       not visible in this file; confirm). If so, any byte change inside the tag,
       including an added comment, requires regenerating that hash. -->
  <script>(()=>{const e=document.documentElement;e.classList.add('js');try{const m=localStorage.getItem('tp-theme');if(m==='dark'||m==='light')e.dataset.theme=m}catch(_){}})();</script>

  <!-- head · document identity -->
  <title>Security &amp; Threat Model · Trent Power</title>
  <meta name="description"
        content="Security architecture, operational controls, public verification surfaces and residual risks">
  <meta name="document-edition" content="2026-05-19">
  <link rel="canonical" href="https://trentpower.fr/en/security/">
  <link rel="alternate" hreflang="en" href="https://trentpower.fr/en/security/">
  <link rel="alternate" hreflang="fr" href="https://trentpower.fr/fr/securite/">
  <link rel="alternate" hreflang="x-default" href="https://trentpower.fr/">

  <!-- head · indexing and discovery -->
  <meta name="robots" content="index, follow">
  <meta name="referrer" content="no-referrer">

  <!-- head · authorship and identity -->
  <meta name="author" content="Trent Power">
  <link rel="author" href="/.well-known/attribution.txt">
  <link rel="alternate" type="application/ld+json" href="/.well-known/person.json">
  <link rel="alternate" type="text/plain" href="/llms.txt">
  <link rel="me" href="https://commons.wikimedia.org/wiki/File:Trent_Power_portrait.jpg">
  <link rel="me" href="https://www.linkedin.com/in/trentpower/">
  <link rel="me" href="https://orcid.org/0009-0002-2652-7188">
  <link rel="me" href="https://www.crunchbase.com/person/trent-power-3f52">

  <!-- head · rights and reuse -->
  <link rel="license" href="https://creativecommons.org/licenses/by-sa/4.0/">

  <!-- head · social and sharing -->
  <meta property="og:type" content="website">
  <meta property="og:site_name" content="Trent Power">
  <meta property="og:title" content="Security &amp; Threat Model · Trent Power">
  <meta property="og:description" content="Security architecture, operational controls, public verification surfaces and residual risks">
  <meta property="og:url" content="https://trentpower.fr/en/security/">
  <meta property="og:locale" content="en_AU">
  <meta property="og:locale:alternate" content="fr_FR">
  <meta property="og:image" content="https://trentpower.fr/images/og/security-og.png">
  <meta property="og:image:width" content="1200">
  <meta property="og:image:height" content="630">
  <meta property="og:image:type" content="image/png">
  <meta property="og:image:alt" content="Security &amp; Threat Model · Trent Power">

  <!-- head · application surface -->
  <meta name="application-name" content="Trent Power">
  <meta name="apple-mobile-web-app-title" content="Trent Power">
  <link rel="icon" href="/favicon.ico" sizes="any">
  <link rel="icon" href="/favicon.svg" type="image/svg+xml">
  <link rel="apple-touch-icon" href="/apple-touch-icon.png">
  <link rel="manifest" href="/manifest.webmanifest" type="application/manifest+json">

  <!-- head · rendering and assets
       styles.css is pinned with a Subresource Integrity digest: the browser
       refuses to apply it when the fetched bytes do not match. -->
  <link rel="stylesheet" href="/styles.css?v=2026-05-19.054a4cde" integrity="sha384-fYEHgB0He+5IuoYhIzz6e2cPIEhWnCCdKeiPffyYNzo1SI5Y3zJ7QgNwLJ2x77i5">
  <!-- NOTE(review): print.css carries no integrity attribute, unlike styles.css
       and the deferred scripts at the end of body. Add its digest
       (integrity="sha384-DIGEST_OF_PRINT_CSS_PLACEHOLDER") or record why the
       print sheet is exempt, so every same-origin asset is pinned the same way. -->
  <link rel="stylesheet" href="/print.css?v=2026-05-19.054a4cde" media="print">

  <!-- head · structured data
       schema.org WebPage record; type application/ld+json is a data block and is
       not executed as script.
       NOTE(review): three values differ from the rest of the head and should be
       confirmed as intentional, since the page identity is what a verifier compares:
       @id uses /security/ while url and the canonical link use /en/security/;
       name is "Security · Trent Power" while the title element reads
       "Security & Threat Model · Trent Power"; dateModified is 2026-05-20 while
       document-edition is 2026-05-19. -->
  <script type="application/ld+json">{"@context":"https://schema.org","@type":"WebPage","@id":"https://trentpower.fr/security/#page","url":"https://trentpower.fr/en/security/","name":"Security · Trent Power","description":"Security architecture, operational controls, public verification surfaces and residual risks","inLanguage":"en","isPartOf":{"@id":"https://trentpower.fr/#website"},"about":{"@id":"https://trentpower.fr/#trent-power"},"author":{"@id":"https://trentpower.fr/#trent-power"},"publisher":{"@id":"https://trentpower.fr/#trent-power"},"primaryImageOfPage":{"@type":"ImageObject","url":"https://trentpower.fr/images/og/security-og.png","width":1200,"height":630},"datePublished":"2026-02-15T00:00:00+00:00","dateModified":"2026-05-20T00:00:00+00:00"}</script>
</head>
<body data-page="security" data-layout="masthead" data-surface="record" data-masthead="brand-only" data-edition="2026-05-19">

<a href="#main" class="skip-link">Skip to content</a>

<!-- body · masthead -->
<header class="site-header" data-component="site-header">
  <div class="nav">
    <div class="nav-inner">
      <a class="nav-mark u-author" href="/en/" aria-label="Trent Power home"><span>Trent</span> <span>Power</span></a>
    </div>
  </div>
</header>

<!-- body · primary content -->
<main class="site security-page" id="main" tabindex="-1">
  <div class="page">

    <!-- primary · 01 · statement -->
    <p class="page-kicker">Security &amp; Threat Model</p>
    <h1 class="page-title hero-stack measure-tight"><span class="hero-line">Static.</span><span class="hero-line">Self-managed.</span><span class="hero-line">Verification-led.</span></h1>
    <div class="page-body">
      <p class="page-lede">How this site is hosted, what it protects, what it doesn't — and how anyone can verify it independently.</p>

      <!-- primary · 02 · architecture -->
      <section class="security-section" aria-labelledby="security-architecture-heading">
        <h2 class="security-section-heading" id="security-architecture-heading">1. Architecture</h2>
        <section class="verify-card card" aria-labelledby="security-architecture-heading">
          <div class="verify-card__header">
            <p class="eyebrow">Architecture</p>
          </div>
          <dl class="record-grid">
            <div class="record-grid__row meta-row">
              <dt>Browser</dt>
              <dd><abbr title="HyperText Transfer Protocol Secure">HTTPS</abbr> · no cookies · no analytics</dd>
            </div>
            <div class="record-grid__row meta-row">
              <dt>Static host</dt>
              <dd>Apache · Gandi · Paris · <abbr title="Secure File Transfer Protocol">SFTP</abbr> deployment</dd>
            </div>
            <div class="record-grid__row meta-row">
              <dt>Site files</dt>
              <dd><abbr title="HyperText Markup Language">HTML</abbr> · <abbr title="Cascading Style Sheets">CSS</abbr> · vanilla JS · self-hosted fonts</dd>
            </div>
            <div class="record-grid__row meta-row">
              <dt>Offline cache</dt>
              <dd>Service worker · local cache after first visit</dd>
            </div>
            <div class="record-grid__row meta-row">
              <dt>Trust</dt>
              <dd>Integrity · Verify · Source · Releases</dd>
            </div>
            <div class="record-grid__row meta-row">
              <dt>Archive</dt>
              <dd>Frozen signed releases</dd>
            </div>
          </dl>
        </section>
        <p class="security-architecture-note">Public inspection routes expose the signed manifest, page records, readable source mirrors and archived releases without exposing private infrastructure.</p>
      </section>

      <!-- primary · 03 · assets protected -->
      <section class="security-section" aria-labelledby="security-assets-heading">
        <h2 class="security-section-heading" id="security-assets-heading">2. Assets protected</h2>
        <p>The controls described here protect:</p>
        <ul class="i18n-list"><li>Domain ownership</li><li>DNS integrity</li><li>Hosting account integrity</li><li>Public content integrity</li><li>The signing key used for release authenticity</li></ul>
      </section>

      <!-- primary · 04 · threat model -->
      <section class="security-section" aria-labelledby="security-threat-heading">
        <h2 class="security-section-heading" id="security-threat-heading">3. Threat model</h2>
        <section class="security-subsection" aria-labelledby="security-threat-infra">
          <h3 class="security-subheading" id="security-threat-infra">Infrastructure compromise</h3>
          <ul class="i18n-list"><li>Registrar account takeover</li><li><abbr title="Domain Name System">DNS</abbr> hijack</li><li>Hosting credential compromise</li></ul>
        </section>
        <section class="security-subsection" aria-labelledby="security-threat-content">
          <h3 class="security-subheading" id="security-threat-content">Content tampering</h3>
          <ul class="i18n-list"><li>Post-deployment file modification</li><li>Malicious JavaScript injection</li><li>Silent alteration of static assets</li></ul>
        </section>
        <section class="security-subsection" aria-labelledby="security-threat-admin">
          <h3 class="security-subheading" id="security-threat-admin">Administrative abuse</h3>
          <ul class="i18n-list"><li>Credential stuffing</li><li>Automated vulnerability scanning</li></ul>
        </section>
        <section class="security-subsection" aria-labelledby="security-threat-noise">
          <h3 class="security-subheading" id="security-threat-noise">Commodity internet noise</h3>
          <p>Continuous automated probing for common <abbr title="Content Management System">CMS</abbr> paths, configuration files, or known endpoints. These are treated as persistent background conditions rather than exceptional events.</p>
        </section>
      </section>

      <!-- primary · 05 · controls -->
      <section class="security-section" aria-labelledby="security-controls-heading">
        <h2 class="security-section-heading" id="security-controls-heading">4. Controls</h2>
        <section class="security-subsection" aria-labelledby="security-controls-registrar">
          <h3 class="security-subheading" id="security-controls-registrar">Registrar &amp; <abbr title="Domain Name System">DNS</abbr></h3>
          <ul class="i18n-list"><li><abbr title="Multi-Factor Authentication">MFA</abbr> enabled</li><li>Registrar lock active</li><li><abbr title="Domain Name System Security Extensions">DNSSEC</abbr> enabled and validated</li><li><abbr title="Certificate Authority Authorization">CAA</abbr> records restrict certificate issuance</li></ul>
        </section>
        <section class="security-subsection" aria-labelledby="security-controls-hosting">
          <h3 class="security-subheading" id="security-controls-hosting">Hosting</h3>
          <ul class="i18n-list"><li>Multi-factor authentication enabled</li><li><abbr title="Secure File Transfer Protocol">SFTP</abbr>-only deployment</li><li>No <abbr title="Secure Shell">SSH</abbr> shell exposure</li><li>No scheduled background execution</li></ul>
        </section>
        <section class="security-subsection" aria-labelledby="security-controls-content">
          <h3 class="security-subheading" id="security-controls-content">Public content</h3>
          <ul class="i18n-list"><li>Static architecture reduces server-side attack surface</li><li>Strict <abbr title="Content Security Policy">CSP</abbr> starting from <code>default-src 'none'</code></li><li>No external resource loading</li><li>No dynamic script execution</li></ul>
        </section>
        <section class="security-subsection" aria-labelledby="security-controls-monitoring">
          <h3 class="security-subheading" id="security-controls-monitoring">Monitoring</h3>
          <ul class="i18n-list"><li>Structured log analysis</li><li>Pattern detection and anomaly scoring</li><li>File integrity drift detection against the signed release baseline</li></ul>
        </section>
      </section>

      <!-- primary · 06 · public verification surface -->
      <section class="security-section" aria-labelledby="security-public-verification-heading">
        <h2 class="security-section-heading" id="security-public-verification-heading">5. Public verification surface</h2>
        <p>The site exposes public inspection routes so published content can be checked without private infrastructure access.</p>
        <ul class="i18n-list"><li><a href="/en/integrity/" aria-label="Open the integrity archive for signed releases, public key and manifest"><code>/integrity/</code></a> records signed releases, public key and manifest</li><li><a href="/en/verify/" aria-label="Open the page verification tool for canonical URLs, source mirrors and fingerprints"><code>/verify/</code></a> records one page’s canonical <abbr title="Uniform Resource Locator">URL</abbr>, source mirror and fingerprint</li><li><a href="/en/source/" aria-label="Open readable source mirrors of selected public files"><code>/source/</code></a> publishes readable mirrors of selected public files</li><li><a href="/en/integrity/releases/" aria-label="Open frozen signed release snapshots"><code>/integrity/releases/</code></a> preserves frozen signed snapshots</li></ul>
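        <p>These routes support inspection and provenance. They do not remove the need to protect <abbr title="Domain Name System">DNS</abbr>, hosting credentials and the private signing key. Because the manifest and public key are served from the same host as the content they describe, a signature check is only as strong as the copy of the public key it uses; compare that key's fingerprint with one obtained independently of this site.</p>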
      </section>

      <!-- primary · 07 · residual risk -->
      <section class="security-section" aria-labelledby="security-residual-heading">
        <h2 class="security-section-heading" id="security-residual-heading">6. Residual risk</h2>
        <p>This model protects the public static site. The controls above reduce the likelihood of registrar, hosting and private key compromise, but the model does not protect the site once any of them, or a visitor's device, has been compromised.</p>
        <p>This model does not attempt to address:</p>
        <ul class="i18n-list"><li>Physical compromise of hosting infrastructure</li><li>Global <abbr title="Domain Name System">DNS</abbr> root compromise</li><li>Certificate authority (<abbr title="Certificate Authority">CA</abbr>) compromise</li><li>State-level adversaries</li><li>Zero-day browser exploits on client devices</li></ul>
        <p>The main risks remain domain, <abbr title="Domain Name System">DNS</abbr>, hosting and private key compromise.</p>
      </section>

      <!-- primary · 08 · disclosure -->
      <section class="security-section" aria-labelledby="security-disclosure-heading">
        <h2 class="security-section-heading" id="security-disclosure-heading">7. Disclosure</h2>
        <p>Responsible disclosure is welcome. Security contact details and encrypted communication instructions are published at <a href="/.well-known/security.txt" aria-describedby="desc-security-contact"><code>/.well-known/security.txt</code></a>.</p>
        <span class="visually-hidden" id="desc-security-contact">Read the security.txt disclosure policy for this site</span>
      </section>

      <!-- primary · 09 · design principles -->
      <section class="security-section" aria-labelledby="security-design-heading">
        <h2 class="security-section-heading" id="security-design-heading">8. Design principles</h2>
        <ul class="i18n-list"><li>Simplicity over complexity</li><li>Deterministic behaviour over dynamic systems</li><li>Transparency over obscurity</li><li>Verifiable integrity over trust assumptions</li></ul>
      </section>

    </div>
  </div>

</main>


<!-- body · footer -->
<footer class="site-footer" aria-label="Site footer">
  <div class="site-footer__inner">

    <!-- top stratum · identity · nav · language -->
    <div class="site-footer__top">

      <p class="site-footer__identity">
        <span class="year">&copy; <time datetime="2026">2026</time></span>
        <a class="wm" href="/en/" rel="home" aria-describedby="desc-home-footer">Trent Power</a>
        <span class="visually-hidden" id="desc-home-footer">Return to the homepage</span>
      </p>

      <nav class="site-footer__nav" aria-label="Footer">
        <span>Paris, France</span>
        <span class="sep" aria-hidden="true">&middot;</span>
        <a class="site-footer__action" href="/en/privacy/" rel="privacy-policy" aria-describedby="desc-privacy">Privacy</a>
        <span class="visually-hidden" id="desc-privacy">Read how this site avoids analytics, cookies, profiling, tracking, and third-party assets</span>
        <span class="sep" aria-hidden="true">&middot;</span>
        <button type="button" class="site-footer__action"
                data-cite-open aria-haspopup="dialog"
                aria-describedby="desc-cite">Verify</button>
        <span class="visually-hidden" id="desc-cite">Open citation and verification details for this page</span>
      </nav>

      <ul class="site-footer__language" aria-label="Language">
        <li><a href="/en/security/"  aria-describedby="desc-lang-en" lang="en" aria-current="page">English</a> <span class="visually-hidden" id="desc-lang-en">Read this site in English</span></li>
        <li aria-hidden="true"><span class="sep">&middot;</span></li>
        <li><a href="/fr/securite/" aria-describedby="desc-lang-fr" lang="fr">Français</a> <span class="visually-hidden" id="desc-lang-fr">Lire ce site en français</span></li>
      </ul>

    </div>

    <hr class="site-footer__break" aria-hidden="true">

    <!-- bottom stratum · imprint · theme -->
    <div class="site-footer__bottom">

      <dl class="site-footer__imprint is-loading" id="footerImprint" aria-label="Publication integrity">
        <dt>Edition</dt>
        <dd><span data-proof="edition">&mdash;</span></dd>
        <dt>SHA256</dt>
        <dd><a class="sha-link" href="/en/integrity/" aria-describedby="desc-integrity"
               data-proof="sha" title="View this page's entry in the signed integrity manifest">sha256:&mdash;</a> <span class="visually-hidden" id="desc-integrity">Open the public integrity record, including hashes, signatures, and release verification</span></dd>
        <dt>Verified</dt>
        <dd><span class="v--fresh" data-proof="verified">&mdash;</span></dd>
      </dl>

      <!-- NOTE(review): this provenance line sits on the English page (html lang="en"),
           its text is English, yet it is tagged lang="fr". Presumably it is shared
           with the French template and hidden here by CSS; confirm. If it can render
           on this page, the statement is inaccurate for the original and the lang
           value mismatches the text. -->
      <p class="site-footer__provenance" lang="fr">Machine-translated from the English original.</p>

      <ul class="site-footer__theme" aria-label="Appearance">
        <li><button type="button" data-theme="light"  aria-pressed="false" aria-describedby="desc-theme-light">Light</button> <span class="visually-hidden" id="desc-theme-light">Switch to the light appearance</span></li>
        <li aria-hidden="true"><span class="sep">&middot;</span></li>
        <li><button type="button" data-theme="system" aria-pressed="true"  aria-describedby="desc-theme-auto">Auto</button> <span class="visually-hidden" id="desc-theme-auto">Match the system appearance setting</span></li>
        <li aria-hidden="true"><span class="sep">&middot;</span></li>
        <li><button type="button" data-theme="dark"   aria-pressed="false" aria-describedby="desc-theme-dark">Dark</button> <span class="visually-hidden" id="desc-theme-dark">Switch to the dark appearance</span></li>
      </ul>

    </div>

  </div>
</footer>
<!-- body · print edition -->
<div class="print-trust-sheet print-only" data-print-sheet="security" hidden aria-hidden="true">
  <header class="print-trust-header">
    <p class="print-trust-kicker">Security &amp; Threat Model</p>
    <p class="print-trust-title">Static, self-managed, verification-led</p>
    <p class="print-trust-lede">The public site is static HTML, CSS and vanilla JavaScript, with strict headers, no runtime server logic, no public database and no third-party scripts.</p>
    <p class="print-trust-meta">Edition 2026-05-19 · trentpower.fr/security/</p>
  </header>

  <figure class="print-trust-diagram" aria-hidden="true">
    <img src="/images/architecture/architecture.svg" alt="" class="print-trust-diagram-image">
  </figure>

  <div class="print-trust-grid">
    <div class="print-trust-card">
      <p class="print-trust-label"><span class="num">01</span> <span>Architecture</span></p>
      <p>Static HTML, CSS, vanilla JavaScript. Self-managed deployment on Apache (Gandi, Paris). No public database.</p>
    </div>
    <div class="print-trust-card">
      <p class="print-trust-label"><span class="num">02</span> <span>Security headers</span></p>
      <p><abbr title="Content Security Policy">CSP</abbr> default-deny. <abbr title="HTTP Strict Transport Security">HSTS</abbr>. <abbr title="Cross-Origin Opener Policy">COOP</abbr> / <abbr title="Cross-Origin Embedder Policy">COEP</abbr> / <abbr title="Cross-Origin Resource Policy">CORP</abbr>. Referrer-Policy no-referrer. Locked-down Permissions-Policy.</p>
    </div>
    <div class="print-trust-card">
      <p class="print-trust-label"><span class="num">03</span> <span>Assets protected</span></p>
      <p>Identity. Published content. Public verification files. Source integrity.</p>
    </div>
    <div class="print-trust-card">
      <p class="print-trust-label"><span class="num">04</span> <span>Threat model</span></p>
      <p>Content injection. Hosting credential compromise. Spoofed identity. Stale or tampered files.</p>
    </div>
    <div class="print-trust-card">
      <p class="print-trust-label"><span class="num">05</span> <span>Controls</span></p>
      <p>No third-party scripts. No public forms. Signed integrity manifest. Restricted file exposure. Service-worker-controlled cache.</p>
    </div>
    <div class="print-trust-card">
      <p class="print-trust-label"><span class="num">06</span> <span>Residual risk</span></p>
      <p>Hosting and registrar risk remain. Static-site exposure is reduced, not eliminated. Responsible disclosure route is published.</p>
    </div>
  </div>

  <footer class="print-trust-footer">
    <div class="print-trust-footer-text">
      <p class="print-proof">Private · Static · Signed · No tracking</p>
      <p>Edition 2026-05-19 · trentpower.fr/security/</p>
    </div>
    <div class="print-qr-block" aria-hidden="true">
      <img class="print-qr-image" src="/images/qr/qr-security.svg" width="144" height="144" loading="lazy" decoding="async" alt="">
      <p class="print-qr-url">trentpower.fr/security/</p>
    </div>
  </footer>
</div>

<!-- body · behaviour
     Four same-origin scripts, each deferred (run in document order once parsing
     is done) and pinned with a sha384 Subresource Integrity digest.
     Scope of the pin: the browser rejects a script whose bytes no longer match
     this page (partial deploy, stale cache, a change to the .js file alone).
     It gives no protection if this HTML is rewritten as well, because the
     digests live in the same document; that case has to be detected out of band,
     for example against the signed manifest this page describes.
     The ?v= value is a cache key only; the digest, not the query string, binds the bytes. -->
<script src="/app.js?v=2026-05-19.054a4cde" integrity="sha384-0/d1GAleQvM4g3v1B1J2lZMV/tet5ROHlQ2MStFHV6elnL4HXZrGmuIjSlmZ02q4" defer></script>
<script src="/app-enhance.js?v=2026-05-19.054a4cde" integrity="sha384-nyFedKd06EN9LqTUpl41Ln9bJvrfivawSLNQXsWeHNV0GoZBdeVoZByRtUkUbQVR" defer></script>
<script src="/verify/verification-data.2026-05-19.f67fa860.js" integrity="sha384-/adA47A4jqcxm/Z29/ThNoY+wB/FcA3MU6cCOy6u11gsICzk4bcwwujyx+YXKvLG" defer></script>
<script src="/cite.js?v=2026-05-19.054a4cde" integrity="sha384-/UcbEl8xuRxvlwOOzFG3xYoqbPIzNPhv8o5HsASzLoHTo7cCVbGad1JqWH+GxGdl" defer></script>

</body>
</html>
