Estivador
Website Security
How the Estivador website is designed to minimise its attack surface and protect visitor privacy.
The Estivador website is intentionally designed with a small attack surface and limited third-party dependencies.
Current design
- Static pages generated with Hugo
- No website database or content management system
- No server-side application used to render public pages
- Minimal JavaScript
- Google Analytics loaded only after consent
- No advertising or profiling integrations
- Contact submissions processed through Formcarry
- Contact enquiry retention limited to 24 months after the last meaningful communication
- Semantic HTML, accessible controls, and server-rendered content
The source repository and deployment configuration should be reviewed and updated as part of the normal maintenance process. Security headers must be configured at the hosting layer and verified against the live deployment.
Security concerns can be reported according to the Responsible Disclosure Policy.