A blog about breaking into things has a credibility problem if it is, itself, a thing waiting to be broken. So this one has no server.
What you're reading was rendered to flat HTML on a machine you can't reach, uploaded to a CDN, and served from the edge. There is no application behind it, no database, no admin panel, no login. The build host has no public surface at all — it builds and uploads, and that's the entire interaction.
The pipeline
Posts are markdown files in a git repository. A small Rust program reads them, validates the frontmatter into strongly-typed values, renders the markdown to HTML at build time, and writes a directory of static files:
let library = load?;
for post in &library.posts
That output is uploaded to Cloudflare Pages. Every page you see — including the one rendered inside a window on the desktop — is a real, crawlable URL that exists on disk before anyone visits it.
Markdown is rendered once, at build time
There is no client-side markdown renderer. That matters for two reasons. First,
a runtime renderer that does element.innerHTML = render(text) is exactly the
surface a strict Content-Security-Policy exists to neutralize. Second, doing the
work once, ahead of time, means the browser receives bytes that are ready to
paint.
Raw HTML inside a post is escaped, not executed — if I paste a payload into a writeup, you see the payload, you don't run it:
…renders as that literal text, because the build treats every HTML event in the markdown stream as text to escape.
The policy that backs it up
The whole thing is pinned down by a Content-Security-Policy that allows scripts
only from the site's own origin and forbids eval:
default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self' data:;
base-uri 'none'; object-src 'none'; frame-ancestors 'none'
PATCH: Content-Security-Policy: default-src 'none'; script-src 'self'
With script-src 'self' and no unsafe-inline / unsafe-eval, even a mistake
in the escaping above can't escalate into running script. The desktop UI you're
looking at is the only first-party JavaScript on the site, and it's vendored,
not pulled from a CDN.
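A build-time check for the policy above, as an added example (not this site's own build code): it parses a CSP value, applies the `default-src` fallback, and reports anything that would let injected markup run. The names `parse_csp`, `audit_csp` and `RISKY` are hypothetical, and the weak policy in `main` is constructed for contrast.

```rust
use std::collections::HashMap;

// Source expressions that let injected markup execute when allowed for scripts.
const RISKY: [&str; 6] = ["'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"];

/// Split a CSP value into directive name -> source list (lowercased for keyword checks).
/// A repeated directive is ignored: the first occurrence wins.
fn parse_csp(policy: &str) -> HashMap<String, Vec<String>> {
    let mut map: HashMap<String, Vec<String>> = HashMap::new();
    for part in policy.split(';') {
        let mut tokens = part.split_whitespace();
        if let Some(name) = tokens.next() {
            map.entry(name.to_ascii_lowercase())
                .or_insert_with(|| tokens.map(str::to_ascii_lowercase).collect());
        }
    }
    map
}

/// Findings that weaken the policy; an empty list means it is as strict as the one above.
fn audit_csp(policy: &str) -> Vec<String> {
    let csp = parse_csp(policy);
    let fallback = csp.get("default-src");
    let mut findings: Vec<String> = Vec::new();
    // script-src and object-src inherit default-src when absent; base-uri never does.
    match csp.get("script-src").or(fallback) {
        None => findings.push("scripts unrestricted: no script-src or default-src".to_string()),
        Some(sources) => {
            for s in sources.iter().filter(|s| RISKY.contains(&s.as_str())) {
                findings.push(format!("script-src allows {s}"));
            }
        }
    }
    let none = vec!["'none'".to_string()];
    if csp.get("object-src").or(fallback) != Some(&none) {
        findings.push("object-src is not 'none'".to_string());
    }
    if !csp.contains_key("base-uri") {
        findings.push("base-uri missing: <base> can retarget relative script URLs".to_string());
    }
    findings
}

fn main() {
    // The policy quoted in this post.
    let site = "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self' data:; base-uri 'none'; object-src 'none'; frame-ancestors 'none'";
    assert!(audit_csp(site).is_empty());
    // Constructed weak policy: prints three findings.
    audit_csp("default-src 'self'; script-src 'self' 'unsafe-inline'").iter().for_each(|f| println!("{f}"));
}
```

Run against the header actually deployed, a check like this fails the build if someone later loosens `script-src` or drops `base-uri`.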
What's next
- writeups of bypasses, with the patch that closes them
- proof-of-concept downloads, hashed and integrity-checked
- whatever I'm taking apart this week
If you want the firehose, there's an Atom feed.