This is my Bullet Proof Website

For years I’ve wanted to build a completely bulletproof website that runs on just a file system but still behaves like a modern site with some basic functionality. And this weekend I finally did. And yes, it literally just took me a day or two to figure out the tech and move my very old personal site… here!

This website is hosted on S3 behind a Cloudfront distribution. If you don’t know what that means, that’s okay, but let me walk you through how most websites are built today.

Most personal and small business websites are running on huge stacks of code and data systems (with more code) that you don’t even know is there. It doesn’t matter if you’re running Wix, Wordpress, your own React/node js stack, or old school PHP… you need a big stack of stuff to make it work.

We don’t really think about it but we have code on top of code on top of code. There’s code to retrieve data from a database, code to transform that data into something that the code on the front end can make human readable. There are services and servers along the way, all just to display a picture of a cat.

This is what keeps DevSecOps teams busy all the time – updating systems, patching code, looking for vulnerabilities, making sure all the moving pieces keep moving together properly… From a security standpoint we call it the “attack surface” and when you have a lot of different tools, you have a lot of different ways the bad guys can break in or just for something to go wrong.

What I finally did was sit down and separate out all that data backend and make a website that just has four parts

• Presentation: That’s your web browser
• Client Side Code: The only code I’m running is native JavaScript so you can search my articles and retrieve them from the file store
• Web Host: This is part of the bullet proof bit – traditionally you have a single web service someplace that can fail, but I’m using CloudFront which caches little copies of my website all over the world. It copies those from what is, to be honest, a second web host on the S3 file storage which is how I do one clever trick for my articles – I’ll write up a how-to later because it’s a really geeky trick.
• File store: S3 is basically just a really big file system, and it’s super resilliant. AWS says that you should for all practical purposes never lose a file on the S3 bucket even over 100 years

There’s no server-side code, and there’s no database. The searching and dynamic pages like this one are because I rendered my whole database as individual JSON files – it’s like a static API. When I want to post a new article, I use my desktop app to update the index file and post the new article (or update the JSON for an old article).

So while my site appears to have around 500 static pages, I really have

• One Index Page
• One Article Page (that rewrites JSON files to this pretty page)
• One “manifest” json page that tells the side navigation what all the articles are
• Hundreds of individual articles in JSON
• Some static images and css files that I’ll never really touch again.

I don’t have to update my servers, because I don’t HAVE a server. I don’t have to manage my database, my log files, my storage… I don’t have to worry about SQL injection or other hacker attempts because there really isn’t anything to hack.

It’s just a bunch of files on the internet with a really lightweight presentation layer. So it’s not really that I built a bulletproof site, it’s that there isn’t anything to shoot!