What glyph.sh Is
A personal technical site — portfolio, blog, browser-based tools, and script library. Over 300 pages and 200 static files, including 14 browser-based tools that run entirely client-side. The infrastructure behind it is the real showcase: a security-first static architecture on AWS that costs roughly $15/month.
Architecture
Static Site Generator: Hugo with a custom theme (glyphsh). Fast builds, no server-side runtime, minimal attack surface.
Hosting Stack:
- S3 - origin bucket for all static assets
- CloudFront - CDN with edge caching worldwide
- Lambda@Edge — injects security headers on every response (CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy)
- WAF — bot protection and rate limiting at the edge
- Route53 — DNS management
- ACM — SSL certificates
Deployment: A single bash script runs hugo build, syncs to S3, and fires a CloudFront invalidation. One command, full deploy.
Security Architecture
Security decisions were made at the infrastructure level, not bolted on after the fact.
Content Security Policy: Strict CSP enforced via Lambda@Edge. No inline scripts allowed anywhere on the site. All 14 browser-based tools use a data-action event delegation pattern instead of inline event handlers. This was a deliberate architectural constraint that required rewriting every interactive tool to be CSP-compliant.
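The data-action delegation pattern described above, as an added illustration rather than code from the glyph.sh repository: a single click listener on the document resolves the nearest element carrying a data-action attribute and looks it up in a handler table, so the markup never needs onclick="..." and script-src can stay 'self'. The action names, the handler bodies and the fakeElement stand-in (so the dispatcher can be exercised outside a browser) are assumptions for the example.

```javascript
'use strict';

// Handler table: each data-action value maps to a function. Handlers receive
// the element carrying the attribute and the triggering event. The action
// names and bodies here are illustrative, not the site's own.
const actions = {
  'copy-output': (el) => `copied:${el.dataset.target}`,
  'clear':       (el) => `cleared:${el.dataset.target}`,
};

// Resolve the nearest ancestor with data-action and dispatch it.
// Returns the handler's result, or null when the click did not land on an
// action element or the action is not in the table (unknown actions are
// ignored rather than thrown, so stray markup cannot break the page).
function dispatchAction(actions, target, event) {
  const el = target && target.closest ? target.closest('[data-action]') : null;
  if (!el) return null;
  const handler = actions[el.dataset.action];
  if (!handler) return null;
  if (event && event.preventDefault) event.preventDefault();
  return handler(el, event);
}

// One listener, registered from an external script file: no inline JavaScript
// anywhere in the HTML, which is what a strict CSP requires.
if (typeof document !== 'undefined') {
  document.addEventListener('click', (event) =>
    dispatchAction(actions, event.target, event));
}

// Constructed stand-in for a DOM element (assumption for the example) so the
// dispatcher can be run in Node without a browser.
function fakeElement(action, target) {
  const el = { dataset: { action, target } };
  el.closest = (sel) => (sel === '[data-action]' && action ? el : null);
  return el;
}

// Stand-alone demo on constructed input.
console.log(dispatchAction(actions, fakeElement('copy-output', 'result')));
console.log(dispatchAction(actions, fakeElement(undefined)));
```

Because handlers are looked up by name in a fixed table, the set of behaviours a click can trigger is exactly the set of keys in that table; nothing in the HTML can introduce new script behaviour.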
Lambda@Edge Headers: Every response from CloudFront passes through a Lambda@Edge function that sets:
- Content-Security-Policy — blocks inline scripts, restricts resource origins
- Strict-Transport-Security — enforces HTTPS with long max-age
- X-Frame-Options — prevents clickjacking
- X-Content-Type-Options — prevents MIME sniffing
- Referrer-Policy — controls referrer leakage
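A Lambda@Edge viewer-response handler that sets the five headers listed above, written here as an added example and not taken from the site's deployment. CloudFront hands the handler the origin response in event.Records[0].cf.response with headers keyed by lowercase name, each an array of {key, value} objects. The header values themselves (the CSP directives, the HSTS max-age, the Referrer-Policy choice) are assumptions; the page only states which headers are set and that the CSP forbids inline scripts.

```javascript
'use strict';

// Header values are assumed for this example; the page names the headers but
// not their exact values. The CSP keeps script-src to 'self' only, so no
// inline scripts run, and the remaining directives pin every resource type
// to the site's own origin.
const SECURITY_HEADERS = {
  'Content-Security-Policy':
    "default-src 'self'; script-src 'self'; style-src 'self'; " +
    "img-src 'self' data:; font-src 'self'; connect-src 'self'; " +
    "object-src 'none'; frame-ancestors 'none'; base-uri 'self'",
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
};

// Add (or overwrite) each security header on a CloudFront response object.
// Existing headers such as content-type are left untouched.
function addSecurityHeaders(response) {
  const headers = response.headers || (response.headers = {});
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) {
    headers[name.toLowerCase()] = [{ key: name, value }];
  }
  return response;
}

// Lambda@Edge entry point for the viewer-response trigger: runs on every
// response CloudFront sends back, cache hit or miss, so the headers are
// present on all responses regardless of what the origin (S3) returned.
async function handler(event) {
  const response = event.Records[0].cf.response;
  return addSecurityHeaders(response);
}

// Export for Lambda when loaded as a CommonJS module; harmless otherwise.
if (typeof module !== 'undefined') {
  module.exports = { handler, addSecurityHeaders, SECURITY_HEADERS };
}

// Constructed sample event for a stand-alone run.
const sampleEvent = {
  Records: [{ cf: { response: {
    status: '200',
    headers: { 'content-type': [{ key: 'Content-Type', value: 'text/html' }] },
  } } }],
};
handler(sampleEvent).then((r) => console.log(Object.keys(r.headers)));
```

Note that the viewer-response trigger also fires for error responses (403, 404), so a misconfigured bucket policy or a missing page still comes back with the full header set; an audit script can check that by requesting a path that does not exist.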
WAF Rules: AWS WAF sits in front of CloudFront with rate limiting and bot protection rules. Automated scanners and abusive crawlers get blocked before they touch the origin.
Crawler Policy: robots.txt allows only Claude and ChatGPT crawlers. Everything else is disallowed. The site exists for humans and useful AI assistants, not for scraping farms.
Security Audit: A security audit script is included in the repo for verifying header configuration and CSP compliance.
Privacy by Design
Bootstrap, FontAwesome, and all fonts are self-hosted. No Google Fonts, no font CDNs, no third-party JavaScript libraries loaded from external origins. Google Analytics is the one external dependency - used for understanding traffic patterns.
This was a deliberate trade-off: self-hosting assets means slightly more storage and build complexity, but eliminates supply chain risk from CDN-hosted libraries and reduces third-party requests to a minimum.
Performance
Multiple optimization rounds brought meaningful improvements:
- Critical CSS extraction — above-the-fold styles load inline (CSP-whitelisted via hash), remainder deferred
- Font preloading and subsetting
- Deferred script loading for non-critical JavaScript
- Aggressive CloudFront caching with targeted invalidation on deploy
Net result: approximately 2.5 seconds shaved off load times across the optimization work.
Key Decisions and Why
Hugo over a CMS: No database, no server runtime, no patches to apply. A static site generator produces flat files that S3 serves without compute. The server-side attack surface is effectively zero.
Lambda@Edge over CloudFront Functions: Lambda@Edge runs in more regions and supports the full Node.js runtime. Security headers need to be on every response, and Lambda@Edge handles viewer-response triggers reliably.
Self-hosted assets over CDNs: CDN-hosted libraries are a supply chain risk. Self-hosting Bootstrap, FontAwesome, and fonts eliminates that. Google Analytics is the exception - the traffic data is worth the trade-off.
Bash deployment over CI/CD pipelines: The site has one maintainer. A bash script that builds and deploys in seconds is simpler and faster than configuring GitHub Actions or CodePipeline for a personal project. The complexity isn’t warranted.
CSP compliance from the start: Retrofitting CSP onto a site with inline scripts is painful. Building with the constraint from the beginning meant every tool and page was designed to work without inline JavaScript. The data-action delegation pattern became the standard approach across all interactive tools.
Cost
The full stack runs for roughly $15/month on AWS. WAF is the biggest line item at ~$6. DynamoDB provisioned capacity for GlyphMemory adds ~$3.50. KMS keys, Route53, and S3 storage fill in the rest. Lambda, API Gateway, and CloudFront all stay within free tier at this traffic level. Security monitoring (GuardDuty, Security Hub, CloudTrail) adds a few dollars once free trial periods end. No EC2 instances, no compute bills - just serverless and static files at the edge.
Skills Demonstrated: AWS (S3, CloudFront, Lambda@Edge, WAF, Route53, ACM), Hugo, Content Security Policy, Infrastructure Automation, Performance Optimization, Privacy Engineering