Colophon

→One-page landing with distinct sections for skills, experience, services, projects, and contact — anchor-based navigation.
→Client-side track toggle (cookie `track`): a single hero component, skills and services adapt to Salesforce or IT Ops profile.
→Dedicated pages for About, Certifications, and Blog — accessible via the navbar, not duplicated in the landing.
→Server Components by default: only interactive components (hero, theme toggle, contact form) are marked `use client`.
→Supabase data fetched server-side with Redis cache (stale-while-revalidate) — no direct client queries.
→MDX Blog: articles written as `.mdx` files in `content/blog/posts/{locale}/` — statically rendered at build time, no database required.

Caching strategy

→Upstash Redis stores Supabase query responses (projects, certifications, about) with a 5-minute TTL.
→stale-while-revalidate: if data is cached, it's returned immediately while an async revalidation runs in the background.
→Manual invalidation: the `POST /api/cache/invalidate` endpoint (protected by secret) allows purging cache after data updates.
→RSS feed: `Cache-Control: public, max-age=3600, stale-while-revalidate=86400` — 1h CDN cache, revalidated every 24h.

Security

→HTTP headers in `next.config.mjs`: CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Cross-Origin-Opener-Policy (`same-origin`), Cross-Origin-Resource-Policy (`same-origin`). Framework fingerprinting suppressed via `poweredByHeader: false`.
→Row Level Security (RLS) enabled on all Supabase tables. `project_assets` restricted to published-project assets only — draft assets are not exposed via the anon key.
→Rate-limiting via Upstash Redis (sliding window) on sensitive endpoints: contact (5 req/10 min), testimonials (3 req/24h), cache invalidation (10 req/min), health check (30 req/min), CSP reports (20 req/min), admin panel (10 req/5 min — brute-force protection). When Redis is unavailable, the limiter fails closed in production.
→Honeypot fields on contact and testimonial forms — bots filling hidden fields receive a silent 200 response.
→Origin validation: API requests from unknown origins are rejected in production.
→Debug routes disabled in production: `/api/redis-test` returns 404 outside of development mode.
→CORS restricted: `/api/health` scoped to the site origin only — monitoring tools call server-to-server, no browser CORS needed.
→security.txt at `/.well-known/security.txt` (RFC 9116) — responsible disclosure contact.
→No secrets in `NEXT_PUBLIC_*` — all sensitive keys (service role, Redis token, admin credentials) remain strictly server-side.

Open source

View source code View live site

← Back to home

Colophon

How this site is built — stack, architecture, caching, and security.

Tech stack

Frontend

Next.js

React framework (App Router, SSR, SSG, ISR)

React

UI library — Server & Client Components

TypeScript

End-to-end static typing

Tailwind CSS

Utility-first CSS — dark mode via class

next-themes

Dark/light toggle with persistence

i18n

next-intl

EN/FR internationalisation (App Router, middleware)

Blog

@next/mdx

Next.js MDX rendering

gray-matter

YAML frontmatter parsing

rehype / remark

HTML + Markdown AST transformation

shiki

Server-side syntax highlighting

Backend

Supabase

Hosted PostgreSQL — projects, certifications, contact, about. RLS enabled on all tables.

Upstash Redis

Stale-while-revalidate cache + rate-limiting on write and sensitive endpoints (contact, testimonials, cache invalidation, admin, CSP reports, health)

Formspree

Email routing fallback for the contact form

Deployment & Observability

Vercel

Hosting (Hobby plan) — global CDN, automatic HTTPS, preview deployments

Vercel Analytics

Core Web Vitals metrics (production only)

Vercel Speed Insights

Production performance analysis

Architecture decisions

→One-page landing with distinct sections for skills, experience, services, projects, and contact — anchor-based navigation.
→Client-side track toggle (cookie `track`): a single hero component, skills and services adapt to Salesforce or IT Ops profile.
→Dedicated pages for About, Certifications, and Blog — accessible via the navbar, not duplicated in the landing.
→Server Components by default: only interactive components (hero, theme toggle, contact form) are marked `use client`.
→Supabase data fetched server-side with Redis cache (stale-while-revalidate) — no direct client queries.
→MDX Blog: articles written as `.mdx` files in `content/blog/posts/{locale}/` — statically rendered at build time, no database required.

Caching strategy

→Upstash Redis stores Supabase query responses (projects, certifications, about) with a 5-minute TTL.
→stale-while-revalidate: if data is cached, it's returned immediately while an async revalidation runs in the background.
→Manual invalidation: the `POST /api/cache/invalidate` endpoint (protected by secret) allows purging cache after data updates.
→RSS feed: `Cache-Control: public, max-age=3600, stale-while-revalidate=86400` — 1h CDN cache, revalidated every 24h.

Security

→HTTP headers in `next.config.mjs`: CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Cross-Origin-Opener-Policy (`same-origin`), Cross-Origin-Resource-Policy (`same-origin`). Framework fingerprinting suppressed via `poweredByHeader: false`.
→Row Level Security (RLS) enabled on all Supabase tables. `project_assets` restricted to published-project assets only — draft assets are not exposed via the anon key.
→Rate-limiting via Upstash Redis (sliding window) on sensitive endpoints: contact (5 req/10 min), testimonials (3 req/24h), cache invalidation (10 req/min), health check (30 req/min), CSP reports (20 req/min), admin panel (10 req/5 min — brute-force protection). When Redis is unavailable, the limiter fails closed in production.
→Honeypot fields on contact and testimonial forms — bots filling hidden fields receive a silent 200 response.
→Origin validation: API requests from unknown origins are rejected in production.
→Debug routes disabled in production: `/api/redis-test` returns 404 outside of development mode.
→CORS restricted: `/api/health` scoped to the site origin only — monitoring tools call server-to-server, no browser CORS needed.
→security.txt at `/.well-known/security.txt` (RFC 9116) — responsible disclosure contact.
→No secrets in `NEXT_PUBLIC_*` — all sensitive keys (service role, Redis token, admin credentials) remain strictly server-side.