Erik Walther Portfolio

A Privacy Friendly Portfolio

Updated: an hour ago

In an era where "privacy" often means "we collect less data but still track you," building a truly private website requires more than just disabling Google Analytics. It demands architectural sovereignty.

My portfolio, erikwalther.eu, isn't just a showcase of my work in full-stack development and security; it is a living proof-of-concept for a privacy-respecting web stack. From the domain registrar to the physical server rack, every component was chosen to minimize data leakage and maximize user control.

Here is how I built a Django-powered portfolio that respects your data, hosted entirely within the EU, with no tracking cookies and no third-party analytics.

The Foundation: Domain and Hosting Sovereignty

The first step in digital privacy is controlling the metadata. Most people register domains with registrars that log every interaction and sell that data to data brokers.

Domain Registration: Njalla

I registered erikwalther.eu with Njalla. Njalla is not a traditional registrar; they act as a proxy, purchasing the domain on your behalf and holding it in their name while you control it.

  • Why it matters: My name and address are never publicly exposed in the WHOIS database. Njalla handles the legal ownership, shielding my identity from scrapers and spammers.
  • Jurisdiction: Based in Nevis, Njalla operates outside the immediate reach of EU GDPR data requests for the domain itself, adding a layer of legal obfuscation that protects my identity.

Physical Hosting: Hetzner (Falkenstein, Germany)

While the domain is shielded, the data lives on a VPS. I chose Hetzner Online in Falkenstein, Germany for the following reasons:

  • Data Residency: All data is processed and stored strictly within the European Union. This eliminates the risk of US-based surveillance laws (like the CLOUD Act) forcing a US provider to hand over logs.
  • Physical Security: Falkenstein is a former military bunker, repurposed into a Tier III data center. It offers physical isolation that cloud giants like AWS or Azure simply cannot match for a single VPS.
  • No "Big Tech" Lock-in: Unlike AWS or Google Cloud, Hetzner doesn't scan your traffic for ad targeting or feed your data into their AI training sets. You get raw compute power, nothing more.

The Stack: Django, Gunicorn, and Caddy

The application stack is designed for transparency and minimalism.

Django: The Framework of Control

I built the site using Django, a framework that gives me granular control over every byte of data processed. This means:

  • No Hidden Calls: Unlike WordPress plugins that phone home to update centers or track user behavior, Django is silent. It only sends data when I explicitly tell it to.
  • Secure by Default: The settings.py configuration enforces HTTPS, HSTS preloading, and secure cookies. The SECURE_HSTS_PRELOAD = True setting ensures that once a user visits, their browser never attempts an insecure connection again, eliminating the risk of downgrade attacks.

Gunicorn & Caddy: The Silent Workers

The application is served by Gunicorn (Python WSGI server) behind Caddy (reverse proxy).

Gunicorn is configured with max_requests and max_requests_jitter to recycle workers, preventing memory leaks and ensuring consistent performance without bloating the server. Caddy automatically manages TLS certificates via ACME. It handles compression (gzip, zstd) and serves static files with immutable caching headers. Crucially, Caddy logs are configured to rotate and delete automatically after 30 days, aligning with the privacy policy.

The Privacy Policy: Transparency as a Feature

A privacy policy shouldn't be a wall of legalese designed to confuse. Mine is a declaration of intent.

  • Zero Analytics: I do not use Google Analytics, Matomo, or any other tracking tool. I don't know how many people visit, where they are from, or what they click. I only know that the server is running.
  • Minimal Cookies: The only cookie set is csrftoken, which is technically necessary to prevent Cross-Site Request Forgery attacks. It contains no personal data and expires after one year.
  • Log Retention: Server logs (IP addresses, User-Agents) are kept for 30 days for security debugging and then permanently deleted.
  • User Rights: The policy explicitly outlines GDPR rights: access, erasure, and objection. If you want your IP removed from the logs, you can request it, and I will comply (subject to legal retention requirements).

Technical Implementation: How Privacy is Enforced

Privacy isn't just a policy; it's code. Here’s how the stack enforces it:

Security Headers

The Caddyfile and settings.py work in tandem to send strict security headers:

  • X-Content-Type-Options: nosniff: Prevents MIME-sniffing attacks.
  • X-Frame-Options: DENY: Prevents clickjacking.
  • Referrer-Policy: same-origin: Ensures that when you click a link to another site, your referrer isn't leaked.
  • Permissions-Policy: Disables geolocation, microphone, and camera access for the site.
  • Content-Security-Policy (CSP): Restricts resource loading to self and trusted sources, blocking any malicious scripts.
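
A check for the header set listed above, as an added example that is not the site's own code: it audits one response's headers and cookies against the policy this article describes, including the HSTS preloading and csrftoken-only cookie rules from earlier sections. The sample responses are constructed, and the HSTS check applies the browser preload list's submission requirements rather than anything taken from the site's Caddyfile or settings.py.

```python
# Added example. Header names and values follow the article; samples are constructed.
REQUIRED = {"x-content-type-options": "nosniff", "x-frame-options": "deny",
            "referrer-policy": "same-origin"}
BLOCKED_FEATURES = ("geolocation", "microphone", "camera")

def audit_headers(headers, set_cookies=()):
    """Return a list of findings; an empty list means the response matches the policy."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = [f"{name}: expected {want}, got {h.get(name)!r}"
                for name, want in REQUIRED.items() if h.get(name, "").lower() != want]
    # Permissions-Policy: a feature is disabled by an empty allowlist, e.g. camera=()
    pp = dict(p.strip().partition("=")[::2] for p in h.get("permissions-policy", "").split(","))
    findings += [f"permissions-policy: {feat} is not disabled"
                 for feat in BLOCKED_FEATURES if pp.get(feat, "").strip() != "()"]
    # CSP: require a default-src fallback and no wildcard or inline/eval script source
    csp = {d.split()[0].lower(): d.split()[1:]
           for d in h.get("content-security-policy", "").split(";") if d.strip()}
    if "default-src" not in csp:
        findings.append("content-security-policy: no default-src directive")
    scripts = csp.get("script-src", csp.get("default-src", []))
    findings += [f"content-security-policy: script source allows {bad}"
                 for bad in ("*", "'unsafe-inline'", "'unsafe-eval'") if bad in scripts]
    # HSTS: preload lists require max-age of a year, includeSubDomains and preload
    hsts = [d.strip().lower() for d in h.get("strict-transport-security", "").split(";")]
    age = next((int(d[8:]) for d in hsts if d.startswith("max-age=") and d[8:].isdigit()), 0)
    if age < 31536000 or not {"includesubdomains", "preload"} <= set(hsts):
        findings.append("strict-transport-security: not eligible for preloading")
    # Cookies: the privacy policy allows csrftoken and nothing else
    names = [c.split("=", 1)[0].strip() for c in set_cookies]
    findings += [f"set-cookie: unexpected cookie {n!r}" for n in names if n != "csrftoken"]
    return findings

GOOD = {  # constructed response that matches the policy
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "same-origin",
    "Permissions-Policy": "geolocation=(), microphone=(), camera=()",
    "Content-Security-Policy": "default-src 'self'; img-src 'self' data:",
}
WEAK = dict(GOOD, **{  # constructed drift: framing, camera and inline scripts reopened
    "X-Frame-Options": "SAMEORIGIN",
    "Permissions-Policy": "geolocation=(), camera=(self)",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
})

if __name__ == "__main__":
    print(audit_headers(GOOD, ["csrftoken=abc; Secure"]))
    print(audit_headers(WEAK, ["csrftoken=abc", "_ga=GA1.2.3"]))
```

Run against the headers of a live response after every Caddyfile or settings.py change, this catches a header that one layer silently dropped or overwrote.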

The Onion Service

For users requiring maximum anonymity, this service is also accessible via a Tor Hidden Service (v3).

Address: hcb724zual6bxrg2jncfask2kwxlq3pnnjd2s2iq2vspwedz5b7sjqid.onion

Simply open this address in the Tor Browser. The clearnet site includes an Onion-Location HTTP header, which prompts Tor Browser users to seamlessly switch to the .onion version for enhanced privacy.

Security Architecture: Traffic between your client and the server is encrypted end-to-end and routed entirely within the Tor network. This ensures:

  • ISP & Provider Blindness: Neither your ISP nor the hosting provider can inspect the content of your communication or identify your IP address.
  • Network Containment: Because the traffic never exits the Tor network to reach a clearnet exit node, it is immune to exit node eavesdropping, providing a higher security baseline than standard Tor browsing.
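
An added example (not the site's own code) that checks an Onion-Location value before it is deployed: the three conditions Tor Browser documents for honouring the header, plus a v3 address checksum check, added here, that catches a mistyped hostname. The example.org URLs and the key used to build the demo address are constructed.

```python
# Added example. Rules follow Tor's Onion-Location and v3 address specs; key is constructed.
import base64
import hashlib
from urllib.parse import urlsplit

def v3_onion_valid(host):
    """v3 label = base32(pubkey[32] + checksum[2] + version[1]), 56 characters."""
    host = host.lower()
    if not host.endswith(".onion"):
        return False
    label = host.rsplit(".", 2)[-2]          # ignore any subdomain in front
    if len(label) != 56:
        return False
    try:
        raw = base64.b32decode(label.upper())
    except ValueError:                        # characters outside a-z, 2-7
        return False
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return version == b"\x03" and checksum == expected

def onion_location_problems(page_url, header_value):
    """Return problems: Tor Browser's documented conditions plus the address check."""
    page, target = urlsplit(page_url), urlsplit(header_value)
    problems = []
    if page.scheme != "https":
        problems.append("page must be served over HTTPS")
    if (page.hostname or "").endswith(".onion"):
        problems.append("page must not itself be an onion site")
    if target.scheme not in ("http", "https"):
        problems.append("value must be an http: or https: URL")
    host = target.hostname or ""
    if not host.endswith(".onion"):
        problems.append("value must name a .onion host")
    elif not v3_onion_valid(host):
        problems.append("onion host fails the v3 length, checksum or version check")
    return problems

def make_v3_onion(pubkey):
    """Encode a 32-byte ed25519 public key as a v3 hostname (used for the test input)."""
    tail = hashlib.sha3_256(b".onion checksum" + pubkey + b"\x03").digest()[:2] + b"\x03"
    return base64.b32encode(pubkey + tail).decode().lower() + ".onion"

if __name__ == "__main__":
    demo = make_v3_onion(bytes(range(32)))    # constructed key, not a real service
    print(onion_location_problems("https://example.org/", f"http://{demo}/"))
    print(onion_location_problems("http://example.org/", "https://example.org/"))
```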

The Result: A Site That Trusts You

The result is a portfolio that feels different. It loads instantly. It doesn't ask for permission to track you. It doesn't flash pop-ups about cookies. It just works.

By combining Njalla for domain privacy, Hetzner for data sovereignty, Django for application control, Caddy for secure delivery and a .onion domain for optimal privacy, I've created a digital space that respects the user's right to privacy.

In a world of surveillance capitalism, this is a radical act: building a website that doesn't need to know who you are to serve you.