Building in Public
Every decision. Every lesson. Every milestone. Completely transparent.
Architecture & Stack
Pure HTML, CSS, and JavaScript. No frameworks. Hosted on Cloudflare's global edge.
System Status
Workers Deep Dive
What each worker does, how data flows, and what privacy guarantees we make. Click any card for the full story.
ybb-feedback
Community engagement — votes, reads, listing clicks. IP hashed (SHA-256), zero PII stored.
▶ Click for detailsybb-live-data
19 live metrics refreshed every 5 minutes — BTC price, hashrate, block height, S&P 500, gold.
▶ Click for detailsybb-search
Hybrid search — Pagefind (client-side WASM) + Vectorize semantic AI (768-dim, 1,267 vectors).
▶ Click for detailsybb-mempool-cache
Caching proxy for mempool.space — block data, fees, mining stats. 60s–300s TTL tiers.
▶ Click for detailsybb-live-counter
Anonymous visitor counter — random sessionId in sessionStorage. No cookies, no fingerprinting.
▶ Click for detailsybb-admin
Internal operations dashboard. Password-protected, HMAC session auth. Not publicly accessible.
▶ Click for detailsContent & Community
What we've built so far — and what the community is doing with it.
Content Inventory
Live Bitcoin Snapshot
Build & Deploy Workflow
Every change follows the same pipeline. No shortcuts, no exceptions. Click any step for details.
Tools & Stack
Perplexity (deep research & content auditing) · Claude Code (AI pair programming) · Git / GitHub · Cloudflare Pages · Wrangler CLI · Pure HTML / CSS / JS — no frameworks, no build step
Claude Code powers 95%+ of the workflow — architecture, code, shipping, testing, and every line of HTML/CSS/JS on this site. Perplexity contributes deep research for education articles and supplementary deep dives. The founder directs, reviews, and approves every output. Two AI tools, one human gatekeeper.
“Every change goes through preview before production. Every PR is reviewed. Nothing ships without verification.”
Security & Privacy
What we do to protect you — and what we don't collect.
What We Don't Collect
- No user accounts, no passwords, no email addresses stored
- No cookies on the public site (only the admin dashboard uses authenticated cookies)
- No tracking pixels, no third-party analytics, no Google anything
- No personal data in any form — we literally can't identify you
- IP addresses are SHA-256 hashed for rate limiting, then discarded
Security Headers
- Content Security Policy (CSP) — only our own scripts and styles can run. No inline scripts. No eval.
- HSTS Preload — forces HTTPS on every connection, with 1-year max-age and subdomain coverage
- X-Frame-Options: DENY — prevents clickjacking by blocking all iframe embedding
- Permissions-Policy — 14 unused browser APIs explicitly blocked (camera, mic, geolocation, payment, USB, Bluetooth, serial, MIDI, sensors, screen capture)
- X-Content-Type-Options: nosniff — prevents MIME-type confusion attacks
- Referrer-Policy: strict-origin-when-cross-origin — limits referrer data sent to external sites
Code Security
- Zero external JS/CSS — all fonts, scripts, and stylesheets are self-hosted. No CDN tampering vector.
- DOM-based rendering — all dynamic content uses
document.createElement(), neverinnerHTML. XSS-safe by design. - Worker authentication — admin dashboard uses HMAC cookie auth with
Secure; HttpOnly; SameSite=Strictflags - Rate limiting — all public API endpoints throttled (60 req/min per IP). Brute-force protection on admin login via KV counters.
- No secrets in code — API keys stored in environment variables, never committed. Automated pre-commit scanner blocks leaks.
Responsible Disclosure
Found a vulnerability? We want to hear from you.
- Email: [email protected]
- Machine-readable policy: security.txt
- We respond within 48 hours
“The best security is the kind you can verify yourself. Every header, every policy, every line of code — it's all public. We have nothing to hide because we collect nothing to hide.”
Frequently Asked Questions
The questions people actually ask about how we build this.
How is YouBuyBitcoin.com built?
Pure HTML, CSS, and JavaScript — no frameworks, no build step. Hosted on Cloudflare Pages with 6 serverless Workers. Claude Code handles 95%+ of the development workflow. Perplexity contributes deep research for education articles. Every change goes through preview before production.
Does YouBuyBitcoin track users or collect personal data?
No. Zero cookies on the public site, no tracking pixels, no third-party analytics, no Google anything. IP addresses are SHA-256 hashed for rate limiting and then discarded. We literally cannot identify you.
How is YouBuyBitcoin funded?
Through transparent affiliate partnerships with Bitcoin services listed in The Orange Pages. Every affiliate relationship is disclosed. We recommend services based on quality, not commission rates. 21% of net profits are pledged on-chain to Bitcoin education organizations.
Is all the content really free?
Yes. 21 core education sections, 8 supplementary deep dives, 79 glossary terms, 299 catalogued listings, live Bitcoin data — all free, no paywalls, no accounts needed. All educational content is licensed under CC BY-SA 4.0, meaning anyone can use, translate, remix, and share it.
How can I report a security vulnerability?
Email [email protected] or visit our machine-readable security policy at security.txt. We respond within 48 hours.
Ship Log
What changed recently. Built in public — every update logged.
For nerds, but not only — if you care about what's under the hood, you're in the right place.
Newest first — scroll down to see where it all began. Click any entry for details.
Phase 1 Foundation 10 milestones
Phase 2 Growth 6 milestones
Phase 3 Scale 5 milestones
Phase 4 Maturity 4 milestones
Since 2017. Forever.
This roadmap reflects the founder's personal vision and direction. It is not a promise, guarantee, or legally binding commitment. Priorities may shift. Timelines are intentionally omitted. What you see here is barely 12% of the bigger picture.