Josh Sisto builds secure software, automation, and self-hosted AI.
Cybersecurity-minded full-stack developer. This page is a live demo of that work — a gated local-LLM chat, real-time visitor-recon receipts, browser-side PGP, and published cryptographic identity.
Built like a portfolio piece
What this page is quietly flexing
Streaming AI, fenced in
A same-origin PHP proxy gates every request, rate-limits abuse, clamps history, and streams tokens without exposing the LAN model.
Recon with receipts
IP, VPN flags, user agent, TLS, timezone, screen, and privacy headers are surfaced transparently instead of being hidden in logs.
Crypto-native contact
The page publishes identity material and encrypts sensitive messages to Josh's PGP key in the browser.
Operator habits
The public gag is backed by documented nginx routing, runbooks, challenge logic, and defensive defaults.
Don't trust — verify
Security receipts for this domain
Every line here is observable from the open internet — run the commands and check for yourself.
DNSSEC, validating
Signed with algorithm 13 (ECDSA P-256); public resolvers return the Authenticated-Data flag.
dig +dnssec joshsisto.com
TLS 1.2 / 1.3 only
TLS 1.0/1.1 refused, X25519 forward secrecy, HSTS for two years including subdomains.
nmap --script ssl-enum-ciphers -p443 joshsisto.com
Locked-down headers
CSP default-src 'none', nosniff, SAMEORIGIN, and a denied Permissions-Policy.
curl -sI https://joshsisto.com
Mail + CA hardening
SPF and DMARC (p=quarantine) published, CAA restricts issuers, mail on ProtonMail.
dig TXT _dmarc.joshsisto.com +short
Signed identity
A PGP-clear-signed security.txt and published SSH keys verify my signed files and commits.
ssh-keygen -Y verify -f allowed_signers -I <signer-identity> -n <namespace> -s <file>.sig < <file>
No inline scripts
This page runs zero inline JavaScript — its CSP script-src has no 'unsafe-inline'.
curl -sI https://joshsisto.com | grep -i content-security
Live tool — try it on your own domain
Audit a domain's security posture
Type any public domain and I'll run a read-only external audit — DNSSEC, SPF/DMARC/CAA, TLS version and certificate, and HTTP security headers — then grade it. The scanner is deliberately hardened against SSRF: it refuses IP literals, internal names, and any domain that resolves to a private or reserved address.
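One way to implement the SSRF guard described above, as an added Python example that is not the site's own PHP code; the blocked suffixes, the hostname rule and the DNS answers are assumptions, and the DNS table is constructed so the check runs offline:

```python
import ipaddress
import re
import socket
# Assumed policy (not the site's own): these suffixes and single-label names are never audited.
INTERNAL_SUFFIXES = (".localhost", ".local", ".internal", ".lan", ".home.arpa")
HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")  # RFC 1123, 2+ labels
CONSTRUCTED_DNS = {  # constructed answers so the example runs offline; pass resolve_all for real lookups
    "example.com": {"93.184.216.34", "2606:2800:220:1:248:1893:25c8:1946"},
    "intranet.example.com": {"10.0.0.5"},
    "dual.example.com": {"93.184.216.34", "192.168.1.1"},  # one public, one private answer
    "127.1": {"127.0.0.1"},  # shorthand the OS resolver expands to loopback
}

def resolve_all(hostname):  # every A/AAAA answer from the system resolver
    return {info[4][0] for info in socket.getaddrinfo(hostname, None)}

def resolve_constructed(hostname):
    if hostname not in CONSTRUCTED_DNS:
        raise OSError("NXDOMAIN")
    return CONSTRUCTED_DNS[hostname]

def is_ip_literal(target):
    try:
        ipaddress.ip_address(target.strip("[]"))  # strip() also catches bracketed IPv6
        return True
    except ValueError:
        return False

def is_public_address(addr):
    ip = ipaddress.ip_address(addr)
    return ip.is_global and not ip.is_multicast  # is_global excludes private, loopback, link-local

def validate_target(domain, resolver=resolve_constructed):
    """Return (accepted, reason); every resolved answer must be public, so '127.1' or a
    record pointing into 10.0.0.0/8 is still rejected after resolution."""
    d = domain.strip().lower().rstrip(".")
    if is_ip_literal(d):
        return False, "IP literals are not accepted"
    if "." not in d or d.endswith(INTERNAL_SUFFIXES):  # also rejects bare 'localhost'
        return False, "internal or single-label name"
    if not HOSTNAME_RE.match(d):
        return False, "not a valid hostname"
    try:
        addrs = resolver(d)
    except OSError:
        return False, "does not resolve"
    for addr in sorted(addrs):
        if not is_public_address(addr):
            return False, f"resolves to non-public address {addr}"
    return True, "ok"
```

Checking every answer rather than the first one matters: a name with one public and one private record is refused outright, and the resolved-address check is the backstop for any literal the parser does not recognise.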
Live tool — a real shell, fully sandboxed
Boot a throwaway Linux box
Click and you'll drop into a real, interactive Linux shell — a fresh container that self-destructs the moment you leave. It has no network (by design), runs unprivileged on an isolated throwaway VM, and is capped on CPU, memory, processes, and time. Break it, wipe it, it won't care — and nothing you do here touches Josh's systems.
Opens an in-page terminal. Pass the human check above first. Sessions run ~10 minutes and are limited — be kind to the next visitor.
Selected work
Public projects
joshsisto.com — this page
The site you're reading: a gated local-LLM proxy, live visitor-recon receipts, browser fingerprinting, and in-browser PGP — built, deployed, and self-hosted end to end. More projects are in the works; email for an early look.
Verify it's really me
Don't take a chatbot's word for it — here's my published cryptographic identity.
Send an encrypted message
Encrypted in your browser with my PGP key — the plaintext never leaves this page. Send the ciphertext straight to me (my server relays it without ever being able to read it), or copy it into your own email.
Public-key crypto, hands-on
Verify my signature, then learn how it works by doing it — keys are generated and used entirely in your browser. Nothing is uploaded.
A keypair is a public key you hand out and a private key you guard. The public key locks (encrypts) and checks signatures; the private key unlocks (decrypts) and signs. Try each piece below.
1 My key & fingerprint
The very key the encrypt box above uses. A fingerprint is a short hash of a public key — compare it across sources (this page, my pgp.txt, a keyserver) to be sure a key is really mine.
2 Verify a signed message
Paste a PGP clear-signed message — if it checks out, the signer's private key made it and not one byte changed. Hit the button for a statement I signed with my key (proof it's really me), or verify one you make in steps 3–4.
Use a different signer's public key
3 Make your own keypair
Generated in your browser — nothing leaves this page. Guard the private key and its passphrase; the public key is yours to share.
4 Sign & verify with your key
Sign with your private key; anyone verifies with your public key. (Generate a keypair in step 3 first.)
5 Encrypt & decrypt (round-trip)
Encrypt to your public key, then decrypt with your private key + passphrase. This is exactly what the “Send an encrypted message” box does with my key — only the private key can open it.