// Discussing the Cloud with Chris GitHub Architecture and GitHub setup

Karl Cooke (Implementation Specialist at Action Point Technology Group, blogger at irishtechie.com) turns the tables on Chris Reddington, interviewing him about the architecture and GitHub workflow behind CloudWithChris.com.

Platform Architecture

The site is a three-layer stack:

1. Azure DNS — public DNS zone with an apex domain redirect to www, plus separate subdomains for preview, staging, and the podcast feed (podcasts.cloudwithchris.com)
2. Azure CDN — global edge caching with a rules engine for HTTP→HTTPS redirects and security header injection
3. Azure Storage — static website hosting for all HTML, CSS, JS, and media assets; chosen for its low cost, simplicity, and natural fit with static content

Security Hardening

A significant portion of the session covers hardening the CDN rules engine to score an A / A+ on securityheaders.com and Mozilla Observatory:

• HSTS (Strict-Transport-Security) to enforce HTTPS
• Content Security Policy (CSP) — an allowlist of trusted sources for scripts, media, and embeds; too long for the CDN’s 128-character header limit, so embedded directly in the Hugo HTML layout instead
• Permissions Policy — explicitly denying camera, microphone, geolocation, and accelerometer access
• X-Frame-Options and X-Content-Type-Options for clickjacking and MIME-sniffing protection

Hugo & GitHub Actions Deployment Workflow

Chris demos the end-to-end content publishing flow using GitHub Codespaces (browser-based dev environment) and Git branching:

1. Create a feature branch from dev in Codespaces
2. Edit the Markdown front matter (e.g. removing the upcoming: true flag to publish content)
3. Push the branch → GitHub Actions triggers a preview build on pull request
4. Merge to dev → staging build deploys and previews on the staging CDN endpoint
5. Merge to master → production build deploys to the live site

The CDN cache purge timing trade-off (Microsoft CDN: ~10 minutes vs. Verizon/Akamai faster options) is also discussed, with Chris explaining why the rules engine flexibility outweighs the purge speed difference for his workload.