Design Principles

netbobr is built around a small set of non-negotiable design principles. Every feature, dependency decision, and deployment choice traces back to one or more of these.

Privacy-first

netbobr collects zero user data. There are no analytics scripts inside the application - the only analytics in the project are Cloudflare Web Analytics on the documentation blog, which is a separate site. All firewall rule analysis runs entirely in the browser. There is no localStorage, sessionStorage, or cookie usage. Nothing is stored anywhere unless the user explicitly triggers an export to a file.

Ephemeral sessions

All application state lives in JavaScript memory. Closing the browser tab erases everything - there is no background persistence, no auto-save, and no recovery prompt. Saving and loading data is always explicit file I/O initiated by the user through the export and import controls.

Vanilla JavaScript

netbobr uses no frameworks. There is no React, no Vue, no Svelte, no build step, and no bundler. The application is approximately 14,000 lines of code spread across 22 source files, all written as ES modules that the browser loads directly via <script type="module">. This eliminates supply-chain risk from transpilers and bundlers and keeps the dependency tree at zero runtime packages.

Single-page application

The entire application is a single index.html file with embedded CSS and ES module imports. There is no server-side rendering, no routing library, and no page transitions. Tab switching within the app is handled by showing and hiding DOM elements.

Offline-capable

After the initial page load, netbobr works without network connectivity. All compliance rule logic, the port/service database, and the risk scoring engine are bundled in the source files that the browser has already fetched. No API calls are made during analysis.

Security hardened

The deployment enforces a strict set of HTTP security headers through Azure Static Web Apps configuration:

  • Content-Security-Policy - restricts script sources, style sources, and frame ancestors.
  • Cross-Origin-Opener-Policy - isolates the browsing context.
  • Cross-Origin-Resource-Policy - prevents cross-origin reads.
  • X-Frame-Options - blocks embedding in iframes.
  • Permissions-Policy - disables browser features the app does not use (camera, microphone, geolocation, etc.).
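The header set above is easy to misconfigure silently, so it is worth checking it programmatically before each deployment. The following is an added example, not netbobr's own code or its Azure Static Web Apps configuration: a small audit function that takes a header map (as it would be read from a deployment config or an HTTP response) and reports the gaps. The header values in the two sample sets are constructed for this example, and the checks encode common minimums (no inline or eval scripts, a frame-ancestors directive, COOP set to same-origin, X-Frame-Options DENY or SAMEORIGIN) rather than anything netbobr mandates.

```javascript
// Added example, not netbobr's own deployment config: audit a header map
// against the hardening principles above. Header names and values below are
// constructed samples; the checks are common-sense minimums, not Azure's rules.

const REQUIRED_HEADERS = [
  "Content-Security-Policy",
  "Cross-Origin-Opener-Policy",
  "Cross-Origin-Resource-Policy",
  "X-Frame-Options",
  "Permissions-Policy",
];

// Parse a CSP string into { directive: [sources...] } (directive names lowercased).
function parseCsp(csp) {
  const policy = {};
  for (const segment of csp.split(";")) {
    const tokens = segment.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [directive, ...sources] = tokens;
    policy[directive.toLowerCase()] = sources;
  }
  return policy;
}

// Return a list of findings; an empty list means the header set meets the checks.
function auditHeaders(headers) {
  const findings = [];
  // Header names are case-insensitive, so normalise before lookup.
  const byName = {};
  for (const [name, value] of Object.entries(headers)) byName[name.toLowerCase()] = value;

  for (const name of REQUIRED_HEADERS) {
    if (!(name.toLowerCase() in byName)) findings.push(`missing header: ${name}`);
  }

  const csp = byName["content-security-policy"];
  if (csp !== undefined) {
    const policy = parseCsp(csp);
    // script-src falls back to default-src when absent, as browsers do.
    const scriptSrc = policy["script-src"] ?? policy["default-src"] ?? [];
    if (scriptSrc.includes("'unsafe-inline'") || scriptSrc.includes("'unsafe-eval'")) {
      findings.push("CSP: script-src permits inline or eval scripts");
    }
    if (scriptSrc.includes("*")) findings.push("CSP: script-src allows any origin");
    if (!policy["frame-ancestors"]) findings.push("CSP: frame-ancestors directive missing");
  }

  const coop = byName["cross-origin-opener-policy"];
  if (coop !== undefined && coop.trim() !== "same-origin") {
    findings.push(`COOP is '${coop}', expected 'same-origin'`);
  }

  const xfo = byName["x-frame-options"];
  if (xfo !== undefined && !["DENY", "SAMEORIGIN"].includes(xfo.trim().toUpperCase())) {
    findings.push(`X-Frame-Options is '${xfo}', expected DENY or SAMEORIGIN`);
  }
  return findings;
}

// Constructed samples: a hardened set that passes and a weak set that does not.
const HARDENED_HEADERS = {
  "Content-Security-Policy":
    "default-src 'self'; script-src 'self'; style-src 'self'; frame-ancestors 'none'",
  "Cross-Origin-Opener-Policy": "same-origin",
  "Cross-Origin-Resource-Policy": "same-origin",
  "X-Frame-Options": "DENY",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
};

const WEAK_HEADERS = {
  "Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline'",
  "X-Frame-Options": "ALLOWALL",
};

console.log("hardened:", auditHeaders(HARDENED_HEADERS));
console.log("weak:", auditHeaders(WEAK_HEADERS));
```

Run it with `node audit-headers.js` (assumed file name). The weak set produces six findings: three missing headers, an inline-script allowance in script-src, a missing frame-ancestors directive, and an X-Frame-Options value browsers do not honour.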

Pure functions

The core engines - risk-score.js, validator.js, custom-rule-engine.js, and rule-test-engine.js - have zero DOM dependencies. They accept plain data, return plain data, and never read from or write to the page. This makes them testable in isolation (Node.js, Deno, or any JS runtime) and portable to other contexts without modification.
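To show what "plain data in, plain data out" buys you in practice, here is an added example, not netbobr's risk-score.js or any of its engines: a small DOM-free risk scorer for firewall rules that can be exercised directly under Node.js or Deno. The rule shape, the scoring weights, the sensitive-port table and the sample ruleset are all constructed for this example and are not netbobr's. The functions never touch `document` or `window`, never mutate their input, and return fresh objects, which is exactly what makes them testable in isolation.

```javascript
// Added example, not netbobr's risk-score.js: a pure scoring engine for
// firewall rules. It reads only its arguments and returns new objects, so it
// runs identically in Node.js, Deno or a browser. Rule shape, weights and the
// sample rules are constructed for this example.

// Ports whose exposure to untrusted sources carries extra weight (constructed table).
const SENSITIVE_PORTS = new Map([
  [22, "ssh"], [23, "telnet"], [445, "smb"], [1433, "mssql"], [3306, "mysql"], [3389, "rdp"],
]);

// Treat the usual "anywhere" spellings as an unrestricted source.
function isAnySource(source) {
  return source === "any" || source === "*" || source === "0.0.0.0/0" || source === "::/0";
}

function severityFor(score) {
  if (score >= 70) return "critical";
  if (score >= 40) return "high";
  if (score >= 20) return "medium";
  if (score > 0) return "low";
  return "info";
}

// Score one rule: plain object in, plain object out, input never mutated.
function scoreRule(rule) {
  if (rule.action !== "allow") {
    return { id: rule.id, score: 0, severity: "info", reasons: ["deny rules add no exposure"] };
  }
  const reasons = [];
  let score = 0;
  if (isAnySource(rule.source)) { score += 40; reasons.push("source is unrestricted"); }
  if (rule.port === "any") {
    score += 40; reasons.push("all ports permitted");
  } else if (SENSITIVE_PORTS.has(rule.port)) {
    score += 30; reasons.push(`sensitive service exposed: ${SENSITIVE_PORTS.get(rule.port)}`);
  }
  if (rule.protocol === "any") { score += 10; reasons.push("protocol unrestricted"); }
  if (!rule.description) { score += 5; reasons.push("rule has no description"); }
  score = Math.min(score, 100);
  return { id: rule.id, score, severity: severityFor(score), reasons };
}

// Score a whole ruleset: results sorted by descending score plus a severity tally.
function scoreRuleset(rules) {
  const results = rules.map(scoreRule).sort((a, b) => b.score - a.score);
  const tally = {};
  for (const r of results) tally[r.severity] = (tally[r.severity] ?? 0) + 1;
  return { results, tally };
}

// Constructed sample ruleset (not real policy data).
const SAMPLE_RULES = [
  { id: "r1", action: "allow", source: "any", port: 22, protocol: "tcp", description: "" },
  { id: "r2", action: "allow", source: "10.0.0.0/8", port: 443, protocol: "tcp", description: "internal https" },
  { id: "r3", action: "deny", source: "any", port: "any", protocol: "any", description: "default deny" },
  { id: "r4", action: "allow", source: "0.0.0.0/0", port: "any", protocol: "any", description: "temporary" },
];

console.log(JSON.stringify(scoreRuleset(SAMPLE_RULES), null, 2));
```

Because the engine is pure, a test can hand it a frozen object and confirm the result is unchanged; the same file runs unmodified in a browser module and in a `node` process, which is the portability the principle above is after.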