Building Privacy-First Websites with Astro

astro privacy tutorial

By Sarah Chen David Kim

January 15, 2024

Disclaimer: This is placeholder content created to demonstrate the features of the Scaffold starter template. The organizations, people, and projects referenced here are fictional.

Building Privacy-First Websites with Astro

When building websites for advocacy organizations and public interest groups, performance and privacy go hand in hand. Astro’s architecture makes it a natural fit for projects where minimizing data exposure is a core requirement.

Why Privacy-Conscious Organizations Choose Astro

Astro stands out for its approach to shipping less code to users:

  • Zero JavaScript by default: Less client-side code means fewer vectors for tracking scripts to piggyback on your bundle
  • Component Islands: Only hydrate what’s truly interactive — a contact form, a search bar — leaving the rest as static HTML
  • No client-side routing overhead: Each page load is a clean slate, reducing persistent state that can be exploited for fingerprinting

Setting Up a Privacy-First Project

Start with a fresh Astro project and configure it for minimal data exposure:

Terminal window
npm create astro@latest privacy-first-site
cd privacy-first-site

Add a strict Content Security Policy in your layout:

---
const cspDirectives = [
  "default-src 'self'",
  "script-src 'self'",
  "style-src 'self' 'unsafe-inline'",
  "img-src 'self' data:",
  "connect-src 'self'",
  "frame-ancestors 'none'",
].join("; ");
---


<html>
  <head>
    <meta http-equiv="Content-Security-Policy" content={cspDirectives} />
  </head>
  <body>
    <slot />
  </body>
</html>

Self-Hosted Analytics Without Surveillance

Replace third-party tracking with privacy-respecting alternatives that you control:

// Simple, cookie-free page view counter
// Stores only aggregate counts, no personal data
const analyticsEndpoint = '/api/pageview';


document.addEventListener('DOMContentLoaded', () => {
  fetch(analyticsEndpoint, {
    method: 'POST',
    body: JSON.stringify({
      path: window.location.pathname,
      referrer: document.referrer ? new URL(document.referrer).hostname : null,
    }),
  });
});

Next Steps

Building for privacy is an ongoing commitment:

  • Audit your dependencies for hidden trackers
  • Implement consent-first patterns for any interactive features
  • Test with browser privacy tools to verify no unexpected network requests

Every architectural choice is a values choice. Shipping less JavaScript isn’t just good engineering — it’s good ethics.

About the Authors

Sarah Chen

Sarah Chen

Executive Director

 David Kim

David Kim

Open Source Developer