Back to LinkedIn posts

LinkedIn post 112

๐Ÿšจ Unexpected lesson from running a technical portfolio on GitHub Pages โš ๏ธ

๐Ÿšจ Unexpected lesson from running a technical portfolio on GitHub Pages โš ๏ธ

Recently my GitHub Pages site was flagged as a "Dangerous site" by Google Safe Browsing and I've only found out today when publishing my favorite SOQL queries in a cheat sheet page.

I've checked and there are no malware, no phishing forms, no credential capture. The root cause was automated heuristics.

In my case, browser-based AI/WebGPU experiments - running ONNX transformer models locally with transformers.js and calculating fractals on the browser - likely triggered the flag.

For a security crawler, patterns like large binary downloads, WebAssembly, WebGPU initialization, and heavy client-side compute may look indistinguishable from malware loaders.

So if you are hosting demos or portfolios, these may be important points:
๐Ÿ‘‰ username.github.io is a single reputation boundary
๐Ÿ‘‰ one demo can poison the entire site if it looks "risky"
๐Ÿ‘‰ automated classifiers will not consider your disclaimers and open-source code

I've removed those demos and made an appeal - I have yet to see the result.
Fortunately this was not a security incident but it has a negative reputation effect.

If you host AI, WebGPU, WASM, or client-side ML demos it may be better to isolate them on a separate domain or subdomain. Also, avoid auto-loading models on page load and put a gate with explicit user interaction before proceeding with heavy computation.

Modern security systems optimize for minimizing false negatives, no matter how many false positives it gets. These advanced browser-side public experimentations seem to be at that boundary.

I hope that by sharing this it saves someone else a few days of confusion.