About stlweb.dev

Engineering-first.
No fluff.
Built in St. Louis.

We're stlweb.dev — a St. Louis-based engineering studio. We build fast, secure, production-grade web products. The same team that shipped PQ PDF and PQ Crypta now brings that same engineering discipline to St. Louis businesses.

Our Philosophy

Precision over production volume.

Most web agencies are optimized for throughput — templates, page builders, cheap offshore labor, and upsell cycles. We're not that. We write real code, make deliberate architectural decisions, and stand behind what we ship.

Every project starts with a scoped proposal, a locked price, and a clear timeline. No discovery-phase bait-and-switch. No "it depends" pricing. No 6-month retainer before you see a line of code.

We keep the project roster intentionally small so every build gets real engineering attention. If a project isn't the right fit — we'll say so on the first call.

Engineering-first

Every technical decision is made for performance, security, and longevity — not for ease of delivery. We use the right tools, not the trendy ones.

Transparent pricing

Every service has a public starting price. Scope is locked before we write a single line. You'll never receive a surprise invoice.

We eat our own cooking

This site — stlweb.dev — is our live demo. Every technique we recommend is in production here first. HTTP/3, post-quantum security, Lighthouse 100 — all running on this server.

St. Louis roots

We build here, we understand here. Local SEO, local context, and a local phone number you can actually call.

Our Own Products

We build real production software.

Before taking on client projects, we built and shipped our own production applications. Here's what that engineering looks like.

PQ PDF
pqpdf.com ↗

Sovereign Document Intelligence Platform

46 PDF tools plus a dual-scanner forensics platform. PDF scanner: 44 engines — 15 static heuristics, 6 live sandboxes (Ghostscript, MuPDF, Poppler, PDFium, LibreOffice, pdf.js), 3 ML classifiers with SHAP explainability, 6.4M+ offline threat indicators, MITRE ATT&CK mapping, 9 sanitization modes, local Qwen 2.5 AI forensic reports, zero retention. Office scanner: 23 engines covering Word, Excel, PowerPoint, Outlook, Access, and Visio — VBA macros, XLM deobfuscation, OLE forensics, IOC extraction, sandboxed execution, 4-mode sanitization. ML-KEM-1024 post-quantum encryption on every transfer.

PHP 8.4 Python ML 44+23 Engines 6.4M+ IOCs MITRE ATT&CK Zero-Retention ML-KEM-1024
PQ Crypta
pqcrypta.com ↗

Post-Quantum Cryptography API Platform

Production API serving all finalized NIST post-quantum standards — ML-KEM (FIPS 203), ML-DSA (FIPS 204), SLH-DSA (FIPS 205) — plus 44 additional hybrid and legacy schemes, 47 algorithms total. Not a wrapper: native implementations. HTTP/3 QUIC. Enterprise JWT auth. Real-time threat intelligence dashboard, bot remediation, public security dashboard, automated dependency scanning. The same cryptography securing PQ PDF and this site.

47 PQC Algorithms FIPS 203/204/205 HTTP/3 + QUIC NIST Native JWT Enterprise TLS 1.3
pqcrypta-proxy
GitHub ↗

Rust HTTP/3 Reverse Proxy with Hybrid PQC TLS

From-scratch Rust Layer-7 reverse proxy: HTTP/1.1, HTTP/2, HTTP/3, QUIC, and WebTransport with hybrid X25519+ML-KEM-768 post-quantum TLS (NIST Level 3) via OpenSSL 3.5+. 222 commits. 142 passing tests. Serving stlweb.dev right now. 6 load-balancing algorithms, canary routing with auto-rollback, JA3/JA4 fingerprinting with replay and drift detection, WAF (SQLi/XSS/SSRF/traversal + 40+ scanner probe paths), 0-RTT replay protection, PQC session tickets, GeoIP blocking, ACME hot-reload, OCSP stapling, Prometheus metrics, OpenTelemetry tracing, zero-trust startup mode.

Rust HTTP/3 + QUIC WebTransport X25519+ML-KEM-768 222 Commits 142 Tests 6 LB Algos WAF + JA3/JA4
QUIC Speed Test
pqcrypta.com/speedtest/ ↗

The First WebTransport Speed Test on the Internet

Every other speed test runs over TCP. This one uses real UDP datagrams over WebTransport/QUIC — measuring network conditions the way latency-sensitive applications actually experience them. Two servers (US East · US Midwest) with GeoIP auto-selection. Download: 12 concurrent QUIC streams. Upload: 16 WebTransport streams. Measures latency, jitter (σ RTT), packet loss, and throughput, then layers gaming experience rating, VoIP MOS score, streaming quality, buffer bloat analysis, ISP fingerprint, MTR hop visualization, and live percentile ranking vs real users. Free, no account.

First WebTransport Speedtest Real UDP · Not TCP WebTransport API QUIC Datagrams VoIP MOS Score MTR Hop Viz 2 Servers Free
PQ Crypta Share
pqcrypta.com/share/ ↗

Dual-KEM Zero-Knowledge Encrypted Messages

Every message independently encrypted under two NIST Level 5 algorithms simultaneously: ML-KEM-1024 (lattice, FIPS 203) and HQC-256 (code-based, NIST 2025). An attacker must break both — two entirely different mathematical problems — at the same time. The only encrypted-message tool implementing dual-KEM. True zero-knowledge: the AES-256-GCM wrap key lives only in the URL fragment, never transmitted. Burn-after-reading, passphrase layer (PBKDF2 200k iterations), 4 KB block padding, SHA-256 preview hash fingerprint, link health check, integrity badge, self-audit mode. No account. No data retained.

ML-KEM-1024 + HQC-256 Dual-KEM NIST Level 5 Zero-Knowledge Burn-After-Reading Passphrase Layer No Account
pqc-binary-format
GitHub ↗

Universal PQ Wire Format — Submitted to NIST

An algorithm-agnostic binary serialization format for post-quantum cryptographic data, submitted to NIST for standardization consideration. The problem it solves: every PQ library serializes keys and signatures differently, breaking interoperability. pqc-binary-format gives any implementation a common wire format without vendor lock-in. 47 supported algorithms. 5 language bindings: Rust, Python, JavaScript, Go, and C.

NIST Submitted 47 Algorithms 5 Language Bindings Rust · Python · JS · Go · C Open Source Wire Format
The Stack

What we actually build with.

Not a list of logos. The specific tools we use in production — and why.

Frontend 37
React / Next.js Vue / Nuxt Angular SvelteKit Astro Remix Gatsby Vanilla JS (ES2024) TypeScript PHP 8.4 Templates HTMX Web Components Tailwind CSS CSS @layer SASS / SCSS CSS Modules Styled Components Scroll-driven Animations View Transitions API Web Animations API GSAP Framer Motion Three.js / WebGL Canvas API MapLibre GL WebTransport API PWA / Service Workers Web Workers Intersection Observer WebGL / WebGPU Mobile-first Responsive Design Cross-browser Compatibility WCAG 2.2 AA Accessibility Keyboard Navigation Screen Reader Testing Dark Mode / Theme Systems Design System Implementation
CMS & E-Commerce 15
WordPress WooCommerce Drupal Craft CMS Ghost Contentful Sanity Strapi Payload CMS KeystoneJS Shopify Shopify Custom Themes BigCommerce Headless CMS Architecture Custom CMS Builds
Backend 18
PHP 8.4 FPM Node.js (Fastify / Express) Rust Python 3.12 Go RESTful APIs GraphQL WebSockets WebTransport API Server-Sent Events gRPC OAuth2 / JWT SSO / SAML Playwright Automation Queue Workers Cron / Scheduled Jobs Microservices Serverless Functions
Databases 18
PostgreSQL MySQL / MariaDB MongoDB Redis SQLite Microsoft SQL Server Oracle DB CouchDB DynamoDB Cassandra Elasticsearch OpenSearch Full-Text Search Vector DBs (pgvector) Time-Series Data S3 / Object Storage Database Migrations Query Optimization
Infrastructure 49
pqcrypta-proxy (Rust) HTTP/1.1 · HTTP/2 · HTTP/3 · QUIC WebTransport Apache 2.4 NGINX HAProxy Caddy Least Connections LB Round Robin LB Weighted Round Robin LB IP Hash LB Least Response Time LB Canary Traffic Splitting (auto-rollback) Traffic Shadowing / Mirroring Session Affinity (Cookie / IP / Header) Circuit Breaker Connection Draining Slow Start Request Queuing Priority Failover Connection Pool RFC 9111 Response Cache Request Coalescing Early Hints (HTTP 103) Brotli · gzip · zstd Compression Hot Reload (zero downtime) ACME / Let's Encrypt Automation OCSP Stapling Certificate Transparency Prometheus Metrics OpenTelemetry (W3C TraceContext + B3) Structured Audit Logging PROXY Protocol v2 Log Rotation (SIGHUP) Environment Config Overlay Cloudflare (WAF + CDN + Workers) AWS (EC2, RDS, S3, CloudFront, Lambda) Google Cloud Azure Self-Hosted VPS Bare Metal Docker Kubernetes Docker Compose GitHub Actions CI/CD GitLab CI Jenkins Blue/Green Deployments Zero-Downtime Deploy
Security 58
NIST FIPS 203 / 204 / 205 ML-KEM-1024 X25519MLKEM768 Hybrid TLS PQC Session Tickets (ML-KEM-1024) PQC Downgrade Detection TLS 1.3-Only TLS Re-encrypt / Passthrough TLS Key Permission Checks OCSP Stapling Certificate Transparency WAF (detect + block mode) SQLi Prevention XSS Hardening Path Traversal Blocking NoSQL Injection SSRF Prevention Command Injection (CMDi) XXE Blocking Insecure Deserialization OWASP A01 / A03 / A08 / A10 Scanner Probe Blocking (40+ paths) Custom WAF Patterns JA3 / JA4 TLS Fingerprinting JA3/JA4 Replay Detection JA3/JA4 Drift Detection Malicious Fingerprint Blocking mTLS / Mutual TLS Internal Route Auto-mTLS Per-Route HMAC Proof-of-Possession Admin HMAC Signing Cryptographically Secure Tokens (OsRng) Multi-dimensional Rate Limiting Redis-backed Distributed Rate Limits JWT Rate Limiting (HMAC-SHA256) Adaptive ML Anomaly Detection Admin Brute-Force Lockout (exp. back-off) WebTransport Per-Origin Rate Limiting DoS / Connection Limit Protection 0-RTT Replay Protection GeoIP Blocking (MaxMind) IP Blocklists (DB-synced, CIDR) Zero-Trust Mode SSRF Link-local / RFC1918 Rejection Server Identity Concealment CSP / HSTS CORS (429-safe) COEP / COOP / CORP X-Frame-Options DNSSEC NEL (Network Error Logging) Log Injection Prevention OAuth2 / JWT SSO / SAML Secret Scanning Penetration Test Remediation GDPR / HIPAA Compliance OWASP Top 10 tls_skip_verify Production Block
Performance 18
Lighthouse 100 Core Web Vitals HTTP/3 QUIC Brotli Compression WebP / AVIF <1s LCP Critical CSS Inlining CDN / Edge Cache Service Workers Code Splitting Tree Shaking Lazy Loading Font Subsetting Image Optimization Pipeline Database Query Profiling Render-blocking Removal TTFB Optimization Prefetch / Preconnect / Preload
Integrations & APIs 39
Stripe / Stripe Connect PayPal / Braintree Square Twilio (SMS / Voice) SendGrid Postmark AWS SES Mailchimp Klaviyo HubSpot (CRM + Marketing) Salesforce Zoho CRM ActiveCampaign Constant Contact Zapier Make (Integromat) n8n Webhooks / Event Streams Google Maps API Google Places API Google Calendar API Google Analytics 4 Google Tag Manager Algolia Typesense OpenAI / Claude AI Pinecone / Vector Search Calendly / Booking APIs Intercom / Crisp Live Chat Zoom / Google Meet APIs Slack / Discord Webhooks QuickBooks / Xero ShipStation / EasyPost Facebook / Instagram Graph API Twitter / X API YouTube Data API Cloudinary / imgix Firebase Cloud Messaging Web Push Notifications
SEO & Analytics 31
Schema Markup / JSON-LD Open Graph / Twitter Cards XML Sitemaps robots.txt Canonical Tags Breadcrumb Structured Data LocalBusiness Schema FAQ / HowTo / Review Schema Hreflang (Multi-language) Google Business Profile Optimization Local Citation Building NAP Consistency Geo-targeted Landing Pages Google Analytics 4 Google Tag Manager Google Search Console Bing Webmaster Tools Hotjar / Heatmaps Mixpanel PostHog (self-hosted) Plausible Lighthouse CI Core Web Vitals Monitoring PageSpeed Insights API Real User Monitoring (RUM) SEO-first Architecture Semantic HTML Structure Internal Linking Strategy CRO (Conversion Rate Optimization) A/B Testing Integration Landing Page Optimization
Testing & QA 29
Jest Vitest PHPUnit Pest (PHP) Go testing Playwright Cypress Selenium Postman / Newman REST Assured Supertest k6 (Load Testing) Artillery Apache JMeter Percy (Visual Regression) Storybook axe-core (Accessibility) WAVE Accessibility Testing Lighthouse Audits Sentry (Error Tracking) LogRocket Datadog GitHub Actions Test Automation Pre-commit Hooks Code Coverage Reporting Mutation Testing BrowserStack Cross-browser Testing Responsive Testing
St. Louis, Missouri

Let's build something worth shipping.

Free scoping call. Locked price before we start. No engagement required until you're ready. We respond within one business day.

Get a Free Proposal See our work →

hello@stlweb.dev · Saint Louis, MO