The following includes technical details about the behind-the-scenes workings of this website. It is not intended for casual readers, rather for those interested in auditing my methods and helping me improve them.
This website is protected by Cloudflare’s DDoS protection with strong NGINX access rules for redundancy.
The server hosting this website is protected by redundant firewalls. SSH access requires lease access, a valid key pair, and two-factor authentication for all users.
The firewalls are configured to only permit direct HTTP/HTTPS connections from Cloudflare, ensuring all traffic to the site passes through their filters first. In essence, when you visit the website, you’re actually getting cached content from Cloudflare. Only when you submit the contact form or a search do you actually communicate with the server itself.
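An added illustration of the policy just described, not the site's own ruleset: an ordered, first-match allow-list evaluator in which 80/443 are reachable only from the CDN's ranges, 22 only from a management network, and everything else is dropped. The CIDRs are constructed placeholders from the RFC 5737/RFC 3849 documentation ranges, not Cloudflare's real published ranges; in practice those are pulled from the CDN's IP list and the ruleset regenerated whenever it changes.

```python
"""Ordered allow-list firewall evaluator (added example, not the site's ruleset)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str        # "accept" or "drop"
    proto: str         # "tcp", "udp" or "any"
    dports: frozenset  # destination ports; empty = any port
    sources: tuple     # ip_network objects; empty = any source


# Placeholder for the CDN's published edge ranges (v4 and v6) -- constructed.
CDN_RANGES = (ip_network("198.51.100.0/24"), ip_network("2001:db8:100::/48"))
# Placeholder for the operator's management network used for SSH -- constructed.
MGMT_RANGES = (ip_network("203.0.113.0/28"),)

# First match wins; the last rule is the default deny.
RULESET = (
    Rule("accept", "tcp", frozenset({80, 443}), CDN_RANGES),
    Rule("accept", "tcp", frozenset({22}), MGMT_RANGES),
    Rule("drop", "any", frozenset(), ()),
)


def evaluate(src: str, proto: str, dport: int, ruleset=RULESET) -> str:
    """Return the verdict ("accept"/"drop") for one inbound connection attempt."""
    addr = ip_address(src)
    for rule in ruleset:
        if rule.proto not in ("any", proto):
            continue
        if rule.dports and dport not in rule.dports:
            continue
        # A v4 address is never "in" a v6 network (and vice versa), so mixed
        # families simply fail to match rather than raising.
        if rule.sources and not any(addr in net for net in rule.sources):
            continue
        return rule.action
    return "drop"  # defensive default if a ruleset lacks a final catch-all


def audit(probes, ruleset=RULESET):
    """Run (src, proto, dport) probes and return the ones that were accepted.

    Anything accepted that is not a CDN->80/443 or management->22 path is a
    policy bug, which makes this a cheap regression check for rule changes.
    """
    return [p for p in probes if evaluate(*p, ruleset=ruleset) == "accept"]


if __name__ == "__main__":
    probes = [
        ("198.51.100.7", "tcp", 443),  # CDN edge -> HTTPS: expected accept
        ("192.0.2.9", "tcp", 443),     # direct-to-origin attempt, bypassing the CDN: drop
        ("203.0.113.5", "tcp", 22),    # management -> SSH: accept
        ("198.51.100.7", "tcp", 22),   # CDN range must not reach SSH: drop
        ("198.51.100.7", "udp", 443),  # wrong protocol: drop
    ]
    for p in probes:
        print(p, "->", evaluate(*p))
```

The second probe is the case the page's design is meant to defeat: a client that has learned the origin address and connects to it directly never matches the CDN rule and falls through to the default deny.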
This website is secured using TLS 1.2 and 1.3 with perfect forward secrecy. TLS 1.0 and 1.1 are no longer supported. Origin certificates are issued by Let’s Encrypt, and edge certificates by Comodo. All origin pulls are required to be authenticated with a valid certificate.
The website also implements HSTS. HTTP Strict Transport Security (HSTS) vastly improves the security of the transport encryption layer. With HSTS enabled, browsers no longer allow clicking through certificate errors, which are otherwise typically trivial to exploit. Additionally, they will no longer send insecure (plaintext) requests to the site in question, even if asked.
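To make the second effect concrete, here is an added example (not the site's code) of the known-hosts logic an HSTS-aware client keeps per RFC 6797: the header is parsed, the host is remembered until max-age expires, and any plain http:// request to a known host (or a subdomain, when includeSubDomains is set) is rewritten to https:// before it is sent. The hostnames and header values are constructed; the refusal to click through certificate errors is a separate browser behaviour not modelled here.

```python
"""Minimal HSTS host store following RFC 6797 (added example, not the site's code)."""
from urllib.parse import urlsplit


def parse_hsts(header: str):
    """Parse a Strict-Transport-Security header value.

    Returns (max_age_seconds, include_subdomains), or None when the header is
    invalid and must be ignored (missing max-age, duplicate directive, or a
    non-numeric max-age). Names are case-insensitive; unknown directives such
    as 'preload' are ignored (RFC 6797 section 6.1).
    """
    max_age = None
    include_sub = False
    seen = set()
    for raw in header.split(";"):
        part = raw.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            value = value.strip().strip('"')
            if not value.isdigit():
                return None
            max_age = int(value)
        elif name == "includesubdomains":
            include_sub = True
    if max_age is None:
        return None
    return max_age, include_sub


class HstsStore:
    """Known-HSTS-hosts cache keyed by lowercase hostname."""

    def __init__(self):
        self._hosts = {}  # host -> (expires_at, include_subdomains)

    def process_response(self, host, header, now, over_tls=True):
        # Section 8.1: only a header received over an error-free TLS connection
        # may create or refresh an entry; the same header over plain HTTP is ignored.
        if not over_tls:
            return
        parsed = parse_hsts(header)
        if parsed is None:
            return
        max_age, include_sub = parsed
        host = host.lower()
        if max_age == 0:
            self._hosts.pop(host, None)  # max-age=0 tells the client to forget the host
        else:
            self._hosts[host] = (now + max_age, include_sub)

    def is_known(self, host, now):
        """True if host, or a superdomain with includeSubDomains, has an unexpired entry."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_sub = entry
            if now >= expires_at:
                continue
            if i == 0 or include_sub:
                return True
        return False

    def rewrite(self, url, now):
        """Upgrade http:// to https:// for known hosts (section 8.3); port 80 becomes 443."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known(parts.hostname, now):
            return url
        host = parts.hostname
        netloc = host if parts.port in (None, 80) else f"{host}:{parts.port}"
        return parts._replace(scheme="https", netloc=netloc).geturl()
```

Note that `process_response` deliberately drops the header when `over_tls` is false: a plaintext response carrying HSTS must not be trusted, otherwise an on-path party could set or clear the policy.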
Lastly, the domain implements CAA records to prevent malicious or accidental mis-issuance of TLS certificates for the domain.
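As an added example of what a CAA record actually buys (not this domain's real records), the following implements the issuance decision a CA makes under RFC 8659: climb from the requested name toward the root, take the first non-empty CAA set, and check whether the CA's identifier is listed. The zone data is constructed; letsencrypt.org is Let's Encrypt's published CAA identifier, while comodoca.com is assumed here for the edge CA. The function also covers the edge cases a record author should know: a bare ";" value forbids everyone, issuewild overrides issue for wildcard requests, a set with only iodef does not restrict issuance, and an unknown property flagged critical forces refusal.

```python
"""CAA issuance decision per RFC 8659 (added example, not this domain's real records)."""

CRITICAL = 0x80
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed zone data: name -> list of (flags, tag, value)
ZONE = {
    "example.com": [
        (0, "issue", "letsencrypt.org"),
        (0, "issue", "comodoca.com; validationmethods=dns-01"),  # parameters are allowed
        (0, "issuewild", ";"),             # nobody may issue wildcard certificates
    ],
    "noca.example.com": [(0, "issue", ";")],                        # no issuance below here
    "iodef-only.example.com": [(0, "iodef", "mailto:security@example.com")],
    "strict.example.com": [(CRITICAL, "futuretag", "x")],          # unknown critical property
}


def parent(name: str) -> str:
    return name.partition(".")[2]


def relevant_caa_set(name: str, zone: dict) -> list:
    """RFC 8659 section 3: climb toward the root; the first non-empty CAA RRset wins."""
    while name:
        rrset = zone.get(name)
        if rrset:
            return rrset
        name = parent(name)
    return []


def issuer_domain(value: str) -> str:
    """'<issuer-domain>[; param=value ...]' -> issuer-domain; empty (a bare ';') means no CA."""
    return value.split(";", 1)[0].strip().lower()


def may_issue(ca: str, fqdn: str, zone: dict = ZONE) -> bool:
    """True if `ca` is permitted to issue a certificate for `fqdn`.

    A wildcard request (*.example.com) is decided on the set relevant to
    example.com; if that set holds any issuewild property, issuewild replaces
    issue for the decision (section 4.3). A set with no applicable issue
    properties places no restriction, unless it carries an unknown property
    flagged critical, in which case the CA must refuse (section 4.1).
    """
    wildcard = fqdn.startswith("*.")
    name = (fqdn[2:] if wildcard else fqdn).lower().rstrip(".")
    rrset = relevant_caa_set(name, zone)
    if not rrset:
        return True  # no CAA anywhere in the chain: unrestricted
    props = [(flags, tag.lower(), value) for flags, tag, value in rrset]
    if any(flags & CRITICAL and tag not in KNOWN_TAGS for flags, tag, _v in props):
        return False
    if wildcard and any(tag == "issuewild" for _f, tag, _v in props):
        applicable = [v for _f, tag, v in props if tag == "issuewild"]
    else:
        applicable = [v for _f, tag, v in props if tag == "issue"]
    if not applicable:
        return True
    allowed = {issuer_domain(v) for v in applicable}
    allowed.discard("")  # a bare ';' contributes no issuer, so it only ever denies
    return ca.lower() in allowed
```

The climb-to-first-set rule is the one that bites in practice: a CAA set on a subdomain completely replaces the apex set for names under it, so `noca.example.com` above blocks every CA for everything beneath it even though `example.com` permits two.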
The server is scanned daily by rkhunter, chkrootkit, maldet, and ClamAV to ensure the highest possible protection from various threats.
Third-party content
This website is built using Bootstrap, Font Awesome, and web fonts. Additionally, the site uses Matomo for analytics. For security and privacy reasons, Bootstrap, Font Awesome, and the web fonts are all included locally on this server. The Matomo instance used for analytics is hosted locally on this server as well and is used for all of my personal websites. However, IP addresses have the last octet removed to prevent absolute identification of visitors. Additionally, accessing the Tor onion service only causes Matomo to record the visit and that it came from Tor. No other information about the visitor is collected.
As mentioned in 7, this website runs a Tor onion service available at offpriv2kalk6oya.onion. The service is hosted on the same server as the site and is subject to the same policies, with two notable exceptions: a) Cloudflare is not part of the access route, and b) the service does not use HTTPS, because Tor already encrypts connections to onion services.
This domain is configured to use DNSSEC. DNSSEC is an extension of the DNS protocol that provides cryptographic assurance of the authenticity and integrity of responses; it’s intended as a defense against network attackers who are able to manipulate DNS to redirect their victims to servers of their choice.
If you have comments, critiques, or suggestions on ways I can improve this security plan, feel free to contact me.