As alluded to on the home page, the software that runs this web server (NGINX) is configured to enforce modern security standards.
While this website at present has no need for such security, as there is no user information or credentials exchanged, I find it is always good practice to ensure excellent security for any project I undertake, especially when it involves connections to the Internet.
The Transport Layer Security (TLS) protocol is used to ensure all data exchanged between your device and this web server is protected from malicious interception and tampering. It is the successor to the flawed Secure Sockets Layer (SSL) protocol.
There are several versions of this protocol; this server accepts versions 1.2 and 1.3, with 1.3 preferred. It denies versions 1.0 and 1.1 due to their vulnerabilities and widespread deprecation. Similarly, it denies all versions of the SSL protocol, including 1.0, 2.0 and 3.0.
A common misconception is that website traffic is secured by an “HTTPS protocol”; this is, however, not true (to an extent). HTTPS is just an extension of the existing HTTP protocol that only changes the scheme in URLs and the Transmission Control Protocol (TCP) port number. The underlying encryption is performed by TLS or SSL.
This server’s OpenSSL cipher suite preference is configured as
This prioritises Elliptic Curve (EC) ciphers that support Perfect Forward Secrecy (PFS) and TLS 1.3 ciphers using the AES-GCM and CHACHA20-POLY1305 algorithms with 256-bit keys. It removes support for all protocols, ciphers and hashes considered weak (SSLv3), without authentication (aNULL), or without encryption (eNULL). It also removes all export ciphers.
Fast ciphers are not prioritised as it is not necessary on a website this minimal.
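The version and cipher policy described above can be checked locally against the OpenSSL build on a machine, without touching the live server. The following is an added example, not configuration or code from this website: it builds a server-side TLS context that mirrors the policy (TLS 1.2 and 1.3 only, ECDHE key exchange with AES-GCM or ChaCha20-Poly1305, aNULL and eNULL stripped), lists every suite OpenSSL would actually offer under it, and audits that list. The cipher string is a constructed assumption, since the page does not reproduce the server's own string; the nginx directives named in the comments (ssl_protocols, ssl_ciphers) are the ones that carry the equivalent settings.

```python
import ssl

# Constructed cipher string (an assumption: the page's own OpenSSL string is not
# reproduced). It admits only ECDHE key exchange with AES-GCM or ChaCha20-Poly1305
# and explicitly strips unauthenticated (aNULL) and unencrypted (eNULL) suites.
STRICT_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL"

# Substrings that mark suites the policy rejects: null, export, RC4, (3)DES and MD5.
WEAK_MARKERS = ("NULL", "EXP", "RC4", "DES", "MD5")

VERSION_NAMES = {
    ssl.TLSVersion.SSLv3: "SSLv3",
    ssl.TLSVersion.TLSv1: "TLSv1.0",
    ssl.TLSVersion.TLSv1_1: "TLSv1.1",
    ssl.TLSVersion.TLSv1_2: "TLSv1.2",
    ssl.TLSVersion.TLSv1_3: "TLSv1.3",
}


def build_server_context(cipher_string=STRICT_CIPHERS):
    """Server-side context that refuses SSLv3/TLS 1.0/1.1 and applies the cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # nginx: ssl_protocols TLSv1.2 TLSv1.3;
    ctx.set_ciphers(cipher_string)                # nginx: ssl_ciphers ...; raises SSLError if nothing matches
    return ctx


def accepted_versions(ctx):
    """Names of the protocol versions the context will negotiate, lowest first."""
    high = ctx.maximum_version
    if high == ssl.TLSVersion.MAXIMUM_SUPPORTED:
        high = ssl.TLSVersion.TLSv1_3
    return [name for ver, name in VERSION_NAMES.items() if ctx.minimum_version <= ver <= high]


def negotiable_ciphers(ctx):
    """One record per suite the context can offer, as reported by OpenSSL."""
    return [
        {"name": c["name"], "protocol": c["protocol"], "kea": c["kea"], "bits": c["strength_bits"]}
        for c in ctx.get_ciphers()
    ]


def audit_ciphers(ciphers):
    """Names of suites that break the policy: no forward secrecy, weak primitive, or pre-TLS 1.2."""
    failures = []
    for c in ciphers:
        name = c["name"].upper()
        # TLS 1.3 suites always use ephemeral (EC)DH; for TLS 1.2 require ECDHE or DHE key exchange.
        pfs = c["protocol"] == "TLSv1.3" or c["kea"] in ("kx-ecdhe", "kx-dhe")
        weak = any(marker in name for marker in WEAK_MARKERS)
        if not pfs or weak or c["protocol"] not in ("TLSv1.2", "TLSv1.3"):
            failures.append(c["name"])
    return failures


if __name__ == "__main__":
    ctx = build_server_context()
    print("versions:", accepted_versions(ctx))
    for c in negotiable_ciphers(ctx):
        print(f'{c["protocol"]:8} {c["name"]:32} {c["bits"]} bits')
    print("policy violations:", audit_ciphers(negotiable_ciphers(ctx)))
```

Running it prints the suites the local OpenSSL would select and an empty violation list; feeding `audit_ciphers` a record for a static-RSA suite such as AES128-SHA shows the check rejecting a suite without forward secrecy.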
The TLS certificate used to authenticate this web server is provided by Let’s Encrypt, a trusted non-profit certificate authority.
The certificate is valid for the current primary domain and the wildcard *.viral32111.com for any subdomains, though at present there are no subdomains.
The certificate uses a 384-bit elliptic curve (NIST P-384 curve) key.
See crt.sh, a certificate transparency database, for the history of certificates issued for this domain.
While HTTP headers do not improve the strength of the underlying cryptography, they do instruct browsers to restrict functionality to minimise the attack surface. The following headers are used:
Content-Security-Policy prevents loading content that is not authorised by this website.
X-XSS-Protection disables cross-site scripting attack filtering.
X-Frame-Options prevents framing this website on other websites.
X-Content-Type-Options stops the browser from guessing (sniffing) a content type other than the one this website declares.
Referrer-Policy prevents informing other websites that you came from this website.
Strict-Transport-Security enforces encrypted requests to this website for future visits.
In addition to the last header, this website is in the HSTS Preload List to ensure all modern web browsers know to only ever visit this website over HTTPS.
This website formerly set a single session cookie on your browser using the following attributes for improved security:
SameSite prevented the browser from sending the cookie to other websites.
HttpOnly prevented client-side scripts from reading the cookie.
Secure ensured the cookie was only sent when HTTPS was in use.
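The headers listed above and the cookie attributes just described are the sort of thing worth re-checking after every configuration change, because a single typo silently removes the protection. The following is an added example, not code from this website: a small audit that takes a response's headers and a Set-Cookie value and reports which protections are missing or weakened, using the HSTS preload list's published requirements (max-age of at least one year, includeSubDomains, preload). The two header sets are constructed samples, not responses captured from the site.

```python
# Constructed sample response headers (an assumption; not captured from the site).
GOOD_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "X-XSS-Protection": "0",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
}

# The same response with the protections relaxed or missing, for comparison.
WEAK_HEADERS = {
    "Content-Security-Policy": "default-src *",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "unsafe-url",
    "Strict-Transport-Security": "max-age=300",
}

STRICT_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}
PRELOAD_MIN_AGE = 31536000  # one year, the HSTS preload list's minimum


def check_hsts(value):
    """Reason the HSTS value fails the preload requirements, or None if it meets them."""
    directives = [d.strip().lower() for d in value.split(";")]
    age = next((d for d in directives if d.startswith("max-age=")), None)
    if age is None or not age[8:].isdigit():
        return "max-age missing"
    if int(age[8:]) < PRELOAD_MIN_AGE:
        return "max-age shorter than one year"
    if "includesubdomains" not in directives:
        return "includeSubDomains missing"
    if "preload" not in directives:
        return "preload missing"
    return None


def check_csp(value):
    """Flag a policy that is effectively open: wildcard default-src or no default-src at all."""
    directives = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    sources = directives.get("default-src")
    if sources is None:
        return "default-src missing"
    if "*" in sources:
        return "default-src allows any origin"
    return None


# One check per header the page lists; each returns a reason string or None.
CHECKS = {
    "content-security-policy": check_csp,
    "x-xss-protection": lambda v: None if v.strip() == "0" else "legacy XSS filter not disabled",
    "x-frame-options": lambda v: None if v.strip().upper() in ("DENY", "SAMEORIGIN") else "framing not restricted",
    "x-content-type-options": lambda v: None if v.strip().lower() == "nosniff" else "MIME sniffing not disabled",
    "referrer-policy": lambda v: None if v.strip().lower() in STRICT_REFERRER else "referrer leaks to other sites",
    "strict-transport-security": check_hsts,
}


def audit_headers(headers):
    """Return 'header-name: reason' findings for missing or weak headers, in CHECKS order."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, check in CHECKS.items():
        if name not in lowered:
            findings.append(f"{name}: missing")
            continue
        reason = check(lowered[name])
        if reason:
            findings.append(f"{name}: {reason}")
    return findings


def audit_cookie(set_cookie):
    """Return which of SameSite (Strict or Lax), HttpOnly and Secure a Set-Cookie value lacks."""
    parts = [p.strip() for p in set_cookie.split(";")]
    attrs = {}
    for part in parts[1:]:  # parts[0] is name=value of the cookie itself
        key, _, val = part.partition("=")
        attrs[key.lower()] = val if val else True
    missing = []
    if str(attrs.get("samesite", "")).lower() not in ("strict", "lax"):
        missing.append("SameSite")
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if "secure" not in attrs:
        missing.append("Secure")
    return missing


if __name__ == "__main__":
    print("good:", audit_headers(GOOD_HEADERS))
    print("weak:", audit_headers(WEAK_HEADERS))
    print("cookie:", audit_cookie("session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"))
```

The checks deliberately treat `X-XSS-Protection: 1; mode=block` as a finding, matching the page's choice of disabling the legacy filter rather than enabling it.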
Subresource integrity and the Content-Security-Policy HTTP header are used to mitigate the possibility of your web browser loading a malicious script.
I own the physical server that runs this web server; it is not hosted by a third-party provider, so I have absolute control over it.
The server runs in-memory, so temporary data such as caches and runtime files are never written to disk. The only data kept on disk is the configuration files for the web server and logs for requests, responses and errors.
Strong disk encryption is utilised to ensure that nothing can be read if the physical server is ever compromised.