viral32111's avatarviral32111's website

As alluded to on the home page, the software that runs this web server (NGINX) is configured to enforce modern security standards.

While this website at present has no need for such security, as there is no user information or credentials exchanged, I find it is always good practice to ensure excellent security for any project I undertake, especially when it involves connections to the Internet.


The Transport Layer Security (TLS) protocol is used to ensure all data exchanged between your device and this webserver is protected from malicious interception and tampering. It is a successor to the flawed Secure Sockets Layer (SSL) protocol.

There are a few versions of this protocol, of which this server will accept version 1.2 and 1.3, the latter is preferred. This server will deny versions 1.0 and 1.1 due to their vulnerabilities and wide-spread deprecation. Similarly, this server will deny all versions of the SSL protocol, including 1.0, 2.0 and 3.0.


A common misconception is that website traffic is secured with the HTTPs “protocol”, this is however not true (to an extent). HTTPs is just an extension to the existing HTTP protocol that only changes the scheme in URLs and Transmission Control Protocol (TCP) port number. The underlying encryption is performed with TLS or SSL.


This server’s OpenSSL cipher suite preference is configured as ECDHE:!ECDHE-ECDSA-AES256-SHA384:!ECDHE-ECDSA-CAMELLIA256-SHA384:!ECDHE-ECDSA-AES128-SHA256:!ECDHE-ECDSA-CAMELLIA128-SHA256:HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!SHA1:!MD5:!TLSv1.0:!SSLv3:!EXP.

This priorities Elliptic Curve (EC) ciphers that support Perfect Forward Secrecy (PFS) and TLS 1.3 ciphers using AES-GCM and CHACHA20-POLY1305 algorithms with 256-bit keys. It removes support for all protocols, ciphers and hashes considered weak (LOW, SHA1, MD5, TLSv1.0, SSLv3), without authentication (aNULL), or without encryption (eNULL). It also removes all export ciphers (EXP).

Fast ciphers are not prioritised as it is not necessary on a website this minimal.


The TLS certificate used to authenticate this web server is provided by Let’s Encrypt, a trusted non-profit certificate authority.

The certificate is valid for the current primary domain and * for any subdomains, though at present there are no subdomains.

The certificate uses a 384-bit elliptic curve (NIST P-384 curve) key.

See, a certificate transparency database, for the history of certificates issued for this domain.


While HTTP headers do not improve the strength of the underlying cryptography, they do instruct browsers to restrict functionality to minimise the attack surface. The following headers are used:

In addition to the last header, this website is in the HSTS Preload List to ensure all modern web browsers know to only ever visit this website over HTTPs.


This website formerly set a single session cookie on your browser using the following attributes for improved security:

See the cookie policy for more information.


This website does not require JavaScript to function, so it is safe to disable it if that is desired.

Syntax highlighting for code blocks using the Highlight.js library is the only feature where JavaScript is present. These code blocks will simply lack syntax highlighting if it is disabled.

Subresource integrity and the Content-Security-Policy HTTP header are used to mitigate the possibility of your web browser loading a malicious script.


I own the physical server that runs this web server, it is not hosted by a third-party provider, thus I have absolute control over it.

The server runs in-memory, so temporary data such as caches and runtime files are never written to disk. The only data kept on disk is the configuration files for the web server and logs for requests, responses and errors.

Strong disk encryption is utilised to ensure that nothing can be read if the physical server is ever compromised.

See the privacy policy for more information about how HTTP request logs are stored.