viral32111's website

As alluded to on the home page, the software that runs this web server (NGINX) is configured to enforce modern security standards.

While this website at present has no need for such security, as there is no user information or credentials exchanged, I find it is always good practice to ensure excellent security for any project I undertake, especially when it involves connections to the Internet.

Protocols

The Transport Layer Security (TLS) protocol is used to ensure all data exchanged between your device and this webserver is protected from malicious interception and tampering. It is a successor to the flawed Secure Sockets Layer (SSL) protocol.

There are a few versions of this protocol, of which this server will accept version 1.2 and 1.3, the latter is preferred. This server will deny versions 1.0 and 1.1 due to their vulnerabilities and wide-spread deprecation. Similarly, this server will deny all versions of the SSL protocol, including 1.0, 2.0 and 3.0.

HTTPs

A common misconception is that website traffic is secured with the HTTPs “protocol”, this is however not true (to an extent). HTTPs is just an extension to the existing HTTP protocol that only changes the scheme in URLs and Transmission Control Protocol (TCP) port number. The underlying encryption is performed with TLS or SSL.

Ciphers

This server’s OpenSSL cipher suite preference is configured as ECDHE:!ECDHE-ECDSA-AES256-SHA384:!ECDHE-ECDSA-CAMELLIA256-SHA384:!ECDHE-ECDSA-AES128-SHA256:!ECDHE-ECDSA-CAMELLIA128-SHA256:HIGH:!MEDIUM:!LOW:!aNULL:!eNULL:!SHA1:!MD5:!TLSv1.0:!SSLv3:!EXP.

This priorities Elliptic Curve (EC) ciphers that support Perfect Forward Secrecy (PFS) and TLS 1.3 ciphers using AES-GCM and CHACHA20-POLY1305 algorithms with 256-bit keys. It removes support for all protocols, ciphers and hashes considered weak (LOW, SHA1, MD5, TLSv1.0, SSLv3), without authentication (aNULL), or without encryption (eNULL). It also removes all export ciphers (EXP).

Fast ciphers are not prioritised as it is not necessary on a website this minimal.

Certificate

The TLS certificate used to authenticate this web server is provided by Let’s Encrypt, a trusted non-profit certificate authority.

The certificate is valid for the current primary domain viral32111.com and *.viral32111.com for any subdomains, though at present there are no subdomains.

The certificate uses a 384-bit elliptic curve (NIST P-384 curve) key.

See crt.sh, a certificate transparency database, for the history of certificates issued for this domain.

Headers

While HTTP headers do not improve the strength of the underlying cryptography, they do instruct browsers to restrict functionality to minimise the attack surface. The following headers are used:

• Content-Security-Policy prevents loading content that is not authorised by this website.
• X-XSS-Protection disables cross-site scripting attack filtering.
• X-Frame-Options prevents framing this website on other websites.
• X-Content-Type-Options prevents requests for unexpected content types.
• Referrer-Policy prevents informing other websites that you came from this website.
• Strict-Transport-Security enforces encrypted requests to this website for future visits.

In addition to the last header, this website is in the HSTS Preload List to ensure all modern web browsers know to only ever visit this website over HTTPs.

Cookies

This website formerly set a single session cookie on your browser using the following attributes for improved security:

• SameSite prevented the browser from sending the cookie to websites.
• HttpOnly prevented client-side scripts from reading the cookie.
• Secure ensured the cookie is only sent when HTTPs is in use.

See the cookie policy for more information.

JavaScript

This website does not require JavaScript to function, so it is safe to disable it if that is desired.

Syntax highlighting for code blocks using the Highlight.js library is the only feature where JavaScript is present. These code blocks will simply lack syntax highlighting if it is disabled.

Subresource integrity and the Content-Security-Policy HTTP header are used to mitigate the possibility of your web browser loading a malicious script.

Server

I own the physical server that runs this web server, it is not hosted by a third-party provider, thus I have absolute control over it.

The server runs in-memory, so temporary data such as caches and runtime files are never written to disk. The only data kept on disk is the configuration files for the web server and logs for requests, responses and errors.

Strong disk encryption is utilised to ensure that nothing can be read if the physical server is ever compromised.

See the privacy policy for more information about how HTTP request logs are stored.