Website Hardening
Summary
This article will provide a detailed breakdown of the security measures taken to harden the davelevine.io domain.
DNS
- All subdomains proxied through Cloudflare.
- DNSSEC enabled.
SSL/TLS
Example
- SSL/TLS Encryption: Full (Strict)
  - Encrypts end-to-end, but requires a trusted CA or Cloudflare Origin CA certificate on the server.
  - Trusted CA served by pfSense except for Knowledge, which uses a Cloudflare Origin CA served through NGINX.
  - Dedicated Edge Certificate for davelevine.io and *.davelevine.io.
- Always Use HTTPS: On
- HTTP Strict Transport Security (HSTS)
  - Status: On
  - Max-Age: 6 months (Recommended)
  - Include subdomains: On
  - Preload: On
- Minimum TLS Version: TLS 1.2
- Opportunistic Encryption: On
- Onion Routing: On
- TLS 1.3: On
- Automatic HTTPS Rewrites: On
- Origin Certificate: Valid origin certificate for davelevine.io and *.davelevine.io.
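The HSTS settings above (6-month max-age, include subdomains, preload) are easy to misconfigure at the edge or override at the origin, so it is worth checking the header the site actually serves. The following Python is an added example, not code from the original article or from Cloudflare: it parses a Strict-Transport-Security value per RFC 6797 and audits it against the listed policy. The header values are constructed samples, and "6 months" is assumed to mean 180 days (15552000 seconds). One caveat a practitioner should know: hstspreload.org only accepts domains onto the browser preload list when max-age is at least one year (31536000 seconds), so a 6-month max-age with the preload directive set will pass Cloudflare's setting but not preload-list submission; the audit flags that case.

```python
"""Audit a Strict-Transport-Security header against the policy listed above:
max-age of at least six months, includeSubDomains, and preload.
Added example; not the article's own code."""
from dataclasses import dataclass
from typing import List, Optional

# Cloudflare's "6 months" option is taken here as 180 days (assumption).
SIX_MONTHS = 180 * 24 * 3600        # 15552000 seconds
# hstspreload.org requires at least one year of max-age before a domain is
# accepted onto the browser preload list.
PRELOAD_MIN_AGE = 365 * 24 * 3600   # 31536000 seconds


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header_value: str) -> HstsPolicy:
    """Parse an HSTS header value (RFC 6797 section 6.1).

    Directive names are case-insensitive, directives are ';'-separated,
    values may be quoted, and unknown directives are ignored. max-age is
    mandatory and must not be repeated.
    """
    max_age: Optional[int] = None
    include_subdomains = False
    preload = False
    for raw in header_value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, value = directive.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            if max_age is not None:
                raise ValueError("max-age appears more than once")
            if not value.isdigit():
                raise ValueError(f"max-age is not a non-negative integer: {value!r}")
            max_age = int(value)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        raise ValueError("max-age directive is missing")
    return HstsPolicy(max_age, include_subdomains, preload)


def audit_hsts(header_value: Optional[str], min_age: int = SIX_MONTHS) -> List[str]:
    """Return findings for a header value; an empty list means it meets policy.

    Pass None when the HTTPS response carried no HSTS header at all.
    """
    if header_value is None:
        return ["no Strict-Transport-Security header on HTTPS response"]
    try:
        policy = parse_hsts(header_value)
    except ValueError as exc:
        return [f"unparseable HSTS header: {exc}"]
    findings: List[str] = []
    if policy.max_age < min_age:
        findings.append(f"max-age {policy.max_age} is below the {min_age} required by policy")
    if not policy.include_subdomains:
        findings.append("includeSubDomains is missing")
    if not policy.preload:
        findings.append("preload is missing")
    elif policy.max_age < PRELOAD_MIN_AGE:
        findings.append(f"preload is set but max-age {policy.max_age} is below the "
                        f"{PRELOAD_MIN_AGE} hstspreload.org requires")
    return findings


if __name__ == "__main__":
    # Constructed sample header values, not captured from any live host.
    samples = {
        "six months, preload": "max-age=15552000; includeSubDomains; preload",
        "one year, preload": "max-age=31536000; includeSubDomains; preload",
        "one day, bare": "max-age=86400",
    }
    for label, value in samples.items():
        print(f"{label}: {audit_hsts(value) or 'OK'}")
```

To use it against a real deployment, fetch the HTTPS response with any client, pass the `Strict-Transport-Security` value (or `None` if absent) to `audit_hsts`, and check each proxied subdomain as well as the apex, since Cloudflare applies the edge header uniformly but an origin-served header can still differ on a non-proxied host.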
Firewall
Rules
- Rule 1: Block bad bots
- Rule 2: Block all countries except for US
- Rule 3: Test rule.
  - A detailed breakdown of this rule can be found here.
- Rule 4: Exclude known bots
- Rate Limiting:
  - 1,000 requests per 10 seconds, block for 1 minute
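To reason about what the rate-limiting rule above actually does to a burst of traffic (when the block starts, how long it lasts, and that an unrelated client is unaffected), here is an added Python model of a per-client sliding-window limiter with a fixed-length block. It is an illustrative example, not Cloudflare's implementation or the article's own code: Cloudflare's exact counting semantics (per-datacenter counters, whether requests during a block are counted) are not described on the page and may differ. The traffic in `burst_then_wait` is constructed, using documentation addresses from the TEST-NET ranges.

```python
"""Model of the rate-limiting rule listed above: more than 1,000 requests from
one client within 10 seconds triggers a 1-minute block for that client.
Added example; an approximation, not Cloudflare's implementation."""
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple


class RateLimiter:
    """Sliding-window counter per client with a fixed-length block on breach."""

    def __init__(self, threshold: int = 1000, period: float = 10.0, block_for: float = 60.0):
        self.threshold = threshold      # requests allowed within one period
        self.period = period            # trailing window length, seconds
        self.block_for = block_for      # block duration once breached, seconds
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)
        self._blocked_until: Dict[str, float] = {}

    def check(self, client: str, now: float) -> str:
        """Return "allow" or "block" for one request from client at time now (seconds)."""
        until = self._blocked_until.get(client)
        if until is not None:
            if now < until:
                return "block"              # still inside the block period
            del self._blocked_until[client]
            self._hits[client].clear()      # block expired: start counting afresh
        window = self._hits[client]
        window.append(now)
        # Drop requests that have fallen out of the trailing window.
        while window and window[0] <= now - self.period:
            window.popleft()
        if len(window) > self.threshold:
            self._blocked_until[client] = now + self.block_for
            return "block"
        return "allow"


def replay(limiter: RateLimiter, requests: List[Tuple[float, str]]) -> Dict[str, int]:
    """Feed (timestamp, client) pairs in time order and tally decisions per client."""
    tally: Dict[str, int] = defaultdict(int)
    for now, client in sorted(requests):
        tally[f"{client}:{limiter.check(client, now)}"] += 1
    return dict(tally)


def burst_then_wait() -> Dict[str, int]:
    """Constructed traffic: one client fires 1,001 requests in 5 s, then retries
    at 30 s and 70 s; a second client sends 50 requests over the same 10 s."""
    reqs = [(i * 0.005, "203.0.113.5") for i in range(1001)]   # TEST-NET-3 address
    reqs += [(30.0, "203.0.113.5"), (70.0, "203.0.113.5")]
    reqs += [(i * 0.2, "198.51.100.7") for i in range(50)]     # TEST-NET-2 address
    return replay(RateLimiter(), reqs)


if __name__ == "__main__":
    for key, count in sorted(burst_then_wait().items()):
        print(f"{key}: {count}")
```

With the default parameters the 1,001st request inside the window is the first one blocked, the retry at 30 seconds is still blocked, the retry at 70 seconds (past the 1-minute block that began at 5 seconds) is allowed again, and the second client never trips the rule; replaying captured access-log timestamps through `replay` is a quick way to confirm a threshold will not throttle legitimate bursts before enabling it.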
Access
Login Method
OAuth via GitHub (GitHub credentials + YubiKey required).
Access protects internal resources by authenticating against identity providers you already use. With Access, you can control which users and groups can reach sensitive materials without a VPN or making code changes to your site.
The following subdomains are protected with their respective policies:
- Session Duration: 6 hours; Access Group: Administrator
- Session Duration: 15 minutes; Access Group: Administrator
- Session Duration: 6 hours; Access Group: Administrator
Page Rules
Example
- **status.davelevine.io/\***: SSL: Full
- **xen-plex.davelevine.io/\***: Cache Level: Bypass
- HTTP/2: On
- HTTP/3 (with QUIC): On
- 0-RTT Connection Resumption: On
- Email Address Obfuscation: On
- Server-side Excludes: On
- Hotlink Protection: On