As I have just rebuilt the site, I wanted to up some of the security controls in place. After an evening of messing around, we’re now getting great scores on some of the online testers:
Some great results, a few final things to tidy up, but overall I’m really happy with the new controls and monitoring in place.
I’m making some changes to the hosting and configuration of this site; you can see the rough goals below:
- Changing hosting provider from a legacy shared server to a cloud hosting provider with better security and high availability.
- Adding stricter (and end-to-end) encryption to the entire site using a combination of CloudFlare and LetsEncrypt.
- Changing the site’s security / performance configuration to support and enforce:
  - HTTP Strict Transport Security (HSTS)
  - Authenticated Origin Pulls
  - HTTP/2 + SPDY
  - IPv6 Compatibility
  - Scrape Shield
Using various tools, this should actually be quite straightforward. I plan to detail the main stages / steps in some later posts.