Infrastructure

Server-Traffic

Security

Security is important for me. I use:

  • access to our servers (SSH) requires 2-factor authentication (pubkey and password)
  • authorized SSH keys are handed out in hardware (Yubikeys)
  • where supported updates are installed automatically (including automatic reboot when necessary)
  • our domains are DNSSEC signed
  • we support DANE for email traffic
  • statically generated website for a reduced attack surface (with some security headers)
  • HSTS with Preloading
  • we make use of 2-factor authentication for all 3rd-party services where supported (njal.la, 1984.is, stripe, github, twitter, mastodon, …)
  • we make use of CAA, TLSA and SSHFP DNS records
  • we monitor certificate transparency logs for our domain to spot rough certificates