For people going down the TLS path, there's a good test site at https://www.ssllabs.com/ssltest which can validate your config is strong, and you're not running broken TLS setups. retro-kit.co.uk scores an A grade; not quite an A+ but still very good!
Yes, it's not too shabby for a $15 SSL cert and some config on my server. I use the Nartac Software tool to help achieve good scores on sites I host SSL with. https://www.nartac.com/Products/IISCrypto
I also had to use the webringo.com static html version of the webring code because webringo.com does not (and it seems may never) support SSL for their embedding code. In the end, to get a fully secure home page I had to use their code, modified to serve the images from my server rather than theirs.
There's also other things you can add ("Security Headers") to the http response that'll help the browser be secure. It can do things like tell the browser "always use TLS when connecting to this site". They can be checked at https://securityheaders.io - unfortunately none of them are set for retro-kit.co.uk
That's a nice site. In several sites I've built and manage, we use several of those headers (I'm guessing we'd score a C or D for those) but sometimes we find them exceptionally restrictive in what we can and cannot do especially regarding embedding widgets from other sites such as twitter, facebook, addthis, sharethis etc. It's a real battle to find the balance between security and functionality. For retro-kit.co.uk, I'd have to drop some third party widgets to be able to use some of those headers. This is especially painful when you have to manually add more things to those headers every time you want to add a third party widget that is served using an IFRAME or uses a CDN for delivery of content.
I tend to use retro-kit.co.uk as a way of fulfilling part of my hobby and also testing out techniques and methods for other sites I build so I'll probably look at adding some of the headers I'm not familiar with to see what they do; X-Xss-Protection and Referrer-Policy for instance are new to me so playing with them might be fun.
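As an added example, not code from this thread: a small Python audit that lists which of those headers a response lacks (the check securityheaders.io performs) and tests whether a Content-Security-Policy already permits a third-party widget's origin before it is embedded. The sample response, the policy and the Twitter widget origin are constructed for illustration.

```python
from typing import Dict, List
# Headers that securityheaders.io-style scanners look for, and what each one does.
EXPECTED_HEADERS = {
    "strict-transport-security": "tell the browser to always use TLS for this site",
    "content-security-policy": "restrict where scripts, frames and other content load from",
    "x-frame-options": "stop other sites framing this page",
    "x-content-type-options": "stop MIME-type sniffing",
    "referrer-policy": "limit what the Referer header leaks to other sites",
    "x-xss-protection": "legacy browser XSS filter switch",
}

def missing_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return the expected headers absent from a response, names lower-cased."""
    present = {name.lower() for name in headers}
    return sorted(name for name in EXPECTED_HEADERS if name not in present)

def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split 'directive src src; directive src' into {directive: [sources]}."""
    result: Dict[str, List[str]] = {}
    for clause in policy.split(";"):
        parts = clause.split()
        if parts:
            result[parts[0].lower()] = parts[1:]
    return result

def csp_allows(policy: str, directive: str, origin: str) -> bool:
    """True if the policy lets `directive` (e.g. frame-src) load from `origin`.
    Falls back to default-src as browsers do; host matching only (no 'self', nonces)."""
    csp = parse_csp(policy)
    sources = csp.get(directive, csp.get("default-src", []))
    host = origin.split("://", 1)[-1]
    for src in sources:
        src_host = src.split("://", 1)[-1]
        if src == "*" or src_host == host:
            return True
        if src_host.startswith("*.") and host.endswith(src_host[1:]):
            return True
    return False

# Constructed sample: a TLS site that sends none of the headers above.
SAMPLE_HEADERS = {"Content-Type": "text/html; charset=utf-8", "Date": "Sun, 01 Jan 2017 00:00:00 GMT"}
# Constructed policy: own content, plus a Twitter widget served in an IFRAME.
SAMPLE_CSP = ("default-src 'self'; script-src 'self' https://platform.twitter.com; "
              "frame-src https://platform.twitter.com")
if __name__ == "__main__":
    for name in missing_security_headers(SAMPLE_HEADERS):
        print(f"missing {name}: {EXPECTED_HEADERS[name]}")
    print("twitter iframe allowed:", csp_allows(SAMPLE_CSP, "frame-src", "https://platform.twitter.com"))
    print("facebook iframe allowed:", csp_allows(SAMPLE_CSP, "frame-src", "https://www.facebook.com"))
```

Every new widget origin has to be added to the relevant directive (frame-src for IFRAMEs, script-src for CDN-hosted scripts), which is exactly the maintenance cost described above.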
BigEd wrote: There's some advice here about how to go secure - the very easiest way AIUI is to use Cloudflare's free proxy service
Based on some of the things the proxy service does, it's not something I'd consider. For instance, they obfuscate e-mail addresses found in the source of a web page. This would be good except...
/// Cloudflare obfuscates e-mail addresses to stop simple bots from ripping email addresses... It's a simple XOR type algo...
/// <param name="cfEmail">Hex string: a two-digit key byte followed by the XOR-encoded characters.</param>
private string decodeCloudFlareEmail(string cfEmail)
{
    string decodedEmail = "";
    // The first byte is the XOR key; every following byte is one character XORed with it.
    int k = int.Parse(cfEmail.Substring(0, 2), System.Globalization.NumberStyles.HexNumber);
    for (int i = 2; i < cfEmail.Length - 1; i = i + 2)
    {
        decodedEmail = decodedEmail + Convert.ToChar(int.Parse(cfEmail.Substring(i, 2), System.Globalization.NumberStyles.HexNumber) ^ k);
    }
    return decodedEmail;
}
Yes, it's that easy to decode their protection... hmm, I should use StringBuilder in that code...