Here is a small enumeration of the ways that I’ve improved security at bradkovach.com
- Full-time HTTPS is available for all bradkovach.com domains. My certificates are signed by DigiCert.
- HTTP Strict Transport Security is enabled. For compatible browsers (Firefox, Chrome), they should flatly refuse to communicate with bradkovach.com unless HTTPS is available. This affects all subdomains.
- `projects.bradkovach.com` will return 406 Not Acceptable for any clients that do not attempt to communicate over HTTPS.
- `bradkovach.com` will redirect traffic to HTTPS if any requests are made over HTTP. This is a potential security risk as the request path and query string will be exposed prior to the redirect. Since the contents of bradkovach.com are public, the trade-off was made in the interest of convenience.
- I have taken down my public email address and now request that you use my Secure Message form. I will receive your message via email and use PGP to decrypt it. Optionally, you can use this facility to securely send me your public key so that we may begin secure correspondence. By design, no sensitive information is exposed in email headers.
- My Secure Message form is available as a free plugin so that you can also accept encrypted email from your visitors.
- I recommend that your site use HTTPS full-time with this plugin.
- There is no client-side encryption at the moment, which might compromise the security of the message when HTTPS isn’t used.
- It is licensed GPLv2.0 in accordance with its relation to the GPG project as well as WordPress.
- Download and Installation details can be found at the GitHub repository.
- Please feel free to send a pull request if you would like to improve the plugin.
- I will package the plugin for the WordPress Plugin Repository soon.