How to Shield something Like THIS
Everyone (h)as a Sword
Cloudflare Config
Honestly, Cloudflare's default options are already kinda fine. There are just some small settings that are not enabled by default (for some of them I have no idea why).
From the left panel:
- DNS
  - Click on Enable DNSSEC, which provides cryptographic authentication for DNS answers and prevents some attacks (MITM, cache poisoning...).
- SSL/TLS:
  - Overview: Click Configure > Custom TLS/SSL. I use Full (Strict), but the default one could be enough.
  - Edge Certificates:
    - Enable HSTS to force clients to use HTTPS (avoiding the redirection from HTTP).
      - Max Age: 12 months
      - Enable Apply HSTS Policy to Subdomains
      - Enable Preload
      - Enable No-Sniff Header
    - Set "Minimum TLS Version" to TLS 1.3
- Security:
  - You can explore the security options. For this project the bot-detection and anti-abuse options are probably fine, but you can always monitor how everything is going later.
GitHub Project Config
Let's create some custom headers. The site is statically generated, and it's unlikely to get attacks that are impactful enough to care about, but either way it's good to have some basics in place.
In /src/site create a file called _headers and paste the following (the header lines must be indented under the path pattern):

```
/*
  X-Frame-Options: SAMEORIGIN
  Permissions-Policy: document-domain=(self)
```
Open /src/helpers/userSetup.js and add the following inside the userEleventySetup(eleventyConfig) function so the file is copied into the build output:

```javascript
eleventyConfig.addPassthroughCopy("src/site/_headers");
```
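Once the file is deployed it is worth checking that the headers you expect actually arrive for a given path, together with the HSTS and No-Sniff headers the Cloudflare edge adds from the settings above. The following is an added example, not code from the original post or from the Eleventy project: it parses a `_headers` file in the path-pattern-plus-indented-headers format, works out which headers apply to one URL path, and audits the merged set against the policy this guide configures (HSTS max-age of 12 months with subdomains and preload, nosniff, X-Frame-Options, Permissions-Policy). The sample file and the simulated edge headers are constructed here; the assumptions that `*` is the only wildcard and that later matching rules override earlier ones are simplifications of the real format.

```javascript
// Added example (not from the original post): audit security headers for a path.
// Constructed sample `_headers` file mirroring the one in the guide, plus an
// extra rule so that path matching has something to distinguish.
const SAMPLE_HEADERS_FILE = [
  "/*",
  "  X-Frame-Options: SAMEORIGIN",
  "  Permissions-Policy: document-domain=(self)",
  "/admin/*",
  "  X-Robots-Tag: noindex",
].join("\n");

// Constructed stand-in for what the Cloudflare edge adds once HSTS
// (12 months, subdomains, preload) and the No-Sniff header are enabled.
const SIMULATED_EDGE_HEADERS = {
  "strict-transport-security": "max-age=31536000; includeSubDomains; preload",
  "x-content-type-options": "nosniff",
};

// Parse the `_headers` format: a line starting with "/" opens a path pattern,
// following "Name: value" lines belong to that pattern. Header names are
// lower-cased so lookups are case-insensitive like real HTTP headers.
function parseHeadersFile(text) {
  const rules = [];
  let current = null;
  for (const line of text.split("\n")) {
    const t = line.trim();
    if (t === "" || t.startsWith("#")) continue;
    if (t.startsWith("/")) {
      current = { pattern: t, headers: {} };
      rules.push(current);
      continue;
    }
    if (!current) throw new Error(`header before any path pattern: ${t}`);
    const idx = t.indexOf(":");
    if (idx < 1) throw new Error(`malformed header line: ${t}`);
    current.headers[t.slice(0, idx).trim().toLowerCase()] = t.slice(idx + 1).trim();
  }
  return rules;
}

// Assumption: "*" is the only wildcard; everything else is matched literally.
function patternToRegExp(pattern) {
  const escaped = pattern.replace(/[.+?^${}()|[\]\\]/g, "\\$&");
  return new RegExp("^" + escaped.replace(/\*/g, ".*") + "$");
}

// Assumption: every matching rule applies, later rules overriding earlier ones.
function headersForPath(rules, path) {
  const merged = {};
  for (const rule of rules) {
    if (patternToRegExp(rule.pattern).test(path)) Object.assign(merged, rule.headers);
  }
  return merged;
}

// Check the merged headers against the policy this guide configures.
// Returns a list of human-readable findings; an empty list means all good.
function auditHeaders(headers) {
  const findings = [];
  const hsts = headers["strict-transport-security"];
  if (!hsts) {
    findings.push("missing Strict-Transport-Security");
  } else {
    const m = /max-age=(\d+)/i.exec(hsts);
    const maxAge = m ? Number(m[1]) : 0;
    if (maxAge < 31536000) findings.push(`HSTS max-age ${maxAge} is below 12 months`);
    if (!/includeSubDomains/i.test(hsts)) findings.push("HSTS lacks includeSubDomains");
    if (!/preload/i.test(hsts)) findings.push("HSTS lacks preload");
  }
  if ((headers["x-content-type-options"] || "").toLowerCase() !== "nosniff") {
    findings.push("missing X-Content-Type-Options: nosniff");
  }
  const xfo = (headers["x-frame-options"] || "").toUpperCase();
  if (xfo !== "SAMEORIGIN" && xfo !== "DENY") {
    findings.push("X-Frame-Options is not SAMEORIGIN or DENY");
  }
  if (!headers["permissions-policy"]) findings.push("missing Permissions-Policy");
  return findings;
}

// Combine the simulated edge headers with the `_headers` rules for one path.
function auditPath(path) {
  const rules = parseHeadersFile(SAMPLE_HEADERS_FILE);
  return auditHeaders({ ...SIMULATED_EDGE_HEADERS, ...headersForPath(rules, path) });
}

console.log("/index.html findings:", auditPath("/index.html"));
console.log("/admin/settings headers:", headersForPath(parseHeadersFile(SAMPLE_HEADERS_FILE), "/admin/settings"));
```

Against a live deployment you would replace `SIMULATED_EDGE_HEADERS` with the headers returned by a real request to your site. Note that the Preload toggle only emits the `preload` directive; the domain still has to be submitted to the browser preload list separately, which this audit cannot see.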