I'll spare the technical explanations, but here's a list with links of everything that's been implemented:
- HTTPS - Encrypts the communications between your computer and this website
- HSTS - Ensures that your connection to this website will always use HTTPS
- CSP - Blocks malicious scripts that are typically hosted on other (bad) websites
- Referrer-Policy - Prevents another website from knowing the last Sidosi page you visited when you click on a non-HTTPS link to that website
- X-Content-Type-Options - Blocks a method attackers commonly use to upload malicious scripts to a website
- X-Frame-Options - Blocks a common method of other websites pretending to be this website and collecting usernames/passwords
- X-XSS-Protection - Similar to CSP, but for legacy browsers
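To see what the list above means in terms of actual HTTP response headers, here is a small added checker (example code, not part of Sidosi or the Observatory scanner) that audits a dict of response headers for each protection listed. The BEFORE/AFTER header sets are constructed samples, and the pass criteria (HSTS max-age of at least six months, CSP without 'unsafe-inline', a Referrer-Policy that never leaks the URL over a downgrade) are assumptions chosen here, not values from the post.

```python
import re

def audit_security_headers(headers):
    """Return {check_name: True/False} for the protections listed above."""
    # Header names are case-insensitive, so normalise them to lowercase.
    h = {k.lower(): v for k, v in headers.items()}
    result = {}

    # HSTS: Strict-Transport-Security must carry a max-age of >= 6 months
    # (15552000 s, an assumed threshold) or browsers forget it quickly.
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    result["hsts"] = bool(m) and int(m.group(1)) >= 15552000

    # CSP: present, and not undermined by allowing inline scripts.
    csp = h.get("content-security-policy", "")
    result["csp"] = bool(csp) and "'unsafe-inline'" not in csp

    # Referrer-Policy: any value that never sends the full URL over a
    # downgrade (HTTPS -> HTTP) link, which is the leak described above.
    result["referrer_policy"] = h.get("referrer-policy", "").lower() in {
        "no-referrer", "no-referrer-when-downgrade", "same-origin",
        "strict-origin", "strict-origin-when-cross-origin"}

    # X-Content-Type-Options: only "nosniff" has any effect.
    result["x_content_type_options"] = (
        h.get("x-content-type-options", "").lower() == "nosniff")

    # X-Frame-Options: DENY or SAMEORIGIN stop other sites framing the page.
    result["x_frame_options"] = (
        h.get("x-frame-options", "").upper() in {"DENY", "SAMEORIGIN"})

    # X-XSS-Protection: legacy filter, enabled in blocking mode.
    xss = h.get("x-xss-protection", "").replace(" ", "").lower()
    result["x_xss_protection"] = xss.startswith("1;mode=block")
    return result

def grade(headers):
    """Return (checks passed, checks total) for a quick before/after score."""
    res = audit_security_headers(headers)
    return sum(res.values()), len(res)

# Constructed samples: a bare response, and one with all headers set.
BEFORE = {"Content-Type": "text/html", "Server": "Apache"}
AFTER = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
}
```

Feed it the headers of a real response (for example from a requests Response's .headers) to see which items from the list a site still lacks.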
A before and after of several third-party website security scanners that Observatory also runs the website through, with similar improvements in score:
Finally, probably the most noticeable improvement for non-technical people: the "before" part is only visible on Google Chrome, but the "after" part is visible to everyone:
All of this adds up to make Sidosi a much more secure website than before. Ultimately, the goal is to score an A or A+ on the Observatory test, but properly implementing CSP will take some time, and like some other security features I looked into, it may not be possible to fully implement due to technical limitations. To even implement what I did, I had to rip out all of Sidosi's old code, so the pages may look the same, but they're shells of their former selves waiting for the big redesign. Well, at least they're more secure.
Because this update involved changing a lot of things that affect the whole website, please report any issues via the Website Support forum, the Contact form, the Discord, or any other way you know how to contact me.