Security Policy

Futunk is a creative project of Rob Kaper, herinafter also referred to as "Futunk", "we", "us".

The use of plural pronouns in this context is due to the employment of boilerplate language, encompassing both the project and its creator, even if developed by a singular individual.

Despite Futunk's informal nature, I want to assure you that I've taken dedicated measures to ensure the security of both the website and its hosting server. Your privacy and safety are vital concerns.

Best Practices Practised

Server

• Up-to-date software packages
• SSH access by key only
• Firewall with aggressive fail2ban rules

DNS

• DNSSEC
• Transport Layer Security Authentication (TLSA)

E-mail

• Sender Policy Framework (SPF)
• Domain Message Authentication Reporting (DMARC)
• Domain Keys Identified Mail (DKIM)

Web Server

• Content Security Policy (CSP)
• Secure/Same-Site encrypted cookies (SHA256)
• HTTP Strict Transport Security (HSTS), included in Chrome's HTSTS preload list
• Subresource Integrity (SRI)

Website

• Uploads and software resources not in public document root
• User input validation/sanitisation, SQL injection prevention, user content output sanitisation

Authentication

• Encrypted passwords (SHA512) including salt and pepper to prevent rainbow table attacks

Test Results

Results are valid as of 12 February 2024.

• 100% score on Internet.nl Website test
• A+ score on SSL Labs Server Test
• A+ score on Mozilla Observatory
• A+ score on ImmuniWeb (PCI DSS, HIPAA and NIST compliant)
• 0.0 Severity score in OpenVAS Vulnerability Assessment Scanner

Community

Futunk contributes to a safer internet by reporting suspicious activity to AbuseIPDB. Our reporting includes:

• Bots detected by login, signup and comment forms on the website
• Unauthorised SSH login attempts