Security Policy

Futunk is a creative project of Rob Kaper, herinafter also referred to as "Futunk", "we", "us".

The use of plural pronouns in this context is due to the employment of boilerplate language, encompassing both the project and its creator, even if developed by a singular individual.

Despite Futunk's informal nature, I want to assure you that I've taken dedicated measures to ensure the security of both the website and its hosting server. Your privacy and safety are vital concerns.

Best Practices Practised

Server

• Up-to-date software packages
• SSH access by key only
• Firewall with aggressive fail2ban rules

DNS

• DNSSEC
• Transport Layer Security Authentication (TLSA)

E-mail

• Sender Policy Framework (SPF)
• Domain Message Authentication Reporting (DMARC)
• Domain Keys Identified Mail (DKIM)

Web Server

• Content Security Policy (CSP)
• Secure/Same-Site encrypted cookies (SHA256)
• HTTP Strict Transport Security (HSTS), included in Chrome's HTSTS preload list
• Subresource Integrity (SRI)

Website

• Uploads and software resources not in public document root
• User input validation/sanitisation, SQL injection prevention, user content output sanitisation

Authentication

• Encrypted passwords (SHA512) including salt and pepper to prevent rainbow table attacks

While these measures are in place, there's always room for improvement. I'm actively considering further enhancements, such as isolating the web server from other services like DNS and SMTP.

Test Results

Results are valid as of 6 August 2023.

• 0.0 Severity score in OpenVAS Vulnerability Assessment Scanner
• 100% score on Internet.nl Website test
• A+ score on SSL Labs Server Test
• A+ score on Mozilla Observatory