Security Status

Real-time security posture and compliance status for glyph.sh


SSL/TLS Configuration

SSL Rating

Test Your Own Site: SSL Labs

Current Configuration

  • Protocol: TLS 1.3
  • Cipher Suites: Strong ciphers only (no RC4, 3DES, MD5)
  • Certificate: Valid until 2027
  • HSTS: Enabled (max-age=31536000, includeSubDomains, preload)
  • OCSP Stapling: Enabled
  • Perfect Forward Secrecy: Supported

Security Headers

Test Your Own Site: SecurityHeaders.com

Implemented Headers

Content-Security-Policy (CSP)

default-src 'self';
script-src 'self' https://cdn.jsdelivr.net https://kit.fontawesome.com https://ka-f.fontawesome.com 'unsafe-inline';
style-src 'self' https://cdn.jsdelivr.net https://fonts.googleapis.com 'unsafe-inline';
font-src 'self' https://fonts.gstatic.com https://ka-f.fontawesome.com;
img-src 'self' data: https:;
connect-src 'self' https://cdn.jsdelivr.net https://ka-f.fontawesome.com;
frame-ancestors 'none';
base-uri 'self';
form-action 'self'

Strict-Transport-Security (HSTS)

max-age=31536000; includeSubDomains; preload

X-Frame-Options

DENY

X-Content-Type-Options

nosniff

X-XSS-Protection

1; mode=block

Referrer-Policy

strict-origin-when-cross-origin

Permissions-Policy

geolocation=(), microphone=(), camera=()
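As an added example (not the site's own code), the following Python parses the Content-Security-Policy shown above and reports the settings that limit its value against XSS and framing; HARDENED_CSP is a constructed variant with a placeholder hash, not a policy glyph.sh serves.

```python
from typing import Dict, List

# The Content-Security-Policy served by glyph.sh, copied from the page above.
GLYPH_CSP = (
    "default-src 'self'; "
    "script-src 'self' https://cdn.jsdelivr.net https://kit.fontawesome.com "
    "https://ka-f.fontawesome.com 'unsafe-inline'; "
    "style-src 'self' https://cdn.jsdelivr.net https://fonts.googleapis.com 'unsafe-inline'; "
    "font-src 'self' https://fonts.gstatic.com https://ka-f.fontawesome.com; "
    "img-src 'self' data: https:; "
    "connect-src 'self' https://cdn.jsdelivr.net https://ka-f.fontawesome.com; "
    "frame-ancestors 'none'; base-uri 'self'; form-action 'self'"
)

# Constructed hardened variant (not served by the site): inline script allow-listed by a placeholder hash, img-src limited to named hosts.
HARDENED_CSP = GLYPH_CSP.replace(
    "'unsafe-inline'; style-src", "'sha256-PLACEHOLDER_HASH_OF_INLINE_SCRIPT='; style-src"
).replace("img-src 'self' data: https:", "img-src 'self' data: https://cdn.jsdelivr.net")

def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP value into {directive: [sources]}: directives are ';'-separated, names are
    case-insensitive, and a repeated directive is ignored (the first occurrence wins)."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def effective(policy: Dict[str, List[str]], directive: str) -> List[str]:
    """Fetch directives (script-src, img-src, object-src, ...) fall back to default-src."""
    return policy.get(directive, policy.get("default-src", []))

def review_csp(header: str) -> List[str]:
    """Return findings for settings that weaken the XSS and framing protection CSP provides."""
    policy, findings = parse_csp(header), []
    script = effective(policy, "script-src")
    # Browsers that support nonces/hashes ignore 'unsafe-inline' once one is present, so flag it only without one.
    if "'unsafe-inline'" in script and not any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script
    ):
        findings.append("script-src: 'unsafe-inline' without a nonce/hash lets injected inline scripts run")
    if "https:" in effective(policy, "img-src"):
        findings.append("img-src: scheme-wide https: allows image loads from any host")
    # frame-ancestors and base-uri do not fall back to default-src: absent means unrestricted.
    for d in ("frame-ancestors", "base-uri"):
        if d not in policy:
            findings.append(f"{d}: missing, so it is unrestricted")
    return findings
```

Running review_csp(GLYPH_CSP) returns two findings (script-src and img-src), while the hardened variant returns none.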

WHOIS Privacy

Status: Privacy Protected

  • Registrar: Protected via domain privacy service
  • Personal Information: Hidden from public WHOIS
  • Contact: Available through registrar proxy
  • DNS: AWS Route 53 (managed DNS)

CloudFront CDN

Features Enabled:

  • Global edge caching
  • DDoS protection (AWS Shield Standard)
  • HTTPS redirect enforced
  • TLS 1.2 minimum
  • Custom error pages
  • Compression enabled (gzip, brotli)

Edge Locations: 400+ worldwide


Content Integrity

Subresource Integrity (SRI): Enabled

All external resources loaded with integrity checksums:

<link rel="stylesheet" href="/main.min.css"
  integrity="sha256-3foAtX8u+sqBIi3HYUc5HYdBhqEUqgkZRmj5NjA8SiA="
  crossorigin="anonymous">

Infrastructure Security

Hosting

  • Platform: AWS S3 + CloudFront
  • Region: US-East-1 (Primary)
  • Backup: Multi-region replication
  • Access: IAM roles, no root access
  • Logging: CloudTrail + S3 access logs
  • Monitoring: CloudWatch alarms

Deployment

  • CI/CD: GitHub Actions (automated)
  • Secrets: GitHub Secrets (encrypted)
  • Code Review: Required before merge
  • Signed Commits: GPG verified
  • Dependency Scanning: Enabled

Compliance & Standards

  • OWASP Top 10
  • CIS Benchmarks
  • NIST Guidelines
  • GDPR Compliant

Security Features

Active Protections

  • No tracking scripts
  • No third-party analytics
  • No cookies (except essential)
  • No user data collection
  • Privacy-respecting design
  • Open source deployment scripts
  • Documented security.txt
  • PGP encrypted communications available

Attack Mitigation

  • DDoS protection (CloudFront + AWS Shield)
  • Rate limiting on APIs
  • SQL injection: N/A (static site)
  • XSS: Prevented by CSP
  • Clickjacking: Prevented by X-Frame-Options
  • MIME sniffing: Prevented by X-Content-Type-Options

Vulnerability Disclosure

Found a security issue? Please report it responsibly:


External Verification

Test this site yourself using these tools:


Last Updated: October 2025

This page demonstrates transparency in security practices and provides verifiable evidence of security controls.