Thomas Bella
Interests
A+ security rating from SSLLabs.

Security across the entire application layer
In addition to RSA certificates with 3072-bit key length, I prefer using ECDSA certificates to reduce load on both clients and servers.
The cipher suites and signature algorithms a client offers tell the server whether it supports ECDSA or whether the server has to fall back to the RSA certificate.
A custom, context-aware cipher suite strengthens transport security; it is complemented by Forward Secrecy, HSTS preload, security headers such as CSP and Expect-CT, and OCSP.
This website, for example, uses several of these protections.
Another example is the API for uDomainFlag (dfdata.bella.network), which supports both RSA & ECDSA and uses a cipher suite optimized for AES-NI, as it is not accessed from mobile devices.
Note: a 100% score in the SSLLabs test is intentionally not reached, because RFC 8446 (TLS 1.3) explicitly prohibits disabling TLS_AES_128_GCM_SHA256. (#636)
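The following is an added example and not the author's actual configuration: an NGINX server block that implements the pattern described above (an RSA-3072 and an ECDSA certificate side by side, selected by what the client offers, forward-secret ciphers with ECDSA suites first, OCSP stapling, HSTS preload and the security headers). Hostname, file paths, the resolver address and the CSP policy are placeholders.

```nginx
# Added example, not the author's own configuration. Dual-certificate
# NGINX setup (requires NGINX >= 1.11.0 built against OpenSSL >= 1.0.2).
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.invalid;   # placeholder hostname

    # Two chains; NGINX picks the one the client's offered cipher suites
    # and signature algorithms allow: ECDSA for modern clients, RSA as fallback.
    ssl_certificate     /etc/ssl/example/ecdsa-fullchain.pem;      # placeholder path
    ssl_certificate_key /etc/ssl/example/ecdsa-privkey.pem;        # placeholder path
    ssl_certificate     /etc/ssl/example/rsa3072-fullchain.pem;    # placeholder path
    ssl_certificate_key /etc/ssl/example/rsa3072-privkey.pem;      # placeholder path

    ssl_protocols TLSv1.2 TLSv1.3;
    # TLS 1.2 list: ECDHE only (forward secrecy), ECDSA suites ahead of RSA.
    # AES-GCM is listed before ChaCha20 for AES-NI servers that see no mobile
    # clients; swap the order where mobile clients dominate.
    # TLS 1.3 suites are handled by the library and TLS_AES_128_GCM_SHA256
    # stays enabled because RFC 8446 requires it (the SSLLabs 100% caveat).
    ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers on;
    ssl_ecdh_curve X25519:secp384r1:prime256v1;

    # OCSP stapling: the server fetches and attaches the responder's answer,
    # so clients do not have to contact the CA themselves.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/ssl/example/chain.pem;   # placeholder path
    resolver 127.0.0.53 valid=300s;                       # placeholder resolver

    ssl_session_timeout 1d;
    ssl_session_cache shared:TLS:10m;
    ssl_session_tickets off;

    # HSTS meeting the preload-list requirements (>= 1 year, includeSubDomains, preload).
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
    # Minimal CSP placeholder; tighten per site.
    add_header Content-Security-Policy "default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'" always;
    # Expect-CT as mentioned on the page; current Chrome versions no longer evaluate it.
    add_header Expect-CT "max-age=86400, enforce" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    location / {
        root /var/www/example;   # placeholder path
    }
}
```

Verify the negotiated certificate type from a client with `openssl s_client -connect host:443 -cipher ECDHE-RSA-AES256-GCM-SHA384` versus an `ECDHE-ECDSA-...` suite and compare the presented certificate's public key algorithm.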
Security tests from various platforms
Automatic monitoring using
  • Graylog
  • check_mk
  • custom software
Self-hosting with a touch of cloud – without dependency
Instead of relying on web hosting or email services, I manage these services myself, both internally and externally. This allows for fine-tuning to meet my own and users’ needs, as well as increased security by disabling unused functionality, cipher suites, and services.
Deliberate choice of technology
Depending on the use case, I select the right technology. I prefer NGiNX as a web server and Apache2 for customer-facing systems. Depending on the project, I use Go or PHP8. For mail, I run Mailcow or a custom Postfix, Dovecot, and rspamd stack. Databases include MariaDB, SQLite, InfluxDB, Elasticsearch, and PostgreSQL.
Performance through optimization
In 2016, the average website size was already over 2.2 MB. This increases traffic usage and slows down loading. Optimization through compression (gzip, Brotli, Zstd), HTTP caching, HTTP/2 & HTTP/3, 0-RTT, ChaCha prioritization, and prefetching significantly improves performance, even if the size itself can’t be reduced.
Networking – from local to global
My network evolved from a basic USB-UMTS modem to multiple routers, firewalls, access points, VLANs, and VPN connections via WireGuard and BGP. More details at Homelab.
Open source as a shared foundation
I publish parts of my work as open source on GitHub and GitLab. For private projects, I use a self-hosted GitLab instance. For CI-based workflows, I prefer GitLab CI.
Central monitoring and observability
Trust is good, monitoring is better – currently 70 servers are monitored using Graylog, checkmk, and custom software, sending 9900 events per minute to a central SIEM system.
Hobby Photography
I mostly take spontaneous photos during walks or hikes, using my iPhone 16 Pro Max and its default camera app. I rarely post-process them, except occasionally using Google Photos auto-enhance. More photos on my pixelfed profile.