From 5526fb79b96651e868d8bcdc86f02d168008ea3d Mon Sep 17 00:00:00 2001 From: justin Date: Sat, 6 Jun 2026 00:22:59 -0500 Subject: [PATCH] security: harden nginx TLS ciphers (drop SHA-1 CBC -> HIPAA/NIST clean, still A+); document ImmuniWeb free badge + PCI/HIPAA/NIST/GDPR compliance --- docs/vm-security-hardening.md | 28 ++++++++++++++++++++++++++++ 1 file changed, 28 insertions(+) diff --git a/docs/vm-security-hardening.md b/docs/vm-security-hardening.md index 1535593..da0503d 100644 --- a/docs/vm-security-hardening.md +++ b/docs/vm-security-hardening.md 
@@ -58,3 +58,31 @@ Two layers, installed as a persistent, boot-enabled systemd service covers it, but compose-level `127.0.0.1:PORT:PORT` is cleaner. - k8s API (6443) / kubelet (10250): now firewalled; if remote kubectl is ever needed, allow-list the specific admin source IP rather than reopening. + +## Free security badge / scanner (2026-06-06) + +Ran **ImmuniWeb Community Edition** SSL/TLS scan (free, embeddable seal + +live grade page) for performancewest.net. Results: +- **PCI DSS: fully compliant** (all cipher suites + protocols compliant). +- **HIPAA / NIST: compliant** after fix (see below). +- **GDPR: compliant.** Industry best practices: no issues. Post-quantum: + hybrid key-exchange supported. + +### TLS cipher hardening (made HIPAA/NIST perfectly clean) +ImmuniWeb flagged 1 of 9 cipher suites (the SHA-1 MAC CBC suites +`ECDHE-ECDSA-AES{128,256}-SHA`) as non-NIST/HIPAA. The nginx cipher list was +the broad `HIGH:!aNULL:!MD5` repeated across all PW server blocks. Replaced it +globally with an explicit modern list (ECDHE + GCM/CHACHA20 + SHA256/384 CBC, +**no SHA-1**). Verified: SHA-1 CBC suites no longer negotiate, GCM + TLS 1.3 +still work, site serves 200, and **Qualys SSL Labs still A+**. nginx config +backups moved to `/etc/nginx/backups/` (NOT in an include path). + +### Trust badges we can legitimately display (for TrustStrip.astro) +- **Qualys SSL Labs A+** (verify link: ssllabs.com/ssltest) +- **SecurityHeaders.com A** +- **ImmuniWeb: PCI DSS / HIPAA / NIST / GDPR compliant TLS** (seal + report) +- **Payments by Stripe (PCI DSS Level 1)** +- **256-bit TLS, HSTS preloaded** +- **Hosted in a SOC 2 Type II compliant data center** +TODO: TrustedSite (ex-McAfee SECURE) free tier needs a signup to get the +daily-scan trustmark image - add later if an image seal is wanted.
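Review bot: the "TLS cipher hardening" paragraph describes the new cipher list only in words ("ECDHE + GCM/CHACHA20 + SHA256/384 CBC, no SHA-1") and never records the actual `ssl_ciphers` directive, which server blocks or include file it went into, or the `ssl_protocols` value in force, so a later reader cannot verify the "no SHA-1" claim or redo the change after a config rebuild. Paste the exact `ssl_ciphers` line (plus `ssl_prefer_server_ciphers` / `ssl_protocols` if they were touched) into the doc, and record the check used to confirm that `ECDHE-ECDSA-AES{128,256}-SHA` no longer negotiates (for example the `openssl s_client -cipher` invocation and its result) so the verification is repeatable rather than a one-line "Verified:". Two smaller points in the same hunk: the SHA256/384 CBC suites retained in the list are still TLS 1.2 CBC suites, so the heading and text should say that only the SHA-1 MAC suites were dropped, not CBC as a class; and in the badge list, "Hosted in a SOC 2 Type II compliant data center" and the ImmuniWeb compliance line should name the evidence behind them (the host's report, the scan date and report link), since the PCI/HIPAA/NIST/GDPR results above come from a TLS configuration scan of the endpoint and say nothing about the application or the organisation.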