security: harden nginx TLS ciphers (drop SHA-1 CBC -> HIPAA/NIST clean, still A+); document ImmuniWeb free badge + PCI/HIPAA/NIST/GDPR compliance

docs/vm-security-hardening.md

@@ -58,3 +58,31 @@ Two layers, installed as a persistent, boot-enabled systemd service
   covers it, but compose-level `127.0.0.1:PORT:PORT` is cleaner.
 - k8s API (6443) / kubelet (10250): now firewalled; if remote kubectl is ever
   needed, allow-list the specific admin source IP rather than reopening.
+
+## Free security badge / scanner (2026-06-06)
+
+Ran **ImmuniWeb Community Edition** SSL/TLS scan (free, embeddable seal +
+live grade page) for performancewest.net. Results:
+- **PCI DSS: fully compliant** (all cipher suites + protocols compliant).
+- **HIPAA / NIST: compliant** after fix (see below).
+- **GDPR: compliant.** Industry best practices: no issues. Post-quantum:
+  hybrid key-exchange supported.
+
+### TLS cipher hardening (made HIPAA/NIST perfectly clean)
+ImmuniWeb flagged 1 of 9 cipher suites (the SHA-1 MAC CBC suites
+`ECDHE-ECDSA-AES{128,256}-SHA`) as non-NIST/HIPAA. The nginx cipher list was
+the broad `HIGH:!aNULL:!MD5` repeated across all PW server blocks. Replaced it
+globally with an explicit modern list (ECDHE + GCM/CHACHA20 + SHA256/384 CBC,
+**no SHA-1**). Verified: SHA-1 CBC suites no longer negotiate, GCM + TLS 1.3
+still work, site serves 200, and **Qualys SSL Labs still A+**. nginx config
+backups moved to `/etc/nginx/backups/` (NOT in an include path).
+
+### Trust badges we can legitimately display (for TrustStrip.astro)
+- **Qualys SSL Labs A+** (verify link: ssllabs.com/ssltest)
+- **SecurityHeaders.com A**
+- **ImmuniWeb: PCI DSS / HIPAA / NIST / GDPR compliant TLS** (seal + report)
+- **Payments by Stripe (PCI DSS Level 1)**
+- **256-bit TLS, HSTS preloaded**
+- **Hosted in a SOC 2 Type II compliant data center**
+TODO: TrustedSite (ex-McAfee SECURE) free tier needs a signup to get the
+daily-scan trustmark image - add later if an image seal is wanted.