====== Exquisite Security ======

Protecting the Exquisite community is paramount to us, on every level. This document highlights the more technical measures we have taken to secure the Mastodon instance.

==== High-level ====

  * We regularly patch and install updates,
  * We work through the least privilege model,
  * We use encryption wherever possible,
  * Processes are thoroughly isolated,
  * The security is continuously monitored.

{{ :infra:security.png?nolink |}}

=== Server ===

  * The OS and software are updated every week (Thursdays, 22:00 - 23:59 CEST),
  * The storage on the server is fully encrypted (using ''AES-XTS-256''),
  * The server solely runs Mastodon and the required stack, thus avoiding additional attack surface.

=== Web front-end ===

  * Any plain-text (HTTP) traffic is redirected to the TLS-secured counterpart (HTTPS),
  * TLS (or more specifically: TLSv1.2 and TLSv1.3) is used for transit encryption - with HSTS and robust ciphers,
  * OCSP stapling is enabled,
  * TLS session tickets are disabled (at least until Nginx fixes this properly).

=== Networking ===

  * The server itself is strictly firewalled (using ''pf(8)''), both egress and ingress - on a daemon/service level,
  * Internal service communication is encrypted (e.g. Mastodon is configured to connect to the local PostgreSQL server using TLS).

=== Etc ===

  * Backups are made every 24 hours, using a 'pull mechanism'. The Mastodon server does NOT have access to the backup repository,
  * SSH is hardened (PKI authentication, MFA via hardware tokens),
  * SSH ciphers are hardened.

====== Account security ======

The security of your account is paramount to us. However, it is only as strong as the weakest link. In this article, we explain the basics of account security.

  * Use a strong and unique password, preferably by using a password manager
  * Enable multi-factor authentication
  * Make sure your contact address is kept up to date

==== Passwords ====

Use a strong and unique password for your account.
Mind you: this is not exclusive to Exquisite or Mastodon. We highly recommend use of a password manager - as this helps to create and securely store a larger number of credentials and sensitive information.

If you are completely new to password managers: a solid recommendation is either [[https://keepassxc.org|KeePassXC]] or [[https://bitwarden.com|Bitwarden]]. The latter has a self-hostable server implementation in Rust, dubbed [[https://github.com/dani-garcia/vaultwarden|Vaultwarden]].

==== MFA ====

MFA - or Multi-Factor Authentication - drastically limits the consequences of a stolen password. It adds a different and unique factor to the authentication process. TOTP is the most often seen second factor; it generates a time-limited token of six characters. Mastodon supports both TOTP and FIDO2 / WebAuthn. The latter is more secure, but requires a hardware token.

In order to set up TOTP or FIDO2, please [[https://exquisite.social/settings/two_factor_authentication_methods|follow this link]].

=== Recommendations for TOTP ===

  * **Android:** [[https://getaegis.app|Aegis]]
  * **iOS/iPadOS:** [[https://raivo-otp.com|Raivo]]

==== Direct messages ====

Direct messages on Mastodon are not end-to-end encrypted. Therefore, they should not be relied on to exchange sensitive communication.