====== Exquisite.social Security ======
Protecting the Exquisite community is paramount to us, on every level. This document highlights the more technical measures we have taken to secure the Mastodon instance.
==== High-level ====
* We regularly patch and install updates,
* We work according to the least-privilege model,
* We use encryption wherever possible,
* Processes are thoroughly isolated,
* The security is continuously monitored.
{{ :infra:security.png?nolink |}}
=== Server ===
* The OS and software are updated every week (Thursdays, 22:00 - 23:59 CEST),
* The storage on the server is fully encrypted (using ''AES-XTS-256''),
* The server runs only Mastodon and its required stack, which avoids additional attack surface.
=== Web front-end ===
* Any plain-text (HTTP) traffic is redirected to its TLS-secured counterpart (HTTPS),
* TLS (or more specifically: TLSv1.2 and TLSv1.3) is used for transit encryption - with HSTS and robust ciphers,
* OCSP stapling is enabled,
* TLS session tickets are disabled (at least until Nginx fixes this properly).
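
A small check for the front-end measures listed above, added here as an example (not the instance's own tooling or configuration): it scans nginx configuration text for the redirect, protocol, HSTS, OCSP stapling and session-ticket settings and reports which are missing. The sample config, the host name ''example.invalid'' and the function names are constructed for illustration; the parser is flat, so it ignores which ''server'' block a directive sits in and does not follow ''include'' files.

```python
import re

# Constructed sample, not the instance's real configuration.
SAMPLE_CONF = """
server {
    listen 80;
    server_name example.invalid;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name example.invalid;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_tickets off;
    ssl_stapling on;
    add_header Strict-Transport-Security "max-age=63072000" always;
}
"""

DIRECTIVE = re.compile(r'(?m)^\s*([a-z_]+)\s+((?:"[^"]*"|[^;{}"])+);')

def directives(conf):
    """Map each simple directive name to the list of its argument strings."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments (assumes no '#' inside quotes)
    found = {}
    for name, args in DIRECTIVE.findall(conf):
        found.setdefault(name, []).append(args.strip())
    return found

def audit(conf):
    """Return the front-end measures listed on the page that the config lacks."""
    d = directives(conf)
    protocols = set(" ".join(d.get("ssl_protocols", [])).split())
    checks = {
        "HTTP redirected to HTTPS": any(
            re.match(r"30[178]\s+https://", a) for a in d.get("return", [])),
        "only TLSv1.2/TLSv1.3": bool(protocols) and protocols <= {"TLSv1.2", "TLSv1.3"},
        "HSTS header": any(
            a.lower().startswith("strict-transport-security")
            for a in d.get("add_header", [])),
        "OCSP stapling on": d.get("ssl_stapling") == ["on"],
        "session tickets off": d.get("ssl_session_tickets") == ["off"],
    }
    return [name for name, ok in checks.items() if not ok]

if __name__ == "__main__":
    print(audit(SAMPLE_CONF) or "all front-end checks passed")
```

A directive that is absent counts as a failure, because nginx enables session tickets and leaves OCSP stapling off unless told otherwise.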
=== Networking ===
* The server itself is strictly firewalled (using ''pf(8)''), both egress and ingress - on a daemon/service level,
* Internal service communication is encrypted (e.g. Mastodon is configured to connect to the local PostgreSQL server using TLS).
=== Etc ===
* Backups are made every 24 hours, using a 'pull mechanism'. The Mastodon server does NOT have access to the backup repository,
* SSH is hardened (PKI authentication, MFA via hardware tokens),
* SSH ciphers are hardened.