infra:socialsec [Exquisite.network]

Protecting the Exquisite community is paramount to us, on every level. This document highlights the more technical measures we have taken to secure the Mastodon instance.

We regularly patch and install updates,
We work through the least priviledge model,
We use encryption wherever possible,
Processes are thoroughly isolated,
The security is continuously monitored.

Server

The OS and software is updated every week (Thursdays, 22:00 - 23:59 CEST),
The storage on the server is fully encrypted (using AES-XTS-256),
The server solely runs Mastodon and the required stack, thus preventing additional attack surface.

Web front-end

Any plain-text (HTTP) traffic is redirected to the TLS secure counterpart (HTTPS),
TLS (or more specifically: TLSv1.2 and TLSv1.3) is used for transit encryption - with HSTS and robust ciphers,
OCSP stapling is enabled,
TLS session tickets are disabled (at least until Nginx fixes this properly).

Networking

The server itself is strictly firewalled (using pf(8)), both egress and ingress - on a daemon/service level,
Internal service communication is encrypted (eg: Mastodon is configured to connect to the local PostgreSQL server using TLS).

Etc

Backups are made every 24 hours, using a 'pull mechanism'. The Mastodon server does NOT have access to the backup repository,
SSH is hardened (PKI authentication, MFA via hardware tokens),
SSH ciphers are hardened.