Follow

Is HTTP Basic enough to protect a personal website I'd want to keep off the public eye?

It's just HTML and CSS. No JS. I might go ahead and disallow *any* JavaScript at all using a CSP too.

Do these two measures go far enough?

@celia I would like to know too. I turned on everything that MDN recommended for CSP and added request, rate limit on nginx as well as activated fail2ban to catch bot IPs. But it’s public. I was looking into setting up wireguard tunnel for using some services without exposing it to the internet but haven’t done anything on it.

@thumb My use case is a personal blog that I hand out to some friends, and they access it with a common username/password.

I want to keep the how-to-access-this-privately as simple as possible behind the scenes.

Do your services not depend on JS?

@celia They do but it’s on a pi which is not exposed. Yet.

@celia Assuming you are using HTTPS to protect the credentials (as they are sent in plaintext) and a strong enough password, then yes. Note that there is no way to log out (except maybe clearing website data from browser), so be careful of logging in on a shared browser.

@nicd Wonderful, thanks for that last tip -- this is the kind of FYI I was hoping to get. :)

So it's not fool-proof and getting my friends to comply will be a hard task. I need to factor that in.

@thumb

@celia it's based on how important data you have there. I'm using certificate authentication on sites I want to keep secret mostly and I used http authentication maybe twice. With certificates I can ensure from which computer and person can connect to my site (in company) as he can't pass password to another person and can't export private key from it's computers....

@emma My friends are all non-tech. I cannot use public/private keypairs at all.

Is there something that you know that will make it easy for the average person?

I considered building a small backend that is capable of creating and authenticating user accounts -- but that's no improvement over Basic Auth as the password can be passed around anyway.

@celia You can generate certificate from them and you can entrust one person there to install certificate from them (yes its most secure to sign requests and then pass public key to users but no for non technicla person)

For companies that we outsourcing i installing certificates trough remote desktop to users that need to have access.

There is nice GUI app -> XCA which can help you to create certificates.

@celia Basic Auth over HTTPS should be fine for this use case. Use individual usernames/passwords for each user, not shared credentials. Are you operating the web server yourself?

@christopher Yes, the web server will be in my control. Thanks for the tip on uinque username/password pairs.

I am also considering encrypting my data at rest (on the server), sending it so (encrypted), and decrypting it in the browser with maybe a tiny bit of JS. This would be symmetrical, so no public/private keypairs.

I haven't thought that system through, but I'd also like for this info to be protected at rest in case of an intrusion.

@celia You might also want to make sure there are no hyperlinks to the personal website from other public websites, otherwise the website address may be discoverable through search engines.

It wouldn't hurt to set up a robots.txt line to disallow crawling for all content.

User-agent: * Disallow: /

@celia

security.stackexchange.com/que

Standard reply: "it depends" 🤓

- For pictures of your cat: yes
- For copies of your passport and your mortgage, I wouldn't (leave it for longer then needed)

#security is a headache

@celia Basic authentication does what it claims to do, which is only serve files to people who have a valid username/password. The authentication credentials are not encrypted unless you also use https, though, so depending on what you're protecting and from whom, you might want to add a Lets Encrypt cert.

@celia yes, provided that your connection is encrypted (i.e. you use TLS so nobody can eardrop the connection traffic).

@celia
It is totally OK. The benefit is, it comes directly from the Web server, no Web code involved, so no self-made bugs 😎

Sign in to participate in the conversation
Fosstodon

Fosstodon is an English speaking Mastodon instance that is open to anyone who is interested in technology; particularly free & open source software.