security posture

/security

Six defensive layers between the internet and your data — documented in full, with nothing to install and nothing to take on faith. Every claim on this page can be independently verified, and the panel on the right is your own browser doing exactly that, right now.

A+ · securityheaders.com A+ · SSL Labs A+ · Mozilla Observatory
your browser → itzgee.com · live headers

requesting…

defence in depth

Six layers, in order of contact.

Security here isn't one wall — it's a sequence of independent ones. An attacker has to beat every layer below, in order, without tripping the monitoring that watches all of them.

The edge

All public traffic terminates at a hardened edge before it ever reaches our hardware. Plain HTTP is refused with a redirect, TLS 1.2 is the floor with 1.3 preferred, and traffic is re-encrypted — and the origin certificate re-verified — on the private leg to the server.

  • TLS 1.3
  • HTTP refused at edge
  • origin cert validation

The origin

The web tier sends a strict Content Security Policy built on default-src none — nothing loads unless explicitly allowed, and no inline code exists anywhere on the site. HSTS instructs browsers to refuse insecure connections for two years. Version banners are suppressed.

  • CSP: default-src none
  • zero inline code
  • HSTS preload
  • no version disclosure

The containers

Every application runs in an isolated Docker container joined only to the internal networks it needs. Nothing is published directly to the internet; the reverse proxy is the single doorway. Host firewalls default-deny all unsolicited traffic on both servers.

  • isolated per-app containers
  • single proxied doorway
  • default-deny firewalls

The identity layer

One identity provider fronts every application — there are no per-app passwords to leak. Accounts exist by invitation only, and two-factor authentication is enrolled as part of account creation, not offered as an afterthought. Enrolment and recovery flows carry bot-resistant challenges.

  • Authentik SSO
  • invite-only
  • TOTP MFA at enrolment
  • bot-resistant flows

The mesh

The two sites communicate exclusively across an encrypted WireGuard tunnel with cryptographic peer identity — no passwords, no exposed login surface, forward-secret session keys refreshed every few minutes. Management interfaces exist only on the tunnel and loopback.

  • WireGuard
  • ChaCha20-Poly1305
  • forward secrecy
  • no public admin ports
how the mesh works, in depth →

The safety net

The secondary site pulls encrypted backups from the primary nightly — a pull model, so the primary holds no credentials to the backup store and a compromised primary cannot reach its own backups. Snapshots are AES-256 encrypted before leaving the source machine. A third off-site encrypted copy is being provisioned.

  • restic
  • AES-256 before transit
  • pull-based
  • third copy: provisioning

identity

One door, properly guarded.

Most breaches walk in through authentication. This platform's answer is to have exactly one authentication system — and make it uncompromising.

no public signup
Accounts are created by invitation. There is no registration form for bots to hammer and no self-service surface to abuse.
mfa from day one
Two-factor authentication (TOTP — authenticator app) is part of enrolment itself. No account has ever existed here without it.
one login, no password sprawl
Applications accept single sign-on exclusively. Local application passwords are disabled — there is one credential to protect, protected properly.
bot-resistant flows
Sign-in and recovery flows carry an invisible challenge that filters automated attacks without the traffic-light puzzles.
transactional email only
The platform emails you for enrolment, recovery and security events — nothing else. No marketing, ever.

data & privacy

UK-resident. No third-party trackers.

The honest answers to the questions that matter, stated plainly enough to be held against us.

where data lives
On our own hardware in two UK data centres — Coventry and Maidenhead. Encrypted backups stay within this footprint; an additional encrypted-before-upload off-site copy is being provisioned.
advertising & profiling
None, ever. No advertising pixels, no fingerprinting, no social embeds, no data brokers, and nothing that follows you to other websites.
analytics
Self-hosted only. Umami — an open-source, privacy-focused analytics tool — runs on our own UK hardware. It counts page views anonymously, sets no cookies, and sends nothing to any third party: Google, Meta and friends never hear about your visit.
cookies
This website sets none — and self-hosted Umami analytics won’t change that; it is cookieless by design. Authentication uses session cookies strictly necessary for login, issued by our own identity service on our own domain.
who can read your files
Services encrypt data at rest on our hardware, and backups are encrypted before they leave the machine. The off-site provider, when live, receives ciphertext it cannot decrypt.
what we can see
Standard operational logs — request metadata, service health, authentication events — kept for defence and debugging, not profiling. Analytics, once live, shows us page counts, not people.

threat model

What this design is built to stop.

Password stuffing / credential leaks

No public signup, no per-app passwords, mandatory MFA — a leaked password list has nothing here to match against.

Injected or malicious scripts (XSS)

The CSP forbids all inline code and every unlisted origin. A script that isn’t ours has nowhere to run.

Clickjacking / framing tricks

frame-ancestors none — this site cannot be embedded inside another page, full stop.

Downgrade / interception attacks

HSTS with a two-year lifetime means browsers refuse plain-HTTP connections outright, even on first click of an old link.

Attacks on the site-to-site link

The mesh has no login surface to attack and refreshes forward-secret keys every few minutes. Recorded traffic is worthless later.

Primary-site compromise reaching backups

Backups are pulled by the secondary. The primary holds no credentials to the backup store — it cannot delete or encrypt its own history.

verification

Don't take our word for it.

These three independent scanners audit this site live — each link runs a fresh scan against itzgee.com:

Prefer the terminal? Inspect the security headers yourself:

curl -sI https://itzgee.com | grep -iE 'strict|security-policy|x-frame|x-content'