Before the end of April 2019, I plan to do some work and experiments on the forums, since this is the most active site I run. I hope
that it won't break anything, but I can't promise. Among these are:
- Upgrading to phpBB 3.2.5 (or whatever is current when I upgrade)
- Adding Content-Security-Policy (CSP) headers to limit from where your browser can pull resources
- Adding a Feature-Policy header
- Adding a CAA DNS record to prevent certificate authorities other than those allowed from issuing certs
- (Maybe) Adding an Expect-CT header to trigger the browser to make sure the site's certificate is in published certificate transparency logs
- Setting up header reporting so I can see errors
My goal here is first to get some basic practical experience with these and, at the same time, improve security while you're visiting the forums. A secondary goal is to improve your privacy and experience. For example, I plan to use the Feature-Policy header to disable camera, microphone, and payment APIs, as well as media autoplay. The first three are entirely about potential compromise of the forums (which would likely happen through PHP code changes, while modifying headers would require root access), while the autoplay restriction is a quality-of-life thing. Feature-Policy is still new and in development, and no browser completely supports all of it, so that is the most likely to cause issues.
I'll provide more updates as things happen so you can report any issues more effectively. If you run into any questions or problems, send them my way.
If I show up at your door, chances are you did something to bring me there.
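As an added example (not part of the original post and not the forum's actual configuration), the script below shows what the planned changes look like as concrete values and how to sanity-check them before deploying: it lints a Content-Security-Policy for the usual weaknesses, confirms a Feature-Policy actually switches off camera, microphone, payment and autoplay, decides whether a given CA is allowed by a CAA RRset (RFC 8659 issue/issuewild semantics), and condenses a CSP violation report of the kind a report-uri endpoint receives. The host forums.example, the /csp-report and /ct-report paths, the CAA records and the violation report are all constructed for illustration.

```python
import json

# Assumed header values for illustration only (not the forum's real configuration).
# The host forums.example and the /csp-report and /ct-report paths are hypothetical.
WEAK_CSP = "default-src * 'unsafe-inline' 'unsafe-eval'; img-src *"
HARDENED_HEADERS = {
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self'; style-src 'self'; "
        "img-src 'self' data:; object-src 'none'; frame-ancestors 'none'; "
        "report-uri /csp-report"
    ),
    # Feature-Policy as described in the post: camera, mic, payment and autoplay off.
    # (Newer browsers use the Permissions-Policy header, which has a different syntax.)
    "Feature-Policy": "camera 'none'; microphone 'none'; payment 'none'; autoplay 'none'",
    # Expect-CT: require SCTs for a day and report failures.
    "Expect-CT": 'max-age=86400, enforce, report-uri="https://forums.example/ct-report"',
}
# Constructed CAA RRset as (flags, tag, value): only Let's Encrypt may issue,
# nobody may issue wildcard certificates, and violation reports go to the iodef address.
CAA_RECORDS = [
    (0, "issue", "letsencrypt.org"),
    (0, "issuewild", ";"),
    (0, "iodef", "mailto:admin@forums.example"),
]
# Constructed report-uri POST body (Content-Type: application/csp-report).
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "https://forums.example/viewtopic.php?t=1",
    "violated-directive": "script-src 'self'",
    "effective-directive": "script-src",
    "blocked-uri": "https://cdn.example/tracker.js",
}})

PRIVACY_FEATURES = ("camera", "microphone", "payment", "autoplay")


def parse_directives(value):
    """Split a CSP or Feature-Policy header into {directive: [tokens]}.
    Both headers share the 'name token token; name token' grammar."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def csp_findings(value):
    """Return human-readable weaknesses in a CSP value (empty list = nothing found)."""
    policy = parse_directives(value)
    findings = []
    if "default-src" not in policy:
        findings.append("no default-src fallback: unlisted fetch directives allow any origin")
    # script-src falls back to default-src when absent, so lint the effective list.
    script = policy.get("script-src", policy.get("default-src", []))
    for weak in ("'unsafe-inline'", "'unsafe-eval'", "*", "http:", "data:"):
        if weak in script:
            findings.append(f"script-src permits {weak}")
    if "object-src" not in policy and "'none'" not in policy.get("default-src", []):
        findings.append("object-src not locked down (plugin content can run script)")
    if "frame-ancestors" not in policy:
        findings.append("no frame-ancestors: page can be framed (clickjacking)")
    if "report-uri" not in policy and "report-to" not in policy:
        findings.append("no report-uri/report-to: violations will be invisible")
    return findings


def feature_policy_findings(value):
    """List the privacy-sensitive features the post wants off that are not set to 'none'."""
    policy = parse_directives(value)
    return [f"{feat} not disabled" for feat in PRIVACY_FEATURES if policy.get(feat) != ["'none'"]]


def caa_permits(records, ca_domain, wildcard=False):
    """Decide whether a CA may issue for a name given that name's CAA RRset.
    RFC 8659: issuewild governs wildcard names when any issuewild record exists,
    otherwise issue applies; a value of ';' denies everyone; an RRset with no
    applicable records permits any CA. (Climbing to parent names is not modelled.)"""
    tag = "issuewild" if wildcard and any(t == "issuewild" for _, t, _ in records) else "issue"
    allowed = [v for _, t, v in records if t == tag]
    if not allowed:
        return True
    # Strip optional parameters such as "letsencrypt.org; validationmethods=dns-01".
    return any(v.split(";")[0].strip().lower() == ca_domain.lower() for v in allowed)


def summarize_csp_report(body):
    """Reduce a report-uri POST body to the fields worth logging; tolerates missing keys."""
    report = json.loads(body).get("csp-report", {})
    return {
        "document": report.get("document-uri", "?"),
        "directive": report.get("effective-directive") or report.get("violated-directive", "?"),
        "blocked": report.get("blocked-uri", "?"),
    }


if __name__ == "__main__":
    print("weak CSP:", csp_findings(WEAK_CSP))
    print("hardened CSP:", csp_findings(HARDENED_HEADERS["Content-Security-Policy"]))
    print("feature policy:", feature_policy_findings(HARDENED_HEADERS["Feature-Policy"]))
    print("CAA letsencrypt.org:", caa_permits(CAA_RECORDS, "letsencrypt.org"))
    print("CAA wildcard:", caa_permits(CAA_RECORDS, "letsencrypt.org", wildcard=True))
    print("report:", summarize_csp_report(SAMPLE_REPORT))
```

Running the script prints six findings for the weak policy and none for the hardened one, confirms the Feature-Policy disables all four features, shows that the CAA set lets Let's Encrypt issue ordinary but not wildcard certificates, and reduces the sample report to the document, directive and blocked URI. A reporting endpoint receiving real reports should expect noise from browser extensions and should rate-limit, since anyone can POST to it.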