Security on a website is a hundred small defaults set correctly. Most shared hosts set them somewhere between wrong and absent. This network ships with them on, documented, and boring.
If the front door of your site still does TLS 1.0 or exposes RC4, a bot found it three hours ago. Here, those options do not exist.
TLS 1.3 preferred, TLS 1.2 kept as the fallback for very old clients. Strong ciphers only; RC4 and the rest of the legacy suites are not offered. Nothing below 1.2 is enabled at all, so there is no weaker protocol for a downgrade attack to land on.
Qualys SSL Labs rating: A+

Strict Transport Security with the preload flag. Once the domain is in the browser preload list, browsers refuse plain HTTP for it before the first visit ever happens; until that list entry ships, the header still pins every visit after the first. The preload list requires a max-age of at least one year, includeSubDomains and the preload directive.
max-age 63072000 (two years)

Certificates cover the apex plus every subdomain and auto rotate every 60 days, well inside the 90 day lifetime Let's Encrypt issues for. OCSP stapling is enabled at the edge; note that Let's Encrypt has since retired its OCSP responders in favour of CRLs, so newer Let's Encrypt certificates carry no OCSP URL and there is nothing to staple for them.
Auto rotation, always on

Certificate Authority Authorization DNS records pin issuance to Let's Encrypt only. Every publicly trusted CA is required to check CAA before issuing, so a request for your domain at any other CA is refused. What CAA cannot do is stop someone who controls your DNS from rewriting the record first, so it is a fence rather than a guarantee.
CAA 0 issue "letsencrypt.org"

These headers are the difference between a site that resists a stray script and one that drops its pants on first request.
Baseline CSP shipped with every site: no 'unsafe-inline' and no 'unsafe-eval' in script-src, so inline scripts and eval() are blocked by default. Per site overrides for legitimate embeds.
X-Frame-Options: SAMEORIGIN and X-Content-Type-Options: nosniff. Clickjacking from another origin and content type confusion do not land.
Referrer-Policy: strict-origin-when-cross-origin. Permissions-Policy turns camera, microphone and geolocation off unless they are explicitly granted per site.
nginx limit_req on admin paths, login endpoints and form handlers. Single-source brute force slows from thousands of guesses a minute to whatever the limit allows; a distributed attacker still has to beat the password itself, so this shrinks the brute force surface rather than removing it.
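The check a practitioner would run against the header baseline above, as an added example that is not the provider's own audit tooling: it parses a raw response header block and reports every way it falls short of HSTS-preload readiness, a CSP without inline script or eval, framing and sniffing protection, the referrer policy and the locked-down Permissions-Policy. Both header blocks are constructed for the example, not captured from any site.

```python
"""Check a raw HTTP response header block against the baseline described above."""
from __future__ import annotations
import re

# Constructed sample response from a site that ships the baseline (not a capture from any real host).
GOOD_HEADERS = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'self'
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
"""

# Constructed sample of a typical shared-host default: no HSTS, a CSP that permits everything.
WEAK_HEADERS = """\
HTTP/1.1 200 OK
Content-Type: text/html
Content-Security-Policy: default-src *; script-src * 'unsafe-inline' 'unsafe-eval'
X-Frame-Options: ALLOWALL
Referrer-Policy: unsafe-url
"""

PRELOAD_MIN_MAX_AGE = 31536000  # the browser preload list requires at least one year
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}
LOCKED_FEATURES = ("camera", "microphone", "geolocation")


def parse_headers(raw: str) -> dict[str, str]:
    """Map lowercased header names to values; skips the status line, joins repeats with ', '."""
    out: dict[str, str] = {}
    for line in raw.splitlines()[1:]:
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        out[name] = f"{out[name]}, {value}" if name in out else value
    return out


def csp_directive(csp: str, name: str) -> list[str] | None:
    """Return the lowercased source list of one CSP directive, or None if it is absent."""
    for part in csp.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == name:
            return [t.lower() for t in tokens[1:]]
    return None


def audit_headers(raw: str) -> list[str]:
    """Return findings against the baseline; an empty list means the baseline is met."""
    h = parse_headers(raw)
    findings: list[str] = []

    hsts = h.get("strict-transport-security", "")
    if not hsts:
        findings.append("HSTS missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.I)
        max_age = int(m.group(1)) if m else 0
        if max_age < PRELOAD_MIN_MAX_AGE:
            findings.append(f"HSTS max-age {max_age} is below the one-year preload minimum")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains (required for preload)")
        if "preload" not in hsts.lower():
            findings.append("HSTS lacks the preload directive")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing")
    else:
        # script-src falls back to default-src when it is not set, as browsers do.
        script = csp_directive(csp, "script-src")
        if script is None:
            script = csp_directive(csp, "default-src") or []
        for bad in ("'unsafe-inline'", "'unsafe-eval'", "*"):
            if bad in script:
                findings.append(f"CSP script-src allows {bad}")

    # Either a CSP frame-ancestors directive or a restrictive X-Frame-Options stops cross-origin framing.
    has_frame_ancestors = csp is not None and csp_directive(csp, "frame-ancestors") is not None
    if not has_frame_ancestors and h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("no clickjacking protection (frame-ancestors or X-Frame-Options)")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")

    # Referrer-Policy may list fallbacks; the last value is the one a modern browser applies.
    referrer = h.get("referrer-policy", "").split(",")[-1].strip().lower()
    if referrer not in SAFE_REFERRER:
        findings.append(f"Referrer-Policy {referrer or 'missing'!r} leaks more than strict-origin-when-cross-origin")

    pp = h.get("permissions-policy")
    if pp is None:
        findings.append("Permissions-Policy missing")
    else:
        for feature in LOCKED_FEATURES:
            m = re.search(rf"\b{feature}=(\([^)]*\)|\S+)", pp)
            if m is None:
                findings.append(f"Permissions-Policy does not mention {feature}")
            elif m.group(1) != "()":
                findings.append(f"Permissions-Policy grants {feature} to {m.group(1)}")
    return findings


if __name__ == "__main__":
    for label, raw in (("baseline", GOOD_HEADERS), ("shared-host default", WEAK_HEADERS)):
        print(f"{label}: {audit_headers(raw) or 'OK'}")
```

Feed it the output of `curl -sI https://your-site/` (status line first) and an empty list means the shipped defaults are all present; the weak sample produces eight findings, which is roughly what a bare shared-host vhost looks like.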
Every site snapshot is restored in an isolated container once a quarter. Not as a drill, but as the canonical proof that the backup works. If the restore fails, the quarter does not close.
Snapshots use restic with a separate encryption key per site. Offsite storage lives in a separate region from the origin. The recovery target is under one hour for a full site replay, often well under.
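The restore drill described above only counts as proof if the restored tree is compared against something recorded at backup time. Added example, not the provider's own tooling: a content manifest (relative path to SHA-256) is built alongside each snapshot, and a restore into a throwaway directory is checked against it for missing, changed and unexpected files. `restore_drill` drives the real `restic restore` command, assuming the restic CLI is installed and the per-site key is supplied via `RESTIC_PASSWORD_FILE`; `demo` runs the same verification offline on a constructed site tree with a plain copy standing in for the restore.

```python
"""Restore drill helpers: restore a snapshot into an isolated directory, then prove the result matches a manifest."""
from __future__ import annotations
import hashlib
import os
import shutil
import subprocess
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Relative POSIX path -> sha256 for every regular file under root.
    Taken at backup time and kept beside the snapshot id, not inside the repository."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(restored: Path, manifest: dict[str, str]) -> list[str]:
    """Findings: files missing from the restore, files whose content changed, and files the backup never held."""
    actual = build_manifest(restored)
    findings = []
    for rel, digest in manifest.items():
        if rel not in actual:
            findings.append(f"missing: {rel}")
        elif actual[rel] != digest:
            findings.append(f"changed: {rel}")
    findings.extend(f"unexpected: {rel}" for rel in actual.keys() - manifest.keys())
    return sorted(findings)


def restore_drill(repo: str, password_file: str, snapshot: str, source_path: str,
                  manifest: dict[str, str]) -> list[str]:
    """Restore `snapshot` from `repo` into a fresh temporary directory and verify it.
    restic recreates the original absolute path below --target, so a site backed up from
    /srv/www/site lands in <target>/srv/www/site. Assumes the restic CLI is on PATH; the
    per-site key is passed through RESTIC_PASSWORD_FILE rather than on the command line."""
    env = {**os.environ, "RESTIC_REPOSITORY": repo, "RESTIC_PASSWORD_FILE": password_file}
    with tempfile.TemporaryDirectory(prefix="restore-drill-") as target:
        subprocess.run(["restic", "restore", snapshot, "--target", target], env=env, check=True)
        return verify_restore(Path(target) / source_path.lstrip("/"), manifest)


def demo() -> dict[str, list[str]]:
    """Offline version of the drill on a constructed site tree: a plain copy stands in for
    `restic restore`, verified once clean and once after the restored copy has been tampered with."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "site"
        (src / "wp-content").mkdir(parents=True)
        (src / "index.php").write_text("<?php echo 'hello'; ?>\n")
        (src / "wp-content" / "theme.css").write_text("body { color: #000; }\n")
        manifest = build_manifest(src)

        restored = Path(tmp) / "restored"
        shutil.copytree(src, restored)
        clean = verify_restore(restored, manifest)

        # Simulate a bad restore: one file altered, one lost, one that was never backed up.
        (restored / "index.php").write_text("<?php echo 'tampered'; ?>\n")
        (restored / "wp-content" / "theme.css").unlink()
        (restored / "extra.php").write_text("")
        tampered = verify_restore(restored, manifest)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

The manifest deliberately lives outside the restic repository: if the repository itself is what failed, a manifest stored inside it would fail with it. `restic check` still belongs in the drill for repository integrity; this compares content, which `check` does not.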
RFC 9116 compliant security.txt served at /.well-known/security.txt, with the Contact and Expires fields the RFC requires. One stable inbox, signed PGP key if you want one, public acknowledgements if you prefer.
Report to security@thatwebhostingguy.com. First response within 24 hours. Acknowledged fixes posted with credit if you want it.
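What "RFC 9116 compliant" has to mean in practice, as an added validator that is not the provider's own code: the file must carry at least one Contact URI and exactly one Expires timestamp that is in the future (the RFC recommends under a year out), every web URI must be https, and Preferred-Languages may appear only once. The sample file is constructed for this example; only the Contact address comes from the page, the other URLs are placeholders on example.com.

```python
"""Validate a security.txt file against the RFC 9116 rules that matter most to a reporter."""
from __future__ import annotations
import re
from datetime import datetime, timedelta, timezone

# Constructed example (not the live file). The Contact address is the one given above;
# the other URLs are placeholders on example.com.
SAMPLE = """\
# Constructed example for this page, not the live /.well-known/security.txt
Contact: mailto:security@thatwebhostingguy.com
Expires: 2029-12-31T23:59:00.000Z
Encryption: https://www.example.com/pgp-key.txt
Acknowledgments: https://www.example.com/hall-of-fame
Canonical: https://www.example.com/.well-known/security.txt
Preferred-Languages: en
"""

# Constructed file with the mistakes a validator should catch.
STALE = """\
Contact security@example.com
Expires: 2020-01-01T00:00:00.000Z
Encryption: http://www.example.com/key.asc
Preferred-Languages: en
Preferred-Languages: de
"""

# Fixed clock so the results are reproducible; pass None to use the real time.
FIXED_NOW = datetime(2029, 6, 1, tzinfo=timezone.utc)
URI_SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*:", re.I)
WEB_FIELDS = ("contact", "encryption", "acknowledgments", "canonical", "policy", "hiring")


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Group field values by lowercased name. Comments and blank lines are dropped;
    lines without the 'Name: value' shape are collected under '<malformed>'."""
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        key = name.strip().lower() if sep else "<malformed>"
        fields.setdefault(key, []).append(value.strip() if sep else line)
    return fields


def validate_security_txt(text: str, now: datetime | None = None) -> list[str]:
    """Return findings; an empty list means the file passes these checks."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    findings = [f"line is not 'Field: value': {v!r}" for v in fields.get("<malformed>", [])]

    if not fields.get("contact"):
        findings.append("Contact is required")

    expires = fields.get("expires", [])
    if len(expires) != 1:
        findings.append("exactly one Expires field is required")
    else:
        try:
            # RFC 9116 uses ISO 8601; older Pythons do not accept a trailing 'Z'.
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
            if exp.tzinfo is None:
                exp = exp.replace(tzinfo=timezone.utc)
            if exp <= now:
                findings.append("Expires is in the past; reporters must treat the file as stale")
            elif exp > now + timedelta(days=365):
                findings.append("Expires is more than a year out; the RFC recommends under a year")
        except ValueError:
            findings.append(f"Expires is not an ISO 8601 datetime: {expires[0]!r}")

    for name in WEB_FIELDS:
        for value in fields.get(name, []):
            if value.lower().startswith("http://"):
                findings.append(f"{name} uses http://, web URIs in security.txt must be https://")
            elif not URI_SCHEME.match(value):
                findings.append(f"{name} value is not a URI: {value!r}")

    if len(fields.get("preferred-languages", [])) > 1:
        findings.append("Preferred-Languages must not appear more than once")
    return findings


if __name__ == "__main__":
    print("sample:", validate_security_txt(SAMPLE, FIXED_NOW) or "OK")
    print("stale:", validate_security_txt(STALE, FIXED_NOW))
```

Run it against `curl -s https://your-site/.well-known/security.txt` on a schedule: the Expires check is the one that rots silently, and a stale file tells a reporter the inbox may be unattended.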
No bug bounty program, but a handwritten thank you note, a public thanks on the site, and a permanent place in the hall of fame if you find something serious.
Do not run active scans against production. Passive inspection, static analysis on published assets, and responsible proof of concept on your own vhost are always welcome.
The free audit checks TLS config, header posture, cert chain, CAA, CSP and backup claims. Most audits find at least one critical default missing.