Transparency matters. Here is how we protect this community and your data.
✅HTTPS Enforced
All traffic is encrypted. HTTP requests redirect to HTTPS automatically.
✅TLS 1.3
Current TLS version. Every TLS 1.3 handshake uses an ephemeral key exchange, so recorded traffic cannot be decrypted later even if the certificate's private key leaks (forward secrecy). Older, insecure protocol versions are disabled.
✅HSTS Preload
Strict-Transport-Security: max-age=63072000; includeSubDomains; preload (two years, all subdomains). A browser that has seen this header, or that ships with the domain in its HSTS preload list, will not send a plain-HTTP request to the site at all, so the initial HTTP-to-HTTPS redirect cannot be intercepted.
✅ECDSA Certificate (Let's Encrypt)
Elliptic-curve certificate, renewed automatically before expiry. ECDSA keys and signatures are much smaller than RSA keys of comparable strength, so handshakes are cheaper.
✅HTTP/2
Multiplexed connections for faster page loads.
✅Content-Security-Policy
Restricts where scripts, styles, and other resources may be loaded from. This limits what an injected script can do; it is a second line of defence behind proper output encoding, not a replacement for it.
✅X-Content-Type-Options: nosniff
Browsers must honour the declared Content-Type instead of guessing it, so user-supplied content cannot be reinterpreted as HTML or script.
✅X-Frame-Options: SAMEORIGIN
Prevents clickjacking: only pages from the same origin may embed this site in a frame.
✅Referrer-Policy: strict-origin-when-cross-origin
Cross-origin requests carry only the origin (no path or query string), and no referrer at all when going from HTTPS to HTTP.
✅Permissions-Policy
Disables browser features this site never uses: camera=(), microphone=(), geolocation=(), payment=()
✅Server Header Masked
The Server header is generic and X-Powered-By is removed, so the web-server and PHP versions are not advertised. This only makes fingerprinting harder; keeping the software patched (see below) is what actually protects the site.
✅bcrypt Password Hashing (cost 12)
Passwords are hashed with bcrypt at cost 12 (2^12 = 4,096 rounds), each with its own random salt. The hash is one-way, so a database breach does not reveal passwords; a weak password can still be guessed offline, which is one reason 2FA is offered.
✅Email Verification Required
New accounts must verify their email before posting.
✅Custom Math CAPTCHA
Self-built arithmetic challenge; the challenge is HMAC-signed so a client cannot forge or tamper with it. No Google dependency, no third-party scripts or tracking.
✅Brute-Force Protection (Fail2ban)
Five failed login attempts from one IP address within 5 minutes trigger a 1-hour ban of that address.
✅Rate Limiting
Throttling on login, registration, password reset, and post creation.
✅Two-Factor Authentication (2FA)
Time-based one-time passwords (TOTP, RFC 6238), compatible with any standard authenticator app, available on every account.
✅EU Data Residency (Germany)
All data stored on servers in Germany. No data leaves the EU.
✅Daily Backups (7-day retention)
Automated daily database backups via cron.
✅Zero Third-Party Tracking
No Google Analytics, no Facebook Pixel, no tracking cookies. Session cookie only.
✅GDPR Compliant
Privacy Policy, cookie consent, right to erasure, minimal data collection.
✅Minimal Data Collection
Only username, email, and content you post. No behavioral tracking.
✅PHP 8.4 (Latest Stable)
Current PHP release branch; security patches are applied as they are published.
✅Sandboxed PHP-FPM
PHP-FPM runs with open_basedir restricted to this site's own directories, so PHP code cannot read files belonging to other sites on the same host. open_basedir is a PHP-level restriction rather than an OS sandbox, so it complements filesystem permissions instead of replacing them.
✅HTTP Method Restriction
Only GET, POST, PUT, PATCH and DELETE are allowed; requests with any other method (TRACE, for example) are rejected.
✅Sensitive Files Protected
Configuration files, .env files and version-control directories such as .git are never served by the web server.
✅Directory Listing Disabled
Server directories cannot be browsed.
This page reflects the actual security configuration of community.elvatis.com.
We practice what we preach.