Static Site Security

TL;DR

Even a website with only static HTML and images can be vulnerable. Focus on secure hosting, content integrity checks, and preventing unwanted modifications. Regular scans are also important.

1. Secure Your Hosting Provider

1. Choose a reputable host: Look for providers known for security best practices (e.g., regular updates, firewalls).
2. HTTPS is essential: Use Let’s Encrypt or your provider’s SSL/TLS certificate service to encrypt all traffic.

   sudo certbot --nginx -d yourdomain.com

3. Strong passwords & 2FA: Protect your hosting account with a strong, unique password and enable two-factor authentication wherever possible.
4. Limit access: Only grant necessary permissions to users accessing the hosting environment.

2. Content Integrity Checks

1. Subresource Integrity (SRI): Use SRI tags for all external scripts and stylesheets loaded from CDNs or other sources. This verifies that files haven’t been tampered with.

   <script src="https://example.com/library.js" integrity="sha384-xxxxxxxxxxxxxxxxxxxxxxxxxxxxx" crossorigin="anonymous"></script>

2. Regular File Scanning: Implement a process to regularly scan your static files for unexpected changes.
   • Checksums/Hashes: Generate checksums (e.g., using md5sum or sha256sum) of your original files and store them securely. Compare these against the current files on the server to detect modifications.

     md5sum index.html

   • Automated Scans: Use tools like clamscan (for malware) or custom scripts to automate this process.

3. Prevent Unauthorised Modifications

1. File Permissions: Ensure appropriate file permissions are set on your server.
   • Files should generally be read-only for the webserver user.
   • Directories should have execute permission only for necessary users.
2. Disable Directory Listing: Prevent attackers from browsing your website’s directory structure.

   Options -Indexes

   (Add this to your .htaccess file or server configuration.)

3. Input Validation (if any dynamic elements): Even with static content, if you have *any* forms or client-side scripting that interacts with the server (e.g., for contact forms processed via a third-party service), validate all input to prevent injection attacks.

4. Regular Security Scans

1. Vulnerability Scanning: Use online vulnerability scanners (e.g., Sucuri SiteCheck, Qualys SSL Labs) to identify potential weaknesses.
2. Static Analysis Tools: If you’re using any build processes or pre-processors for your HTML/CSS, use static analysis tools to check for common security issues.

5. Content Delivery Network (CDN) Considerations

1. Reputable CDN: Choose a well-known and trusted CDN provider.
2. CDN Configuration: Configure your CDN securely, including proper caching rules and access controls.
3. Origin Protection: Protect your origin server from direct access to prevent bypassing the CDN’s security features.