Bablab websites' security
Website security goes beyond the sensitivity of the pictures in a portfolio website. Hacked websites might serve attackers to infect its visitors and often get automatically blacklisted and removed from search results. Most chances are that a visitor warned or infected by your site is a lost one.
All Bablab websites have SSL/TLS
TLS (Transport Layer Security), and its predecessor SSL are cryptographic protocols that secures communication over computer networks. TLS secures your portfolio website by encrypting the connection between the browser and the web server, preventing unauthorized parties from seeing or altering data in transmission, and protects against impersonation by requiring web server identity (a valid certificate).
- Subdomain websites (e.g. andy.bablab.com) are covered by Bablab’s wildcard certificate.
- Websites with connected domain names (e.g. chemallanos.com), are automatically issued a dedicated certificate, free of charge.
Our TLS implementation receives an “A+” rating from Qualys SSL Labs.
Moreover, having HSTS headers (HTTP Strict Transport Security) enabled, forces a secure connection - HTTPS only.
Our CMS (Content Management System) is a proprietary web application, developed by Bablab with no fingerprint, nor any fingerprinted external resource.
Most CMSs have plugins, themes, modules and integrations which are exposing vulnerabilities to attackers. Maybe one of the most known cases is that of Wordpress plugins and Wordpress themes that continue to be a serious threat in WordPress websites to this day.
Content Security Policy
Bablab websites enforce CSP (Content Security Policy), which defines the allowed sources for each type of content (e.g. scripts, images), specifically designed to defend from XSS attacks (cross site scripting). It also controls browser's settings, from sandbox enforcement to the value of HTTP Referer header.
Cookies sent by Bablab's web application and Bablab's portfolio websites have the following attributes:
- Secure - Prevents browsers from sending cookies over an insecure connection.
- HttpOnly - Prevents client-side scripts to access the cookie by telling browsers to only transmit the cookie over HTTP(S).
- SameSite - Prevents CSRF attacks by not sending the cookies when the request comes from another website.