This website doesn’t handle highly sensitive or personal information.
Nevertheless, we have implemented many security measures to protect your data, making our website far more secure than most other websites you use.
The simple explanation
Website security is a highly technical topic, so here is a simplified summary of what we’ve done:
Instead of coming up with our own half-baked security solutions, we follow well-established best practices and use systems that have been developed by security experts.
That’s really all there is to it. But if you want the gritty details, read on!
Credit card security
We never store your credit card data. Instead, we send it securely to Stripe.
Stripe is certified as a PCI Service Provider Level 1, which is the most stringent level of certification available. They handle billions of dollars of transactions every year.
We use a VPS from a reputable web host
Our website runs on a DigitalOcean virtual private server (VPS).
Most websites run on shared hosting, where many websites are installed on the same server. This is less secure because a security failure of one website can compromise all the others.
With a VPS, this worry is eliminated. Although we don’t have the whole physical computer to ourselves, we do have a completely separate logical system, which is just as good.
We use ServerPilot to keep our server secure
Maintaining a secure server is a highly specialised skill, and requires constant vigilance. You need to know immediately when a new attack surfaces, and you need to patch the server as soon as possible.
ServerPilot is a security service run by experts. Once installed on a server, it configures a secure environment, and then automatically applies security updates when they appear.
ServerPilot stays on top of the latest security threats, so we don’t have to. After all, I’m a badminton coach, not a sysadmin!
For example, ServerPilot rapidly applied security fixes when the Heartbleed, Shellshock, POODLE, and GHOST vulnerabilities were discovered.
We encrypt all traffic using TLS
Most websites serve their pages over plain HTTP. This is roughly the same as shouting a conversation across a crowded bar. Potentially, anyone can listen in on the conversation.
We serve all our pages over HTTPS, using Transport Layer Security (TLS) to encrypt all traffic. TLS is the newer, better version of SSL.
We use a strong content security policy, which provides defence-in-depth against a wide variety of attacks.
We get an A+ grade from the Mozilla Observatory. This is a service that checks the configuration of your server against strict, modern standards. At the time of writing, out of 2.3 million scanned sites, 90% failed and 0.4% scored A+.
We keep your password safe
We never store your password itself. Instead, we store a hash of your password. This is not the same thing as encryption, because hashing is a one-way process that cannot be reversed.
We use Bcrypt, which is a strong hash. Bcrypt hashes are computationally impractical to break, even using dedicated password-cracking hardware such as a GPU cluster.
We also use a salt with our hashes, which defends against rainbow table attacks. The salt is unique per user.
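An added illustration of the salted, one-way storage described above (not this website's actual code): Python's standard-library scrypt stands in for Bcrypt, which needs a third-party package. The usernames, passwords, cost parameters and helper names are constructed for the example.

```python
import hashlib
import hmac
import os

# scrypt cost parameters: assumed values for this example, not the site's settings.
N, R, P = 2**14, 8, 1

def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random 16-byte salt is drawn when none is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=N, r=R, p=P, dklen=32)
    return salt, digest

def verify_password(password, salt, stored_digest):
    """Re-hash the attempt with the user's stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)

def register(db, username, password):
    """Store only the salt and digest, never the password itself."""
    db[username] = hash_password(password)

def login(db, username, password):
    """Look up the user's record and check the attempt against it."""
    if username not in db:
        return False
    salt, digest = db[username]
    return verify_password(password, salt, digest)

def precomputed_hits(db, table):
    """Count stored digests found in a lookup table built without each user's salt."""
    return sum(1 for _, digest in db.values() if digest in table)

# Constructed sample data: two users who happen to choose the same password.
users = {}
register(users, "alice", "shuttlecock-42")
register(users, "bob", "shuttlecock-42")

# A table computed once with a single fixed salt, standing in for a rainbow table.
fixed_salt = bytes(16)
table = {hash_password(p, fixed_salt)[1]: p for p in ["shuttlecock-42", "password1"]}

if __name__ == "__main__":
    print("same password, same digest?", users["alice"][1] == users["bob"][1])
    print("alice logs in:", login(users, "alice", "shuttlecock-42"))
    print("wrong password rejected:", not login(users, "alice", "shuttlecock-43"))
    print("precomputed table hits:", precomputed_hits(users, table))
```

Because each record carries its own salt, the two identical passwords produce different digests, and a table computed in advance matches neither of them.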
Remember that weak passwords can easily be guessed or even broken by brute force. It’s your responsibility to choose strong passwords and to avoid reusing them across different sites. I recommend using a password manager like LastPass to make this easy.