In the last few months I’ve made a few changes to security protocols on this site. Some things I’ve already written about, and others I’ve just done quietly out of personal curiosity.

CAA
My certificates are issued by Amazon, so I just added the record @ 172800 IN CAA 0 issue "amazon.com" to the DNS zone.
DNSSEC
My domain provider is Gandi.net and it turned out this was a one-click option in their dashboard.
TLS 1.3, and TLS 1.2 with modern ciphers
TLS 1.3 has been included by default with CloudFront since 2020; selecting the TLSv1.2_2021 security policy in the distribution settings drops support for outdated cipher suites.
HSTS with other security headers
This was a little trickier to achieve with CloudFront, but in principle adding HTTP response headers isn't difficult with any server software.
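One way to add the headers on CloudFront is a CloudFront Function attached to the viewer-response event. The function below is an added example, not this site's own code; the set of headers and their values are assumptions for a plain static site, and existing headers from the origin are left untouched.

```javascript
// Added example: CloudFront Function (viewer-response event) that adds HSTS and
// a typical set of security headers. Header values are assumptions for a static
// site with no inline scripts; they are not the values this site actually uses.
var SECURITY_HEADERS = {
  // Two years, subdomains included; only safe once every subdomain serves HTTPS.
  'strict-transport-security': 'max-age=63072000; includeSubDomains; preload',
  'x-content-type-options': 'nosniff',
  'x-frame-options': 'DENY',
  'referrer-policy': 'strict-origin-when-cross-origin',
  'content-security-policy': "default-src 'self'; frame-ancestors 'none'; base-uri 'self'",
  'permissions-policy': 'camera=(), microphone=(), geolocation=()'
};

// CloudFront Functions represent headers as an object keyed by lowercase header
// name, each entry holding { value: '...' }.
function addSecurityHeaders(headers) {
  Object.keys(SECURITY_HEADERS).forEach(function (name) {
    // Keep a header the origin already set, e.g. a per-object CSP stored as
    // S3 object metadata, rather than silently overwriting it.
    if (!headers[name]) {
      headers[name] = { value: SECURITY_HEADERS[name] };
    }
  });
  return headers;
}

// Entry point CloudFront invokes for each viewer response.
function handler(event) {
  var response = event.response;
  response.headers = addSecurityHeaders(response.headers || {});
  return response;
}
```

Pair this with the distribution's "Redirect HTTP to HTTPS" viewer protocol policy so browsers only ever see the HSTS header over TLS.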

I used to be of the opinion that static sites did not need encryption. Evidently I’ve since been persuaded otherwise, and here are the benefits of better security measures:

Aside from introducing some imperceptible amount of latency, none of this makes a visible difference to the site or how you experience it. Just enjoy the feeling of assured confidence.

All of that is just to encrypt the connection. The server itself can still be compromised, except in my case it's just object storage, so there isn't much of an attack surface. Someone can still run a DDoS attack on the site, although CloudFront scales quickly and has some kind of built-in protection.

I would have fully expected each of these things to be a real pain, and yet, I had no major problems. I’m not doing anything complicated with this site, everything is relatively simple, and security is easy.