Hardy at 19:28, 16 June 2025

2025-06-16T19:28:18Z

← Older revision		Revision as of 19:28, 16 June 2025
Line 44:		Line 44:
	\|Front-page IP widget bensmomcraft.com		\|Front-page IP widget bensmomcraft.com
	\|}		\|}

			=== Extra security you get just by sitting behind Cloudflare ===
			{\| class="wikitable"
			!Layer (edge-side)
			!What it brings to the party
			!Source
			\|-
			\|'''Anycast CDN & unmetered DDoS shield'''
			\|All HTTP/S traffic first lands on Cloudflare’s 310-city Anycast network. Their autonomous systems absorb and disperse L3/L4/L7 floods (unlimited, even on the free tier).
			\|cloudflare.comdevelopers.cloudflare.com
			\|-
			\|'''Cloudflare Web Application Firewall (WAF)'''
			\|A rule-set that blocks OWASP-Top-10 attacks (SQL-i, XSS, file-inclusion, etc.) and lets you add custom “if…then” rules from the dashboard.
			\|cloudflare.comdevelopers.cloudflare.com
			\|-
			\|'''Bot Fight Mode'''
			\|One-click setting that fingerprints headless browsers & known bad ASNs, then rate-limits or puzzles them—handy for vote-spam and credential-stuffers.
			\|developers.cloudflare.comdevelopers.cloudflare.com
			\|-
			\|'''Universal SSL + automatic renewals'''
			\|Cloudflare issues and rotates DV certs for every host under the domain, so you never chase Let’s Encrypt cron jobs again. Pair it with “Always HTTPS” and HSTS for end-to-end TLS.
			\|developers.cloudflare.comdevelopers.cloudflare.com
			\|}

			==== Why it matters for BensMomCraft.com ====

			* '''Edge filtering before NamelessMC ever sees traffic''' – SQL-i probes against the forum or shop get nixed at the perimeter, sparing your PHP backend and database.
			* '''Global POPs mean lower latency for players''' – Static assets (CSS/JS/avatars) are cached close to EU/Asia visitors, shaving seconds off first load.
			* '''DDoS peace-of-mind''' – If someone targets <code>play.bensmomcraft.com</code> or the website because of your spicy “Ben’s a cuck” tracks, Cloudflare’s network takes the blast without extra cost or config.
			* '''No extra keys to store''' – OAuth log-ins, Tebex checkout, and NamelessMC sessions still flow through the same TLS tunnel; Cloudflare just manages the certs.

Hardy: Created page with "{| class="wikitable" !Layer !What it does !Where you can spot it |- |'''TLS everywhere''' |The site forces an automatic HTTP→HTTPS redirect, so all traffic is encrypted in-transit. |Hitting `http://bensmomcraft.com` bounces straight to `https://…` bensmomcraft.com |- |'''OAuth log-ins''' |Instead of making you create yet another password, you can authenticate with Discord or Google—both hand you back via the..."

2025-06-16T19:25:37Z

Created page with "{| class="wikitable" !Layer !What it does !Where you can spot it |- |'''TLS everywhere''' |The site forces an automatic HTTP→HTTPS redirect, so all traffic is encrypted in-transit. |Hitting <code><nowiki>http://bensmomcraft.com</nowiki></code> bounces straight to <code><nowiki>https://…</nowiki></code> bensmomcraft.com |- |'''OAuth log-ins''' |Instead of making you create yet another password, you can authenticate with Discord or Google—both hand you back via the..."

New page

{| class="wikitable"
!Layer
!What it does
!Where you can spot it
|-
|'''TLS everywhere'''
|The site forces an automatic HTTP→HTTPS redirect, so all traffic is encrypted in-transit.
|Hitting <code><nowiki>http://bensmomcraft.com</nowiki></code> bounces straight to <code><nowiki>https://…</nowiki></code> bensmomcraft.com
|-
|'''OAuth log-ins'''
|Instead of making you create yet another password, you can authenticate with Discord or Google—both hand you back via the standard OAuth 2.0 flow, meaning the site never handles your credentials.
|Login / Register screens show the social buttons bensmomcraft.combensmomcraft.com
|-
|'''NamelessMC hardening'''
|The site runs the NamelessMC CMS, which ships with:
• bcrypt-hashed passwords
• built-in CSRF tokens on every form
• optional Google reCAPTCHA for registration
• optional per-group or per-user TOTP 2FA
|NamelessMC docs highlight 2FA & reCAPTCHA settings docs.namelessmc.comgithub.com and its April 2025 security-patch release notes namelessmc.com
|-
|'''Legal & privacy notices'''
|Dedicated '''Terms & Conditions''', '''Privacy Policy''', and '''Cookie Notice''' links in the footer satisfy basic GDPR/CCPA transparency and give you opt-in tracking consent.
|Footer links on every page bensmomcraft.com
|-
|'''Cookie-banner opt-in'''
|Visitors from regions that require it see a banner before non-essential cookies are set, reducing regulatory exposure. (It’s the stock NamelessMC “Cookie Notice” module.)
|Footer + first-load banner trigger bensmomcraft.com
|-
|'''Isolated payments'''
|All rank/keys purchases jump to '''Tebex.io''', which is PCI-DSS compliant and runs its own fraud filters—your site never touches card data.
|“Shop Now” button points to Tebex bensmomcraft.com
|-
|'''Account-consent gate'''
|New users must tick “I Agree” to the T&C before registration is accepted, adding an explicit contract layer.
|Register page checkbox bensmomcraft.com
|-
|'''Role-based permissions'''
|NamelessMC lets you granularly restrict StaffCP access, forum moderation, API tokens, etc., minimising blast-radius if a staff account is compromised.
|(Exposed in StaffCP; documented in NamelessMC docs) docs.namelessmc.com
|-
|'''Non-default game port'''
|The public server address (<code>play.bensmomcraft.com:25620</code>) isn’t the vanilla 25565 port, which deters the laziest mass-scan botnets.
|Front-page IP widget bensmomcraft.com
|}

Security Features - Revision history

Hardy at 19:28, 16 June 2025