
My Projects
In this section of my website, I will focus on documenting my personal projects.
Example Project:
- I built my personal website using WordPress, deployed as a Docker container running on a Raspberry Pi 5. This demonstrates lightweight containerization and self-hosting capabilities on ARM-based hardware.
- My domain, sylvesterzareba.com, is managed through Cloudflare (Free Plan) with several security enhancements:
  - TLS 1.3 enforced (with weak ciphers disabled) – I configured Cloudflare to only accept TLS 1.3 connections while disabling legacy and weak cipher suites (e.g., RSA, 3DES, and older AEAD modes). This ensures that only modern, strong encryption algorithms are used. Disabling weak ciphers is critical because attackers can exploit downgrade attacks or cryptographic weaknesses in outdated ciphers to decrypt or tamper with traffic. By enforcing TLS 1.3 with strong ciphers only, the connection is both secure and future-proof.
  - HTTP Strict Transport Security (HSTS) – Enforcing HSTS ensures that browsers only connect to my site over HTTPS, even if a user attempts to use HTTP. This prevents protocol downgrade attacks and cookie hijacking attempts through man-in-the-middle interception.
  - Zero Trust Tunnel (Cloudflared) – Instead of exposing my Raspberry Pi via static IP or port forwarding, I implemented Cloudflare Tunnels. Cloudflared is installed on my Docker host (Raspberry Pi 5), either directly on the OS or within its own Docker container, providing a secure outbound-only tunnel to Cloudflare’s edge. This reduces attack surface and eliminates the need for inbound firewall rules.
  - DNSSEC enabled – DNSSEC (Domain Name System Security Extensions) protects against DNS spoofing and cache poisoning by digitally signing DNS records, ensuring that domain resolutions are authentic and untampered.
  - Custom WAF rule applied – I configured a Web Application Firewall (WAF) rule to block access attempts to the WordPress admin URI path. This mitigates brute-force and automated bot attacks targeting the admin interface, reducing exposure to common WordPress exploits.
Together, these configurations showcase my ability to apply defense-in-depth principles: hardening network communication (TLS 1.3 with strong ciphers + HSTS), minimizing attack surface (Zero Trust Tunnel with Cloudflared), protecting DNS integrity (DNSSEC), and filtering malicious traffic at the edge (WAF).
Verification Tools:
- You can check DNSSEC status using Verisign DNSSEC Analyzer.
- You can check TLS protocol version, HSTS enforcement, and cipher settings using Qualys SSL Labs Test.
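The TLS 1.3-only and HSTS settings can also be checked locally with a short script. This is an added example, not part of the site's own tooling; the function names, the 180-day `max-age` floor, and the `example.com` placeholder are assumptions.

```python
import http.client
import socket
import ssl

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797) into a dict."""
    policy = {"max_age": None, "include_subdomains": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdecimal():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
    return policy

def hsts_findings(value, min_age=15552000):  # assumed floor: 180 days
    """Return weaknesses in an HSTS header value; an empty list means none."""
    if not value:
        return ["header missing"]
    policy, findings = parse_hsts(value), []
    if policy["max_age"] is None:
        findings.append("max-age missing or invalid")
    elif policy["max_age"] == 0:
        findings.append("max-age=0 clears the policy")
    elif policy["max_age"] < min_age:
        findings.append("max-age too short")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains not set")
    return findings

def accepts_tls(host, version, port=443):
    """True if host completes a handshake pinned to exactly `version`."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, ConnectionResetError):
        return False  # handshake refused; other network errors propagate

if __name__ == "__main__":
    host = "example.com"  # placeholder: substitute the site being checked
    for v in (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        print(v.name, "accepted" if accepts_tls(host, v) else "refused")
    conn = http.client.HTTPSConnection(host, timeout=5)
    conn.request("HEAD", "/")
    hdr = conn.getresponse().getheader("Strict-Transport-Security")
    print("HSTS:", hsts_findings(hdr) or "ok")
```

For a site configured as described above, the expected result is TLSv1_2 refused, TLSv1_3 accepted, and no HSTS findings.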
More projects coming soon.
