SearX service security information

The service was previously served through Cloudflare's CDN in Full (strict) mode: TLS from the browser to Cloudflare, and a second TLS connection from Cloudflare to the origin server whose certificate Cloudflare validates. Note that this is not end-to-end encryption: Cloudflare terminates TLS and sees every query in plaintext.

The service is no longer served through Cloudflare's CDN, for the convenience of Tor users. Cloudflare's CDN would be put back in front of the site, however, should it be blocked by the GFW (the Great Firewall of China).

From the server to clients

TLS v1.3 only; certificate issued by Let's Encrypt

Available Ciphers:

TLS v1.3

Hey, these fancy-sounding terms mean nothing to someone who doesn't understand them, do they? TLS 1.3 only has the first three cipher suites; the server picks one of the three by itself, and the usual ssl_ciphers directive cannot remove a specific one (with OpenSSL 1.1.1 or later the TLS 1.3 set is controlled separately, through ssl_conf_command Ciphersuites). But if you don't understand that, the seemingly professional information above gives you more confidence in the security, doesn't it?

Headers

Response headers as set in nginx (the two Content-Security-Policy lines belong to different location blocks, as marked). Two nginx details matter here: a header added without "always" is only sent on 2xx and 3xx responses, so error pages would go out without HSTS; and a location block that declares any add_header of its own inherits none from the server block, so the shared headers must be repeated wherever a per-location Content-Security-Policy is set. The only relaxation in the policies is style-src 'unsafe-inline'; script-src stays at 'self', so no inline scripts are allowed.

add_header X-Frame-Options SAMEORIGIN always;
add_header Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self'; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com" always; # location /
add_header Content-Security-Policy "upgrade-insecure-requests; default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self'; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self'; img-src 'self'" always; # location /morty

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
add_header X-XSS-Protection "1; mode=block" always; # deprecated header, ignored by current browsers
add_header X-Content-Type-Options "nosniff" always;
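
The directives above are listed flat, which hides where each one lives. As an added example, not the instance's own configuration, the server block below puts the TLS settings from the section above and these headers together, repeating the shared headers inside each location because nginx does not inherit add_header into a location that sets its own. The hostname searx.example, the certificate paths, the two upstream addresses and the port-80 redirect are assumptions; the header values are the ones listed on this page, and the explicit TLS 1.3 suite list is an assumption that shows how the set is controlled with OpenSSL 1.1.1 or later.

```nginx
# Added example, not the instance's own configuration.
# Assumptions: searx.example (hostname), the certificate paths, and the two
# upstream addresses. Header values are the ones listed on this page.

# HSTS "preload" requires that plain HTTP on the host redirects to HTTPS.
server {
    listen 80;
    listen [::]:80;
    server_name searx.example;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name searx.example;

    # Certificate issued by Let's Encrypt (paths assumed).
    ssl_certificate     /etc/letsencrypt/live/searx.example/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/searx.example/privkey.pem;

    # TLS 1.3 only. ssl_ciphers has no effect on TLS 1.3 suites; with
    # OpenSSL 1.1.1+ and nginx 1.19.4+ the set is chosen via ssl_conf_command.
    # The list below is OpenSSL's default order, given here as an assumption.
    ssl_protocols TLSv1.3;
    ssl_conf_command Ciphersuites TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256;

    # Headers for every response. "always" sends them on 4xx/5xx too.
    # NOTE: a location that has its own add_header inherits none of these,
    # so each location below repeats them next to its own CSP.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header X-Frame-Options SAMEORIGIN always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;  # deprecated, ignored by current browsers

    # Morty result proxy, mounted under /morty/: tighter policy, no
    # third-party frames, tiles or connections.
    location /morty/ {
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
        add_header X-Frame-Options SAMEORIGIN always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Content-Security-Policy "upgrade-insecure-requests; default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self'; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self'; img-src 'self'" always;
        # Trailing slash strips the /morty/ prefix; morty serves from its root.
        # Listen address is an assumption.
        proxy_pass http://127.0.0.1:3000/;
        proxy_set_header Host $host;
    }

    # searx itself: default-src 'none', with only the map tiles, the Overpass
    # API and the listed media embeds opened up.
    location / {
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
        add_header X-Frame-Options SAMEORIGIN always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Content-Security-Policy "upgrade-insecure-requests; default-src 'none'; script-src 'self'; style-src 'self' 'unsafe-inline'; form-action 'self'; font-src 'self'; frame-ancestors 'self'; base-uri 'self'; connect-src 'self' https://overpass-api.de; img-src 'self' data: https://*.tile.openstreetmap.org; frame-src https://www.youtube-nocookie.com https://player.vimeo.com https://www.dailymotion.com https://www.deezer.com https://www.mixcloud.com https://w.soundcloud.com https://embed.spotify.com" always;
        # Listen address is an assumption.
        proxy_pass http://127.0.0.1:8888;
        proxy_set_header Host $host;
    }
}
```

The repetition inside each location is deliberate and is the whole point: drop it, and a request for /morty/ would carry the Content-Security-Policy but none of the other headers. In practice the shared lines are usually kept in one file pulled in with an include directive in every location, so that they cannot drift apart.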

Scan Results

SSL Server Test: A (not A+ since TLSv1.2 support is dropped) https://www.ssllabs.com/ssltest/analyze?d=searx.geistlib.xyz

HTTP Observatory: A+ https://observatory.mozilla.org/analyze/searx.geistlib.xyz

Morty

DO NOT TRY TO LOG IN TO ANY ACCOUNT WHILE PROXIED THROUGH MORTY. Morty fetches and rewrites every page on the server before it reaches your browser, so anything you submit through it, credentials included, is visible to the server in plaintext. Even if you trust me, I cannot guarantee that the server won't be compromised. Understood?