Well I'd didn't think I'd ever see kf called Zionist
Gabe Hoffman a devout Zionist President of Combat Antisemitism Now giving Money going to Kino and Kiwi. LOL couldn't be sucking more jew cock if they tried.
Can anybody provide a summary on the security protocols of his new website? How fucked is it?
They have a Let's encrypt SSL certificate, its hosted out of Malaysia using Cloudflare for DNS and DDOS protection.
Network & Infrastructure Security
CDN DDOS via Cloudflare 104.21.28.114, 172.67.145.227
Web Server is Lightspeed for the CMS with Open Resty install for some reason (retards)
HTTP2 and 3 are enabled
HTTPS Redirect is setup with 301 permanent
SSL/TLS
Certificate Issued by Let's Encrypt TLS 1.3 - TLS_AES_256_GCM_SHA384 (strong)
Certificate Coverage - Wildcard: *.snark.vegas + snark.vegas
Validity - May 16 – Aug 14, 2026 (90-day auto-renewal)
HSTS - NOT enabled (missing Strict-Transport-Security header) LOL
HTTP Security Headers
X-Frame-Options SAMEORIGIN Prevents clickjacking
X-Content-Type-Options nosniff Prevents MIME-type sniffing
Content-Security-Policy MISSING No CSP header detected
X-XSS-Protection MISSING No XSS protection header
Referrer-Policy MISSING No referrer policy set
Permissions-Policy MISSING No permissions policy
Strict-Transport-Security MISSING No HSTS
Application-Level Security
DragonByte Security Add-on - Active — sets xf_dbtechSecuritySession cookie (Secure + HttpOnly). Provides login session control, security alerts, brute-force protection, and password strength rules.
CSRF Protection - XenForo's built-in _xfToken system + xf_csrf cookie (Secure flag)
CAPTCHA - hCaptcha (invisible mode) on registration — sitekey: 0ad2aaa2-f54a-4136-8940-e3608fbc45cc
Password Rules - DBTech Security password strength enforcement on registration
Cookie Security - Session cookies use Secure and HttpOnly flags
Admin Panel - Accessible at /admin.php (returns 200 — login form, not exposed)
https://snark.vegas/admin.php
Theme & Framework
XenForo 2.3
XenBase Theme 2.3.4 (by ThemeHouse — dark style)
DragonByte Security - Active (product #345)
OzzModz Badges - Active
Security Gaps / Weaknesses
No HSTS header — The site doesn't enforce HTTPS at the browser level via Strict-Transport-Security. A user could theoretically be downgraded to HTTP on first visit before the 301 redirect kicks in.
No Content-Security-Policy — Without CSP, the site has reduced protection against XSS and code injection attacks.
No Referrer-Policy — Referrer information may leak to third-party sites.
No Permissions-Policy — Browser features (camera, mic, geolocation) aren't explicitly restricted.
No security.txt — No /.well-known/security.txt file for responsible disclosure.
Cloudflare is the main shield — Most of the heavy-lifting security (DDoS mitigation, bot protection, WAF rules) likely comes from Cloudflare rather than the application itself.