Lessons learned from recent server and website updates

Content-Security-Policy

Regarding the CSP header, the prefetch-src entry is deprecated and should be removed. More at Mozilla!

Nginx and HTTP/3

The Nginx version in Ubuntu 22.04 is pretty old (1.18) and has reached EOL yet. For receiving newer releases one must add the Nginx repository from nginx.org to the package manager and remove the old install. Nginx distinguishes a stable branch (only security updates) with even minor release numbers and a mainline branch with odd minor release numbers. The latter also gets functionality updates. I employed this guide to update my servers.

The Ubuntu package of the mainline branch delivers 1.25 at the time being which comes with inbuilt HTTP/3 support. It is still marked as experimental but some community members use it in production already. I have decided to do so, too, in order to gain some experience. Alas, only a minority of my visitors use it already despite of browser support being close to complete.

It appeared that several HTTP/3 checkers were faulty or not online anymore. My screenshot was taken from Litespeed’s HTTP/3 Check.

WordPress

WordPress (6.2.2) has a health check now (German: Website-Zustand) but some of its messages appear spurious. I employ the ActivityPub plugin so you can subscribe to authors with fediverse clients like Mastodon. For ingram-braun.net, where I am the only author, simply put ib@ingram-braun.net in the search field of your client. Health check does not stop to complain about a faulty webfinger reply although I managed to subscribe to authors in real life.