Ok, so recent IPv6 enablement didn’t went smooth. Even though I’ve added the AAAA record and I was able to ping6(8) from my FreeBSD machine, I forgot about configuring the firewall. Sadly, I know very little about pf.conf(5), so I used a ready config, changed the network interface, and added ssh. Voila, IPv6 works! Thanks for letting me know about this bug on my side, Marco.

Then I added Domain Name System Security Extensions. It’s a security mechanism that cryptographically secures against man-in-the-middle attacks on the DNS level. I’ve enabled it in Vultr and copy-pasted a few records to Namecheap. Voila, it works!

The last thing I’ve added was proposed by chr bre - HTTP Strict Transport Security. This tells the browser always to use HTTPS, effectively blocking usage of non-encrypted HTTP. All I was needed to do was to add a header to NGINX config for server listening on port 443.

After some testing, I’ve added preload to the header and submitted it to Google. This submission will add this site to a list preloaded in Chrome, and other browsers, removing the first non-encrypted fetch of data. Of course, if I break HTTPS here, the site will stop working but what the hell.

I now have a 100% rating on internet.nl, which is cool.