I think step 1 is to evaluate your actual exposure. What are you seeing in terms of hits? Maybe add a notification email for each hit. Doesn't stop someone from seeing the info, but would at least let you know your actual exposure--or when you should consider changing things up.
If a basic passcode (make it simple, just a PIN or a few characters, not a full username/password) is too onerous, which I'm not sure I think it is, then maybe you bake it into the URL itself as a subdomain/virtual host. Example: https://pin123.mymedical.info - the key would be to only render if the hostname matches. This would actually be pretty easy - e.g., TLS-only, SNI required (SNI support can now be considered ubiquitous), no fallback, preventing access just by IP address.

-----Original Message-----
From: Hardware [mailto:[email protected]] On Behalf Of Winterlight
Sent: Thursday, November 21, 2019 1:51 PM
To: Hardware Group <[email protected]>
Subject: [H] Security

I own a domain and hosting account that is hung on GoDaddy. I have a sub domain that has to do with personal medical information. I created it because I live alone and if something were to happen all necessary information is on that sub domain index web page. I don't use passwords or encryption for this page because if I am brought in the ER somebody needs to look at my dog tag and use the address to bring up my info. It is the KISS principle. I use a robots.txt file on both the main and sub domain to avoid searches, and the fact that somebody would have to know the sub domain address in order to bring it up which is unlikely .... or that is my theory. I think we have some web developers in the collective so please give me your thoughts. There is always going to be a risk but is this good enough?

Thanks

w
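
The hostname gate suggested in the reply at the top of this thread, sketched as an added example that is not code from either poster: the TLS handshake is refused unless the client sends the expected SNI name, and the page renders only when the Host header matches as well, so a request by bare IP address gets nothing. It assumes a self-run Python standard-library server; the function names, placeholder certificate paths and page body are hypothetical, and the hostname is the example one from the reply.

```python
import hmac
import logging
import ssl
from http.server import BaseHTTPRequestHandler, HTTPServer

EXPECTED_HOST = "pin123.mymedical.info"  # example hostname from the thread


def host_allowed(name, expected=EXPECTED_HOST):
    """Exact match only; a missing name (no SNI, no Host header) or an IP fails."""
    if not name:
        return False
    host = name.strip().lower().rsplit(":", 1)[0].rstrip(".")  # drop port, root dot
    return hmac.compare_digest(host.encode(), expected.encode())


def sni_gate(sock, server_name, ctx):
    """TLS layer: abort the handshake unless the client sent the expected SNI."""
    if host_allowed(server_name):
        return None  # continue the handshake
    return ssl.ALERT_DESCRIPTION_UNRECOGNIZED_NAME


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        # HTTP layer: the Host header must match too; there is no default site.
        if not host_allowed(self.headers.get("Host")):
            self.send_error(404)
            return
        logging.warning("hit from %s", self.client_address[0])  # hook an alert here
        body = b"emergency information page\n"  # constructed placeholder content
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def build_context(certfile, keyfile):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)
    ctx.sni_callback = sni_gate  # called with server_name=None when no SNI is sent
    return ctx


if __name__ == "__main__":
    httpd = HTTPServer(("0.0.0.0", 443), Handler)
    # Placeholder paths (assumption): supply your own certificate and key.
    ctx = build_context("cert.pem", "key.pem")
    httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    httpd.serve_forever()
```

The logging call in the handler is where the per-hit notification from the first paragraph of the reply would attach.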
