from Hacker News

MDN tool that tells you of security gaps in your website

by lilouartz on 7/4/24, 5:34 PM with 11 comments

  • by account42 on 7/5/24, 12:42 PM

    This gives my website a C (50 / 100) because:

    Content Security Policy (CSP) −25

    X-Content-Type-Options −5

    X-Frame-Options −20

    Yet it's just a simple static website without scripts, cookies or any other dynamic content. If you need to specify whatever random headers WHATWG comes up with each year for a static site to be secure then the problem is the browser not the website.

    X-Content-Type-Options in particular is 100% about browsers ignoring the spec and then making you set another header asking them to please reconsider.

    Referer is another thing that should be 100% fixed on the browser side instead of each website asking the browser to please not leak information to other websites.

    Then when you look at the scoring criteria [0] you see it even awards bonus points for setting cookies and using scripts as long as you do it in the currently fashionable way compared to not using cookies/scripts at all. This is absolutely the wrong way around.

    [0] https://developer.mozilla.org/en-US/observatory/docs/tests_a...
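
The three headers the comment above lists (Content-Security-Policy, X-Frame-Options, X-Content-Type-Options) can be checked offline against a captured response before running the public scanner. The following is an added example, not Mozilla Observatory's own code: the point deductions (25, 20, 5) are the ones quoted in the comment, while the pass/fail rules for each header value and the two sample header sets are my own simplified assumptions, not the Observatory's test logic.

```python
"""Minimal response-header checker for a static site (added example).

Deductions are the values quoted in the comment above; the value rules are
simplified assumptions, not the Observatory's actual tests.
"""
from typing import Dict, List, Tuple
import urllib.request

# Points removed for a missing header, as quoted in the comment above.
# Assumption: an unsafe value is deducted the same as a missing header.
DEDUCTIONS = {
    "content-security-policy": 25,
    "x-frame-options": 20,
    "x-content-type-options": 5,
}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source, ...]} (lower-cased)."""
    directives: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def check_headers(headers: Dict[str, str]) -> Tuple[int, List[str]]:
    """Return (score, findings) for one response's headers.

    Header names are matched case-insensitively, as HTTP requires.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings: List[str] = []
    score = 100

    # Content-Security-Policy: present, and script sources not wide open.
    csp = parse_csp(h.get("content-security-policy", ""))
    if not csp:
        findings.append("Content-Security-Policy missing")
        score -= DEDUCTIONS["content-security-policy"]
    else:
        # script-src falls back to default-src when it is not set.
        script_src = csp.get("script-src", csp.get("default-src", []))
        if "'unsafe-inline'" in script_src or "*" in script_src:
            findings.append("Content-Security-Policy allows unsafe script sources")
            score -= DEDUCTIONS["content-security-policy"]

    # X-Frame-Options: a CSP frame-ancestors directive covers the same
    # clickjacking concern in CSP2-capable browsers, so accept either.
    xfo = h.get("x-frame-options", "").upper()
    if "frame-ancestors" not in csp and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or not DENY/SAMEORIGIN")
        score -= DEDUCTIONS["x-frame-options"]

    # X-Content-Type-Options: only 'nosniff' is meaningful.
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff'")
        score -= DEDUCTIONS["x-content-type-options"]

    # Referrer-Policy is reported only; the comment quotes no deduction for it.
    if "referrer-policy" not in h:
        findings.append("Referrer-Policy missing (informational)")

    return score, findings


def fetch_headers(url: str) -> Dict[str, str]:
    """Fetch live response headers with a HEAD request (needs network)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items())


# Constructed sample responses (not captured from any real site).
BARE_STATIC_SITE = {"Content-Type": "text/html; charset=utf-8"}

HARDENED_STATIC_SITE = {
    "Content-Type": "text/html; charset=utf-8",
    # A page with no scripts can deny everything, then allow only what it serves.
    "Content-Security-Policy": "default-src 'none'; img-src 'self'; "
                               "style-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
}

if __name__ == "__main__":
    for name, sample in (("bare", BARE_STATIC_SITE),
                         ("hardened", HARDENED_STATIC_SITE)):
        score, findings = check_headers(sample)
        print(f"{name}: {score}/100 {findings}")
```

With the quoted deductions, the bare sample lands exactly on the 50/100 the commenter reports, and the hardened set scores 100 with no findings; `fetch_headers` can replace the constructed samples when checking a live origin.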

  • by rascul on 7/5/24, 1:00 PM

    They removed features and made the URL worse.

    Edit: Figured I should point out that the old one had TLS and SSH stuff also, and the URL was https://observatory.mozilla.org.

  • by lilouartz on 7/4/24, 5:35 PM

    Seems like this tool is a bit under the radar, but it was extremely useful in identifying obvious security gaps.

  • by ziggyzecat on 7/5/24, 9:00 AM

    I was about to look for tools like this one. Please share if you know of others. Thank you.

  • by mediumsmart on 7/6/24, 4:14 AM

    I got an F for a static site and upgraded it to A+, considering 120 but ultimately settling for a comfortable 110/100 as-good-as-it-gets score. Thank you for this. I had no idea.

  • by cowboylowrez on 7/8/24, 8:52 PM

    So my website pretty much is "hi" in index.html (two characters) and I got a "D". So to help me understand how to hack this installation, how can I use the website's evaluation to hack into it so I can understand the exploitation of the security holes I have obviously left open? Is there any guidance here?

  • by cqqxo4zV46cp on 7/5/24, 9:38 AM

    This tool was posted on HN within the last few days.
  • by hulitu on 7/8/24, 5:11 PM

    Seeing Microsoft and security in the same sentence makes me suspicious. /s