Mozilla has released a free tool that allows website developers and administrators to determine if they are using all available security technologies at their full potential.
The tool, named "Observatory," was developed by Mozilla Information Security Engineer April King in an effort to help the organization test its own domains. Observatory has now been made available to everyone along with its source code.
Observatory performs nearly a dozen tests, including Content Security Policy (CSP), Contribute.json, cookies, cross-origin resource sharing (CORS), HTTP Public Key Pinning (HPKP), HTTP Strict Transport Security (HSTS), redirections, subresource integrity, and X-Content-Type-Options, X-Frame-Options and X-XSS-Protection headers.
[...] "Observatory is currently a very developer-focused tool, and its grading is set very aggressively to promote best practices in web security. So if your site fails Observatory's tests, don't panic — just take a look at its recommendations and consider implementing them to make your site more secure," King said.
(Score: 1, Informative) by Anonymous Coward on Monday August 29 2016, @05:23AM
Host: soylentnews.org
Scan ID #: 1479308
Test Time: August 29, 2016 12:22 AM
Test Duration: 2 seconds
Score: 40/100
Tests Passed: 6/10
(Score: 1, Funny) by Anonymous Coward on Monday August 29 2016, @05:39AM
There you have it. If SN doesn't pass, the test is crap.
(Score: 0) by Anonymous Coward on Monday August 29 2016, @07:11AM
It is. Quite a few of the tests are for client-side pseudo-security (i.e. telling the browser that it's not allowed to do something, and pretending that every script kiddie uses an approved browser that does as told).
I'm pretty sure my home server (offline at the moment, I'm at work) would get a low score because of not implementing these. The thing is, everything on my home server is static content, so even without headers telling the browser to do all sorts of things, nothing is going to happen, because even if the browser does try those things, the server is unable to honor the request.
(Score: 2) by coolgopher on Monday August 29 2016, @07:21AM
Tried it against a http-only, static content site of mine. Got an F.
(Score: 2, Informative) by Anonymous Coward on Monday August 29 2016, @07:24AM
That this tool would get a false positive on the rare configuration of a purely static, javascript-free site is not meaningful. Recognize your own rarity.
The intent of a tool like this is to catch the low-hanging fruit without giving a false sense of security due to false negatives. That doesn't make it crap. It makes it conservative.
(Score: 2) by NCommander on Monday August 29 2016, @12:40PM
While a browser is free to ignore security headers, in the case of XSS stuff, an attacker is injecting code into another site to make the victim's browser do X. Generally speaking, most people are going to be running a browser that will respect security headers.
And the XSS stuff for SN is known; it was brought to our attention a week or so ago but I haven't had a chance to implement it as of yet. Notably, our dev site (observatory link [mozilla.org]) currently scores a B.
Still always moving