
SoylentNews is people

posted by cmn32480 on Monday August 29 2016, @05:03AM
from the will-it-be-bloated? dept.

Mozilla has released a free tool that allows website developers and administrators to determine if they are using all available security technologies at their full potential.

The tool, named "Observatory," was developed by Mozilla Information Security Engineer April King in an effort to help the organization test its own domains. Observatory has now been made available to everyone along with its source code.

Observatory performs nearly a dozen tests, including Content Security Policy (CSP), Contribute.json, cookies, cross-origin resource sharing (CORS), HTTP Public Key Pinning (HPKP), HTTP Strict Transport Security (HSTS), redirections, subresource integrity, and X-Content-Type-Options, X-Frame-Options and X-XSS-Protection headers.

[...] "Observatory is currently a very developer-focused tool, and its grading is set very aggressively to promote best practices in web security. So if your site fails Observatory's tests, don't panic — just take a look at its recommendations and consider implementing them to make your site more secure," King said.
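An added example, not Observatory's own code: a simplified Python checker for five of the tests listed above (HSTS, CSP, framing protection, X-Content-Type-Options and cookie flags), run over two constructed header sets, one weak and one hardened. The pass criteria and the six-month HSTS threshold are assumptions modelled on common guidance, not Observatory's actual scoring rules.

```python
import re
# Constructed sample: response headers from a weakly configured site.
WEAK = {
    "strict-transport-security": "max-age=3600",
    "content-security-policy": "default-src 'self' 'unsafe-inline'",
    "set-cookie": ["sid=abc123; Path=/"],
}
# Constructed sample: the same site after applying Observatory-style recommendations.
HARDENED = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "content-security-policy": "default-src 'self'; frame-ancestors 'none'",
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
    "set-cookie": ["sid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
}
SIX_MONTHS = 15552000  # seconds; assumed minimum HSTS max-age for a pass

def check_hsts(h):
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""), re.I)
    return bool(m) and int(m.group(1)) >= SIX_MONTHS

def check_csp(h):
    # A policy that still allows inline script does little against injected markup.
    csp = h.get("content-security-policy", "").lower()
    return bool(csp) and "'unsafe-inline'" not in csp and "'unsafe-eval'" not in csp

def check_framing(h):
    # Clickjacking defence: CSP frame-ancestors or a restrictive X-Frame-Options.
    csp = h.get("content-security-policy", "").lower()
    xfo = h.get("x-frame-options", "").upper()
    return "frame-ancestors" in csp or xfo in ("DENY", "SAMEORIGIN")

def check_nosniff(h):
    return h.get("x-content-type-options", "").lower() == "nosniff"

def check_cookies(h):
    # Every Set-Cookie must carry both Secure and HttpOnly.
    for cookie in h.get("set-cookie", []):
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        if not {"secure", "httponly"} <= attrs:
            return False
    return True
TESTS = {"hsts": check_hsts, "csp": check_csp, "framing": check_framing,
         "nosniff": check_nosniff, "cookies": check_cookies}
def grade(h):
    # h: dict of lowercase header name -> value; returns (per-test results, passed count).
    results = {name: fn(h) for name, fn in TESTS.items()}
    return results, sum(results.values())
```

With these samples grade(WEAK) passes 0 of 5 checks and grade(HARDENED) 5 of 5; the real Observatory weights each test into a points score rather than counting passes, as the 40/100 result posted in the comments shows.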


  • (Score: 1, Informative) by Anonymous Coward on Monday August 29 2016, @05:23AM

    by Anonymous Coward on Monday August 29 2016, @05:23AM (#394476)

    Host: soylentnews.org
    Scan ID #: 1479308
    Test Time: August 29, 2016 12:22 AM
    Test Duration: 2 seconds

    Score: 40/100
    Tests Passed: 6/10

  • (Score: 1, Funny) by Anonymous Coward on Monday August 29 2016, @05:39AM

    by Anonymous Coward on Monday August 29 2016, @05:39AM (#394484)

    There you have it. If SN doesn't pass, the test is crap.

    • (Score: 0) by Anonymous Coward on Monday August 29 2016, @07:11AM

      by Anonymous Coward on Monday August 29 2016, @07:11AM (#394508)

      It is. Quite a few of the tests are for client-side pseudo-security (i.e. telling the browser that it's not allowed to do something, and pretending that every script kiddie uses an approved browser that does as told).

      I'm pretty sure my home server (offline at the moment, I'm at work) would get a low score because of not implementing these. The thing is, everything on my home server is static content, so even without headers telling the browser to do all sorts of things, nothing is going to happen, because even if the browser does try those things, the server is unable to honor the request.

      • (Score: 2) by coolgopher on Monday August 29 2016, @07:21AM

        by coolgopher (1157) on Monday August 29 2016, @07:21AM (#394512)

        Tried it against an HTTP-only, static-content site of mine. Got an F.

      • (Score: 2, Informative) by Anonymous Coward on Monday August 29 2016, @07:24AM

        by Anonymous Coward on Monday August 29 2016, @07:24AM (#394517)

        That this tool would get a false positive on the rare configuration of a purely static, javascript-free site is not meaningful. Recognize your own rarity.

        The intent of a tool like this is to catch the low-hanging fruit without giving a false sense of security due to false negatives. That doesn't make it crap. It makes it conservative.

      • (Score: 2) by NCommander on Monday August 29 2016, @12:40PM

        by NCommander (2) Subscriber Badge <michael@casadevall.pro> on Monday August 29 2016, @12:40PM (#394626) Homepage Journal

        While a browser is free to ignore security headers, in the case of XSS stuff, an attacker is injecting code into another site to make the victim's browser do X. Generally speaking, most people are going to be running a browser that will respect security headers.

        And the XSS stuff for SN is known; it was brought to our attention a week or so ago but I haven't had a chance to implement it as of yet. Notably, our dev site (observatory link [mozilla.org]) currently scores a B.

        --
        Still always moving