Mozilla has released a free tool that allows website developers and administrators to determine if they are using all available security technologies at their full potential.
The tool, named "Observatory," was developed by Mozilla Information Security Engineer April King in an effort to help the organization test its own domains. Observatory has now been made available to everyone along with its source code.
Observatory performs nearly a dozen tests, including Content Security Policy (CSP), Contribute.json, cookies, cross-origin resource sharing (CORS), HTTP Public Key Pinning (HPKP), HTTP Strict Transport Security (HSTS), redirections, subresource integrity, and X-Content-Type-Options, X-Frame-Options and X-XSS-Protection headers.
[...] "Observatory is currently a very developer-focused tool, and its grading is set very aggressively to promote best practices in web security. So if your site fails Observatory's tests, don't panic — just take a look at its recommendations and consider implementing them to make your site more secure," King said.
(Score: 2, Informative) by Anonymous Coward on Monday August 29 2016, @07:24AM
That this tool would get a false positive on the rare configuration of a purely static, javascript-free site is not meaningful. Recognize your own rarity.
The intent of a tool like this is to catch the low-hanging fruit without giving a false sense of security due to false negatives. That doesn't make it crap. It makes it conservative.