Change Log

New Check for End-Of-Life Software

October 7th, 2019
You should be hiding your X-Powered-By and Server headers, but if you're not, we'll compare the versions you're leaking (if any) against our database of known deprecated/EOL/ or otherwise unsupported versions of software and we'll throw up an alert in the "bad" section. Since we already "punish" your score for leaking these headers, they currently have no impact on metrics -- so your score will stay the same as our last release.

Some More Changes...

October 5th, 2019
Lots of small changes pushed yesterday and today:

Minor Version Bump

October 3rd, 2019
We just bumped the scanner version from v3.1 to v3.2 to address a misconfiguration issue in our HPKP module. Back in version 3.0, we removed the weight of HTTP Public Key Pinning (HPKP). For sites that did not use HTTPS, this module would be needed so it should have assigned the weighted score the same as the total score (both of which should be zero). Sadly, this module gave a "credit" of one point if you were not using HTTPS, so sites operating over HTTP would see a minimal score improvement. This issue was resolved and our scanner will be updated to ensure that the weighted score cannot exceed the modules' maximum score.

Requesting Sites Differently

July 27th, 2019
Originally, we made a quick HEAD request to your site, checked the headers, and reported. Some sites (like handled methods they didn't desire correctly with a HTTP 405 Method Not Implemented. Others (like returned a HTTP 406 Not Acceptable. I've tried a few different fixes for these sites, from updating the requiest headers to show the latest Firefox version, to changing to Accept: */*. This didn't fix the issue for the 406 sites. I then tried changing the request method from HEAD to GET and I started getting valid HTTP 200 OK responses. Because of this, I've changed the request system ongoing to use GET and I've also iterated the version of the scans from v3.0.0 to v3.1.0. Your scores may be impacted, so check often!

Major Scanning / Scoring Rewrite

July 4th, 2019
The original version of this site focused heavily on getting the content from the site and outputting suggestions. Scoring information gamifys security and creates additional motivation to improve your scoring. The previous version of the site worked in such a way that any "good" status was 10 points, and "improve" was 5, and any "bad" was a 0. Since headers have varying importance levels, and configuration options of those headers can greatly improve or reduce the effectiveness of a header, it only made sense to allow more dynamic scoring.

Rewrite Scanner

The scanner was implemented in such a way that improving the codebase was a mess. It was a demonstration piece that became useful. The entire backend of this site was rewrote to use a series of modules that can control their own point systems and output data about a header. This modularity makes improving a single module much easier and will only allow better scanning in the future.

Other Changes

Future Changes

Currently, we only check that you're using specfic headers, and a few parameters within them. The goal is to build out full parameter audit as well which will give you the best idea how you can improve your security.

Remember that your score probably will change when we make these changes. Some sites have improved in score, others have actually went down in score. We've also rebracketted the "score words" that quantify the number (Meh, Fail, etc). These have become more strict.