New Check for End-Of-Life Software
October 7th, 2019
You should be hiding your X-Powered-By and Server headers, but if you're not, we'll compare the versions you're leaking (if any) against our database of known deprecated, EOL or otherwise unsupported software versions and raise an alert in the "bad" section. Since we already penalize your score for leaking these headers, this check currently has no impact on metrics, so your score will stay the same as in our last release.
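The comparison described above, as an added example that is not the site's own code: it pulls every "Product/version" token out of the Server and X-Powered-By headers, looks each product up in a cut-off table, and raises an alert when the leaked version sorts below the oldest supported branch. The cut-off table and the sample headers are constructed for the example; real cut-offs have to come from the vendors' lifecycle pages.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Constructed cut-off table for this example: product -> oldest version branch still
# supported. The numbers are illustrative assumptions, not the site's database; a real
# check must source them from each vendor's lifecycle page and keep them current.
OLDEST_SUPPORTED: Dict[str, Version] = {
    "php": (7, 2),
    "apache": (2, 4),
    "nginx": (1, 16),
    "openssl": (1, 1, 1),
}

# Matches "Product/1.2.3" tokens; a header such as
# "Apache/2.4.41 (Ubuntu) OpenSSL/1.0.2g PHP/7.3.9" yields three of them.
PRODUCT_RE = re.compile(r"([A-Za-z][A-Za-z0-9_.-]*?)/(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Version:
    """'5.6.40' -> (5, 6, 40); tuples compare lexicographically, which is what we want."""
    return tuple(int(part) for part in text.split("."))


def leaked_products(headers: Dict[str, str]) -> List[Tuple[str, Version]]:
    """Extract (product, version) pairs from Server and X-Powered-By, case-insensitively."""
    lowered = {name.lower(): value for name, value in headers.items()}
    found: List[Tuple[str, Version]] = []
    for header in ("server", "x-powered-by"):
        for product, version in PRODUCT_RE.findall(lowered.get(header, "")):
            found.append((product.lower(), parse_version(version)))
    return found


def eol_alerts(headers: Dict[str, str]) -> List[str]:
    """Return one alert per leaked version older than the oldest supported branch."""
    alerts: List[str] = []
    for product, version in leaked_products(headers):
        floor = OLDEST_SUPPORTED.get(product)
        if floor is None:
            continue  # product not in the table: nothing to compare against, no alert
        if version < floor:
            alerts.append(
                f"{product} {'.'.join(map(str, version))} is unsupported "
                f"(oldest supported branch: {'.'.join(map(str, floor))})"
            )
    return alerts


if __name__ == "__main__":
    # Constructed sample responses, not real scan data.
    samples = [
        {"Server": "Apache/2.2.34 (Ubuntu)", "X-Powered-By": "PHP/5.6.40"},
        {"Server": "nginx/1.16.1"},
        {"server": "cloudflare"},  # no version leaked: nothing to check
    ]
    for sample in samples:
        print(sample, "->", eol_alerts(sample) or "no EOL alerts")
```

A header with no version token (for example a bare "cloudflare") produces no alert, which is the correct outcome: the remedy the post recommends is to stop leaking the version in the first place, and this check must not penalize a site twice for the same header.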
Some More Changes...
October 5th, 2019
Lots of small changes pushed yesterday and today:
- The headers section has been moved lower on the page, after the information blocks
- An indicator was added next to your score to show how much it has improved, or gotten worse, from the last scan
- I've built out an admin system to give me a bit more insight into how folks are using this site, how different versions are scoring, and some actual analytics on failed scans (those we can't complete because a site is down, etc.)
- I've added the version of the Moz 500 sites that show up alongside your scores. They're all still at "1.00" right now, but I'm slowly working through a stale copy of the Alexa Top 1 Million sites, which will give me a lot more information
- Also: I'm tracking the score each scan returns for every module I add, so I can get some good comparative intel into which sites are doing well and where some education would help.
- HSTS has no effect on sites not served over HTTPS (browsers ignore the header when it arrives over plain HTTP). I used to short-circuit this by awarding 100% of the points, which was the wrong approach, so expect non-HTTPS sites to slide further down the scoring.
- Cookie parameters had a minor effect on your score even if you set no cookies (again, awarding 100% of the points). If you don't set cookies on your landing page, your score may drop slightly to back out the erroneous points you received before.
- Iterated to version 3.3 to reflect the fact that modules now have dynamic maximum weight scores, and the score tuning mentioned here.
Minor Version Bump
October 3rd, 2019
We just bumped the scanner version from v3.2 to address a misconfiguration in our HPKP module. Back in version 3.0 we removed the weight of HTTP Public Key Pinning (HPKP). For sites that do not use HTTPS the module does not apply at all, so it should have assigned a weighted score equal to its maximum score (both of which should be zero). Instead, it gave a "credit" of one point if you were not using HTTPS, so sites served over plain HTTP saw a small score improvement. This has been fixed, and the scanner now ensures that a module's weighted score cannot exceed that module's maximum score.
Requesting Sites Differently
July 27th, 2019
Originally, we made a quick HEAD request to your site, checked the headers, and reported. Some sites (like www.masterlock.com) correctly rejected methods they didn't want to serve with an HTTP 405 Method Not Allowed. Others (like www.bluehost.com) returned an HTTP 406 Not Acceptable. I tried a few different fixes for these sites, from updating the request headers to present the latest Firefox User-Agent to sending Accept: */*. Neither fixed the issue for the 406 sites. I then changed the request method from HEAD to GET and started getting valid HTTP 200 OK responses. Because of this, I've changed the request system to use GET going forward, and I've also bumped the scan version from v3.0.0 to v3.1.0. Your scores may be affected, so check often!
Major Scanning / Scoring Rewrite
July 4th, 2019
The original version of this site focused heavily on getting the content from the site and outputting suggestions. Scoring information gamifies security and creates additional motivation to improve your score. In the previous version of the site, any "good" status was worth 10 points, "improve" was worth 5, and any "bad" was worth 0. Since headers vary in importance, and the configuration options within a header can greatly improve or reduce its effectiveness, it only made sense to allow more dynamic scoring.
Rewrite Scanner
The scanner was implemented in such a way that improving the codebase was a mess. It was a demonstration piece that became useful. The entire backend of this site was rewritten as a series of modules that each control their own point system and output data about a header. This modularity makes improving a single module much easier and will allow better scanning in the future.
- Due to waning support for HPKP, this header has no impact on your site score
- Expect-CT, while technically an expired draft, is intended to replace it. Some weight has been given to this header.
- 🤷 Expect-Staple seems like it might be something, but almost everything about it dates from 2017. I won't build it in until I see something solid about how it should be implemented; then I can test for a way to check it.
- We disregard the protocol you provide and check HTTPS first, then HTTP. Your score will take a heavy hit if you're only serving over HTTP
- We added require-sri-for to our CSP and the Expect-CT header to our own site. There's no point dispensing advice we can't follow!
- For sites implementing Content-Security-Policy-Report-Only, you will receive a minor bump in scoring. Full scoring can be achieved by using
- Sites that set cookie(s) on page load will now be checked for the Secure attribute (on HTTPS sites),
Future Changes
Currently, we only check that you're using specific headers, and a few parameters within them. The goal is to build out a full parameter audit, which will give you the best idea of how you can improve your security.
Remember that your score will probably change when we make these changes. Some sites have improved in score; others have actually gone down. We've also re-bracketed the "score words" that describe the number (Meh, Fail, etc.). These have become more strict.