Website / Web Application Security Is Hard
That’s just the way it is. One day everything is humming along nicely; the next, some jerk is framing your site and capturing credentials from your users. That’s life.
Confession time. I’m one of those annoying security guys – the kind that has been doing this stuff for 20+ years – and I’m sometimes shocked at the sheer number of non-code things that need to be layered onto a web app to make it more resilient to attack. These range from server administration to web server configuration, and of course down to the code itself.
There’s so much about web security that even web administrators and developers don’t know; it would blow your mind. There are a lot of moving parts, and sometimes you just need some help with it.
Hello, Mozilla Observatory!
Mozilla Observatory is a neat little project that takes a look at your website’s HTTP response headers and then scores your site based on the presence (or absence) of certain security headers. It also pulls in some third-party scanners for additional checks and evidence.
Now, a couple of disclaimers… Having a high score (one of our sites scores 115/100, because we like extra credit) does not mean you’re 100% secure from all bad things ever. Also, leaving out a header here and there might be fine in your situation. No two websites are the same.
I like this project because its mission is clear and they give you very straightforward, actionable things you can do to bring your score up. This is something sorely missing from a wide array of security tools: what do I need to do, how do I do it, and why? I’m a fan.
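To make the “what do I need to do, and why?” part concrete, here is a small offline checker I’ve added for this post (it is not Observatory’s code or scoring). The header names are the real ones; the sample responses, the function names and the HSTS max-age threshold are my own constructed assumptions.

```python
# Added example, not part of Mozilla Observatory: a minimal checker for the
# kind of response headers it looks at. Sample responses are constructed.
import re

# Assumed threshold (roughly six months in seconds); Observatory has its own.
MIN_HSTS_MAX_AGE = 15552000

def check_security_headers(headers):
    """Return {check: (ok, what_to_do)} for a case-insensitive header map."""
    h = {k.lower(): v for k, v in headers.items()}
    results = {}

    # HSTS: present, and with a max-age long enough to matter.
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""))
    ok = bool(m) and int(m.group(1)) >= MIN_HSTS_MAX_AGE
    results["hsts"] = (ok, "send Strict-Transport-Security with a long max-age over HTTPS")

    # Anti-framing: CSP frame-ancestors or X-Frame-Options stops clickjacking.
    csp = h.get("content-security-policy", "")
    xfo = h.get("x-frame-options", "").strip().upper()
    ok = "frame-ancestors" in csp or xfo in ("DENY", "SAMEORIGIN")
    results["framing"] = (ok, "add CSP frame-ancestors or X-Frame-Options")

    # A CSP at all; a bare presence check, not a policy-quality check.
    results["csp"] = (bool(csp), "add a Content-Security-Policy")

    # Stop browsers from sniffing a served type into something executable.
    ok = h.get("x-content-type-options", "").strip().lower() == "nosniff"
    results["nosniff"] = (ok, "set X-Content-Type-Options: nosniff")

    # Limit what the Referer header leaks to other origins.
    results["referrer"] = ("referrer-policy" in h, "set a Referrer-Policy")
    return results

def missing(headers):
    """Sorted names of the checks that fail; empty means all checks passed."""
    return sorted(n for n, (ok, _) in check_security_headers(headers).items() if not ok)

# Constructed samples: a bare response and a hardened one.
WEAK = {"Content-Type": "text/html", "Server": "nginx"}
HARDENED = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        for name in missing(hdrs):
            print(f"{label}: {name} -> {check_security_headers(hdrs)[name][1]}")
```

Point it at a real site by feeding it the headers from your own HTTP client; the check names map directly onto fixes you can make in your web server configuration.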
Here’s a neat screenshot of our site that got some extra credit: