I'm quite OCD about making my site as secure as possible even if it's just another static blog. I have used this site before... I just wish I could do without inline CSS.
Other related sites:
Ouch, the original rating for the web services I've set up and configured was a solid F. I only had HTTPS, redirects, and some firewall rules in place. Not anymore, though--within about 30 minutes of researching the various headers and the options available, it's A+ for everything!
This is a fantastic tool with lots of recommended actions and in-depth information available, and it really helps point out things that you might not know to account for. Thank you for sharing this!
tildes.net got an A+, nice
Prior to this I only knew about ssllabs. Looks like I have some work to do on getting my websites more compliant in the near future. Thanks for posting this!
mozilla.org only gets a B+
I actually looked into this, and apparently it is intentional: As a browser maker, we need to make it possible for people with outdated browsers to be able to reach our site in order to download a new copy of Firefox.
If mozilla.org was some kind of web app, I'd be more concerned. As a home page that links to downloads for new browsers, and has to deal with a rather unique chicken-and-egg problem that most sites do not need to deal with, it makes perfect sense.
Oh, that makes sense. I thought it was odd that as the makers of the tool, they didn't get an A+.
Google gets a D-
Tildes however is getting an A+ because the page that is being tested is the static page that tells you that tildes is still invite only.
It's not really testing the site, even if read-only, because it cannot access it.
dblohm7 already answered, but I'd like to add that just because there is a tool doesn't mean that every website needs to be A+.
The company I'm currently working for has a main public-facing website that doesn't store or analyse user data, doesn't provide data that could be abused, and whose public information is free to be reused.
It gets a D if I remember. It's fine. The only thing I would like our IT manager to fix is the protection against iframe encapsulation, but even that is just kind of my obsession.
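Added example, not from this thread or from the rating tool it discusses: a small offline audit of the response headers the comments keep returning to (the "various headers" behind the F-to-A+ fix, the inline CSS a strict CSP rules out, and the iframe-encapsulation protection mentioned here). The header set, the six-month HSTS threshold and the sample responses are my own constructions, not the tool's scoring.

```python
from __future__ import annotations
import re

# Constructed sample responses (not any real site's headers).
BARE_HTTPS_ONLY = {"Content-Type": "text/html"}
HARDENED_STATIC_BLOG = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "Content-Security-Policy": ("default-src 'none'; img-src 'self'; "
                                "style-src 'self'; frame-ancestors 'none'"),
    "X-Content-Type-Options": "nosniff",
}

def _get(headers: dict[str, str], name: str) -> str | None:
    """Header lookup; HTTP header names are case-insensitive."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)

def csp_directive(csp: str | None, directive: str) -> list[str] | None:
    """Sources of one CSP directive, or None if the directive is absent."""
    for part in (csp or "").split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() == directive:
            return [t.lower() for t in tokens[1:]]
    return None

def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return findings for the headers the thread discusses; [] means clean."""
    findings = []
    hsts = _get(headers, "Strict-Transport-Security")
    m = re.search(r"max-age=(\d+)", hsts or "")
    if not m or int(m.group(1)) < 15552000:  # under roughly six months
        findings.append("HSTS missing or max-age under six months")
    csp = _get(headers, "Content-Security-Policy")
    xfo = (_get(headers, "X-Frame-Options") or "").upper()
    # Framing (clickjacking) defence: CSP frame-ancestors or X-Frame-Options.
    if csp_directive(csp, "frame-ancestors") is None and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("no protection against framing (clickjacking)")
    if csp is None:
        findings.append("CSP missing")
    else:
        # Inline CSS or JS only loads if 'unsafe-inline' (or a hash/nonce) allows it.
        for d in ("style-src", "script-src"):
            srcs = csp_directive(csp, d)
            if srcs is None:  # fall back to default-src, as browsers do
                srcs = csp_directive(csp, "default-src") or []
            if "'unsafe-inline'" in srcs:
                findings.append(f"CSP allows inline {d.split('-')[0]}")
    if (_get(headers, "X-Content-Type-Options") or "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    return findings
```

Running `audit_headers` over a site's real response headers shows which of these checks fail; the `style-src 'self'` line is what forces stylesheets into files instead of inline `<style>` blocks.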
Well ouch. My sites didn't come out of that very well. Admittedly web server configuration isn't my day job, but damn. And here I thought I was so fancy forcing HTTPS and running fail2ban and ufw and with SSH on a non-standard port with root disabled.
How do you all feel about the published site stats as a vector for bad actors to discover people's websites who are failing? I feel strongly that "Don't include my site in the public results" should be true by default.