Increase security of hstspreload.org

[Kenneth-Barber]

Security Headers gives hstspreload.org a score of D for its use of security headers. Please get the score to A+. https://securityheaders.com/?q=hstspreload.org&followRedirects=on

The Qualys SSL Server Test points out that hstspreload.org still supports TLS 1.0, TLS 1.1, and several weak cipher suites within TLS 1.2. Please remove support for these. It also wouldn't hurt to set up OCSP stapling. https://www.ssllabs.com/ssltest/analyze.html?d=hstspreload.org

[Kenneth-Barber]

Please also add support for TLS 1.3 and OCSP stapling. This would improve both the security and the load time of the website.

[Kenneth-Barber]

The Qualys SSL Server Test now caps the score at B if TLS 1.0 and TLS 1.1 are still supported. Since hstspreload.org still supports these, it scores a B out of a maximum of A+.

[LoganDark]

I had no idea https://securityheaders.com existed. Along with that and SSL Labs, do you have any other useful tools that server operators can use to verify that their security is up-to-date?

[Kenneth-Barber]

There are many tools out there that you can learn about just by Google searching. That is how I learned about the ones that I am about to list. I am only listing free ones, but I'm sure that there are good paid options out there.

For security, there is:

• Mozilla Observatory
• ImmuniWeb® Community Edition (5 tools)
• JitBit SSL Check It also helps to look into tools that will test vulnerabilities (penetration testing) (i.e. try to hack your system) and not just check your system's configuration.

Even though you didn't ask for it, I might as well share some of my other web-related bookmarks.

For speed, there is Yellow Lab Tools and GTmetrix. For search engine optimization, there is Screaming Frog SEO Spider. For compatibility, there is webhint. To test a website's carbon footprint, there is Website Carbon. To find broken links, there is this and this. To check the markup of web documents, there is the W3C Markup Validation Service. To test if a website uses HTTP/2, use HTTP2.Pro.

As you can see, there are many things about a website that can be suboptimal. I hope that you find these links useful.