Open cjyabraham opened 2 months ago
I have issues getting that report to load. I found a couple of alternatives, but there may also be others worth exploring: https://www.hardenize.com/report/cncf.io/1713670549 https://www.immuniweb.com/websec/www.cncf.io/RT6VmvDP/
Missing:
1) HSTS Preloaded
I ran the CNCF website through this checker https://hstspreload.org/?domain=www.cncf.io https://hstspreload.org/?domain=cncf.io
2) Content Security Policy
Imposing stricter control on what can be embedded / included on our site. This could cause problems with the CNCF blog, which currently embeds content from many sources. But the blog is also where our site could be exploited, so some control could be good. We would need to discuss this and weigh up the potential extra work involved.
This plugin seems to be recommended a lot for WP - https://wordpress.org/plugins/gd-security-headers/
Can also implement ourselves - Pantheon has some guidance.
CSP Evaluator - https://csp-evaluator.withgoogle.com
For monitoring CSP, https://report-uri.com (to hand off reporting and alerts)
3) DMARC
We would need to generate the DMARC DNS record, add it to our DNS (I think through https://dnsimple.com) and monitor it.
Reporting could be fed back to https://report-uri.com
From reading around, CSP is a large part of the security score, but this could also cause us the most problems with content. Let's discuss next steps on our call.
Let's improve this security score which currently gives us an F.
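The three gaps listed above (HSTS preload eligibility, CSP strength, and a DMARC record) can each be checked offline against the header or DNS value before anything is deployed. The script below is an added example for this thread, not code from the CNCF site or from any of the linked tools; the header and TXT values it checks are constructed samples, and `example.report-uri.com` and the mailto address are placeholders rather than real reporting endpoints. The HSTS rules mirror the published hstspreload.org requirements (max-age of at least one year, includeSubDomains, preload); the CSP rules cover the main findings csp-evaluator raises (unsafe-inline without a nonce or hash, unsafe-eval, wildcard sources, unrestricted object-src, no reporting directive).

```python
"""Offline checks for the three findings in this issue: HSTS preload eligibility,
Content-Security-Policy strength, and a DMARC TXT record.
Added example, not the cncf.io project's code. All inputs are constructed samples."""

HSTS_MIN_MAX_AGE = 31536000  # hstspreload.org requires max-age of at least one year


def parse_directives(header):
    """Split 'a=1; b; c' style values (HSTS, DMARC) into {name: value or None}."""
    out = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        out[name.strip().lower()] = value.strip() or None
    return out


def check_hsts(header):
    """Return the problems stopping this header from meeting preload requirements."""
    if not header:
        return ["Strict-Transport-Security header missing"]
    problems = []
    d = parse_directives(header)
    max_age = d.get("max-age")
    if max_age is None or not max_age.isdigit():
        problems.append("max-age missing or not an integer")
    elif int(max_age) < HSTS_MIN_MAX_AGE:
        problems.append(f"max-age {max_age} is below {HSTS_MIN_MAX_AGE}")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


def check_csp(header):
    """Flag weak CSP settings of the kind csp-evaluator reports."""
    if not header:
        return ["Content-Security-Policy header missing"]
    problems = []
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    # script-src falls back to default-src when absent
    script = policy.get("script-src", policy.get("default-src"))
    if script is None:
        problems.append("no script-src or default-src: scripts unrestricted")
    else:
        has_nonce_or_hash = any(
            t.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for t in script
        )
        if "'unsafe-inline'" in script and not has_nonce_or_hash:
            problems.append("script-src allows 'unsafe-inline' without a nonce or hash")
        if "'unsafe-eval'" in script:
            problems.append("script-src allows 'unsafe-eval'")
        if "*" in script or any(t in ("http:", "https:") for t in script):
            problems.append("script-src allows a wildcard scheme or host")
    if "object-src" not in policy and "default-src" not in policy:
        problems.append("object-src not restricted (set object-src 'none')")
    if "report-uri" not in policy and "report-to" not in policy:
        problems.append("no report-uri/report-to: violations will not be reported")
    return problems


def check_dmarc(txt_record):
    """Parse a _dmarc TXT record; return (policy, problems)."""
    tags = parse_directives(txt_record)
    if tags.get("v") != "DMARC1":
        return None, ["record does not start with v=DMARC1"]
    problems = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        problems.append("p= tag missing or invalid")
    if "rua" not in tags:
        problems.append("no rua= aggregate report address, so nothing to monitor")
    return policy, problems


# Constructed samples (placeholders, not values observed on cncf.io)
SAMPLE_HSTS_WEAK = "max-age=300"
SAMPLE_HSTS_OK = "max-age=63072000; includeSubDomains; preload"
SAMPLE_CSP_WEAK = "default-src * 'unsafe-inline' 'unsafe-eval'"
SAMPLE_CSP_OK = (
    "default-src 'self'; script-src 'self' 'nonce-abc123'; object-src 'none'; "
    "report-uri https://example.report-uri.com/r/d/csp/enforce"
)
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    for label, result in (
        ("HSTS (weak)", check_hsts(SAMPLE_HSTS_WEAK)),
        ("HSTS (ok)", check_hsts(SAMPLE_HSTS_OK)),
        ("CSP (weak)", check_csp(SAMPLE_CSP_WEAK)),
        ("CSP (ok)", check_csp(SAMPLE_CSP_OK)),
        ("DMARC", check_dmarc(SAMPLE_DMARC)),
    ):
        print(f"{label}: {result or 'no problems'}")
```

Starting DMARC at `p=none` with a `rua=` address is the usual first step: it changes nothing about delivery but produces the aggregate reports needed before tightening to quarantine or reject. The CSP check deliberately treats `'unsafe-inline'` as acceptable only when a nonce or hash is also present, since browsers ignore it in that case.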