konklone / shaaaaaaaaaaaaa

Check if a website has weak SHA-1 TLS certificates.
https://shaaaaaaaaaaaaa.com
BSD 3-Clause "New" or "Revised" License
207 stars, 27 forks

Add security headers to site #85

Closed: anand-bhat closed 8 years ago

anand-bhat commented 8 years ago

https://securityheaders.io/?q=https%3A%2F%2Fshaaaaaaaaaaaaa.com rates https://shaaaaaaaaaaaaa.com an 'E' due to the following missing headers:

konklone commented 8 years ago

Thanks, but I'm not super concerned about lacking those headers for this site. There is no idea of login or users, so no XSS vulnerabilities, and no destructive actions that users could be fooled into if the site were used in a malicious iframe. Content Type Options prevents MIME sniffing, which I also don't care about. CSP and HPKP are similarly not necessary.

I may add HPKP reporting at some point to test stuff out, but that's a separate issue.

anand-bhat commented 8 years ago

Fair enough, thanks for looking.