Amelioring the security of your website

[msrrkusrccom]

It has a very poor mark (F) in the Mozilla Observatory https://observatory.mozilla.org/analyze.html?host=specdb.markasoftware.com

• [ ] Content Security Policy Content Security Policy (CSP) header not implemented
• [ ] HTTP Public Key Pinning HTTP Public Key Pinning (HPKP) header not implemented
• [ ] HTTP Strict Transport Security HTTP Strict Transport Security (HSTS) header not implemented
• [ ] (⚠️ CRITICAL ⚠️) Redirection Does not redirect to an https site
• [ ] Referrer Policy Referrer-Policy header not implemented
• [ ] Subresource Integrity Subresource Integrity (SRI) not implemented, but all external scripts are loaded over https
• [ ] X-Content-Type-Options X-Content-Type-Options header not implemented
• [ ] X-Frame-Options X-Frame-Options (XFO) header not implemented
• [ ] X-XSS-Protection X-XSS-Protection header not implemented

[markasoftware]

I kind've hate to say this but security doesn't really matter for this site. Nobody is entering any important data such as passwords or credit card numbers, so there's nothing for a hacker to steal. The worst case scenario is a hacker could do an MITM attack and redirect users to some other site or something, but why would they?

[markasoftware]

Additionally, the host I'm using, netlify, doesn't allow fixing any of this without enabling HSTS, which i don't want to do because some other stuff I run doesn't use https. But thanks for the issue anyways.

[markasoftware]

Ok, I went ahead and enabled HSTS...it now gets a D https://observatory.mozilla.org/analyze.html?host=specdb.markasoftware.com the other stuff is not configurable and matters less.