mozilla / advocacy.mozilla.org

https://advocacy.mozilla.org
Mozilla Public License 2.0

improve HTTP Observatory score for advocacy (petitions) #263

Open floatingatoll opened 7 years ago

floatingatoll commented 7 years ago

We did our best on improving petitions.mozilla.org at https://bugzilla.mozilla.org/show_bug.cgi?id=1310006 but the redirect to advocacy means that we're capped at B- for WebOps-side things.

HTTP Observatory Report: advocacy.mozilla.org

| Score | Rule | Description |
|------:|------|-------------|
| -20 | content-security-policy | Content Security Policy (CSP) implemented unsafely. |
| -10 | strict-transport-security | HTTP Strict Transport Security (HSTS) header set to less than six months (15768000). |
| -5 | contribute | Contribute.json file missing from root of website. |
| -5 | subresource-integrity | Subresource Integrity (SRI) not implemented, but all external scripts are loaded over https. |
| 0 | public-key-pinning | HTTP Public Key Pinning (HPKP) header not implemented. |
| 0 | x-xss-protection | X-XSS-Protection header set to "1; mode=block". |
| 0 | cookies | No cookies detected. |
| 0 | cross-origin-resource-sharing | Content is not visible via cross-origin resource sharing (CORS) files or headers. |
| 0 | x-content-type-options | X-Content-Type-Options header set to "nosniff". |
| 0 | redirection | Initial redirection is to https on same host, final destination is https. |
| 5 | x-frame-options | X-Frame-Options (XFO) implemented via the CSP frame-ancestors directive. |

Score: 65
Grade: B-

Full Report Url: https://observatory.mozilla.org/analyze.html?host=advocacy.mozilla.org

floatingatoll commented 7 years ago

I advise prioritizing strict-transport-security and contribute before tackling the heavier SRI/CSP stuff.
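An offline re-check of the two header findings from the report above (the -10 HSTS deduction and the -20 CSP deduction), added here as an example and not code from the advocacy.mozilla.org project; the six-month threshold is the 15768000 seconds quoted in the report, and the sample headers are constructed to reproduce those two deductions.

```python
# Added example: re-checks the report's HSTS and CSP findings on a header dict.
import re

SIX_MONTHS = 15768000  # seconds; the Observatory report deducts points below this

def hsts_max_age(headers):
    """Return the max-age from Strict-Transport-Security, or None if absent."""
    value = headers.get("strict-transport-security")
    if value is None:
        return None
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else None

def csp_is_unsafe(headers):
    """True if CSP is missing, has no script-src/default-src, or allows unsafe-inline/eval."""
    csp = headers.get("content-security-policy")
    if csp is None:
        return True
    directives = {}
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts:
            directives[parts[0].lower()] = [p.strip("'").lower() for p in parts[1:]]
    script = directives.get("script-src", directives.get("default-src"))
    if script is None:
        return True
    return "unsafe-inline" in script or "unsafe-eval" in script

def audit(headers):
    """Return [(rule, problem), ...] for a dict of response headers (any key case)."""
    headers = {k.lower(): v for k, v in headers.items()}
    findings = []
    age = hsts_max_age(headers)
    if age is None:
        findings.append(("strict-transport-security", "header missing"))
    elif age < SIX_MONTHS:
        findings.append(("strict-transport-security", f"max-age {age} < {SIX_MONTHS}"))
    if csp_is_unsafe(headers):
        findings.append(("content-security-policy", "inline/eval script allowed"))
    return findings

# Constructed sample headers that reproduce the report's -20 and -10 deductions.
SAMPLE = {
    "Strict-Transport-Security": "max-age=2592000",  # 30 days, under six months
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
}

if __name__ == "__main__":
    for rule, problem in audit(SAMPLE):
        print(f"{rule}: {problem}")
```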