mozilla / http-observatory-cli

The command line tool for the HTTP Observatory
Mozilla Public License 2.0

I want more points! ;-) #2

Closed freddyb closed 8 years ago

freddyb commented 8 years ago

Not using any external scripts, I get a score of 110.

```
Results are cached from 2h0m30s ago; use -r to rescan.

Score: 110 [A+]
Modifiers:
    [  +5] HTTP Public Key Pinning (HPKP) header set to a minimum of 15 days (1296000)
    [  +5] Preloaded via the HTTP Strict Transport Security (HSTS) preloading process
```

Using external scripts with SRI gets them 11 points.

```
Results are cached from 2h0m27s ago; use -r to rescan.

Score: 111 [A+]
Modifiers:
    [  +5] Preloaded via the HTTP Strict Transport Security (HSTS) preloading process
    [  +5] Subresource Integrity (SRI) is implemented and all scripts are loaded securely
    [  +1] HTTP Public Key Pinning (HPKP) header set to less than 15 days (1296000)
```

Why is using external scripts (with SRI) better than not using external scripts at all? Sure, showing off you know SRI is a cool thing. But not relying on third-party domains for scripts (think availability) would be even better, no?

april commented 8 years ago

I try to use positive point things pretty sparingly, as a way to encourage people to try out new things to improve security. Although they might not be "more secure" per se, they move forward the state of knowledge on the internet, so I therefore feel like it's important for them to get a bonus.

For example, is X-Frame-Options: DENY (0 points) any less secure than using frame-ancestors 'none'? Not really, it's just that one is the way forward and I want to encourage people to use these methods.

Note that you get +5 whether you load scripts from external origins or the same origin, as long as you use SRI.

zakius commented 6 years ago

I don't seem encouraged to use SRI by not being awarded points due to lack of scripts TBH

And even if I had any I'd rely clearly on my own host, actually the same one as main website, using subdomain to serve them cookieless, and generating hashes for them is a useless hassle (since anyone who can modify these scripts can modify also my templates) so why bother? (ok, I get that someone may be just too lazy or too short on time to do so, but does it justify overhead in served HTML?)