Closed freddyb closed 8 years ago
I try to use positive point things pretty sparingly, as a way to encourage people to try out new things to improve security. Although they might not be "more secure" per se, they move forward the state of knowledge on the internet, so I therefore feel like it's important for them to get a bonus.
For example, is `X-Frame-Options: DENY` (0 points) any less secure than using `frame-ancestors 'none'`? Not really, it's just that one is the way forward and I want to encourage people to use these methods.
Note that you get +5 whether you load scripts from external origins or the same origin, as long as you use SRI.
I don't seem encouraged to use SRI by not being awarded points due to lack of scripts, TBH.
And even if I had any, I'd rely clearly on my own host, actually the same one as the main website, using a subdomain to serve them cookieless, and generating hashes for them is a useless hassle (since anyone who can modify these scripts can also modify my templates), so why bother? (OK, I get that someone may be just too lazy or too short on time to do so, but does it justify the overhead in served HTML?)
Not using any external scripts, I get a score of 110.
Using external scripts with SRI gets them 11 points.
Why is using external scripts (with SRI) better than not using external scripts at all? Sure, showing off you know SRI is a cool thing. But not relying on third-party domains for scripts (think availability) would be even better, no?