
Mozilla's Observatory Website Security Analysis Tool Available

by David Iffland on Aug 31, 2016

Mozilla has launched a new website security analysis tool, Observatory, in the hope of encouraging developers and system administrators to improve their websites' security configurations.

The premise is simple: enter the URL of a website and the tool will connect and analyze the HTTP headers, providing a numerical score and letter grade. There are a number of properties that the site looks at and for each one a negative score modifier is imposed depending on the severity of the problem. The top level checks are:

  • Cookies
  • Cross-origin Resource Sharing (CORS)
  • Content Security Policy
  • HTTP Public Key Pinning
  • HTTP Strict Transport Security
  • Redirections
  • Subresource Integrity
  • X-Content-Type-Options
  • X-Frame-Options
  • X-XSS-Protection

According to scoring details from Mozilla, each site starts with a score of 100 and loses or gains points depending on its configuration:

All websites start with a baseline score of 100, and then receive penalties or bonuses from there. Although the minimum score is 0, there is no maximum score. Currently, the highest possible score in the HTTP Observatory is 130. Note that although both the letter grade ranges and modifiers are essentially arbitrary, they are based on feedback from industry professionals on how important passing or failing a given test is likely to be.

For example, in the CORS test, a site with CORS headers that are restricted to specific domains receives no negative points for that criterion. However, if the same site allows all domains through a CORS XML file, a 50-point penalty is applied, the largest such negative modifier.
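To make the scoring model concrete, here is an added, simplified scorer in the spirit of Observatory (example code, not Mozilla's own): it starts every site at 100, applies a modifier per failed or passed check, and clamps the result at 0 with no upper cap. Only the -50 for a wildcard crossdomain.xml comes from the article; every other modifier value, the letter-grade bands, and the sample headers are assumptions constructed for this example.

```python
BASELINE = 100   # every site starts here (Mozilla's scoring details)
MIN_SCORE = 0    # penalties cannot push the score below 0; there is no upper cap

# Only the -50 for a crossdomain.xml that allows all domains is stated in the article;
# every other modifier here is an ASSUMED placeholder, not Observatory's own value.
MODIFIERS = {"hsts-missing": -30, "x-content-type-options-missing": -5,
             "x-frame-options-missing": -20, "cors-xml-wildcard": -50,
             "csp-bonus": 5}   # bonuses are how a score above 100 is possible

def run_checks(headers, crossdomain_xml=None):
    """Return the modifier names triggered by one response's headers (case-insensitive)."""
    h = {k.lower(): v.strip().lower() for k, v in headers.items()}
    hits = []
    if "strict-transport-security" not in h:
        hits.append("hsts-missing")
    if h.get("x-content-type-options") != "nosniff":
        hits.append("x-content-type-options-missing")
    if "x-frame-options" not in h:
        hits.append("x-frame-options-missing")
    # A Flash/Silverlight policy file that opens the site to every origin.
    if crossdomain_xml and 'domain="*"' in crossdomain_xml.replace("'", '"'):
        hits.append("cors-xml-wildcard")
    # A CSP that does not permit inline scripts earns the (assumed) bonus.
    csp = h.get("content-security-policy", "")
    if csp and "unsafe-inline" not in csp:
        hits.append("csp-bonus")
    return hits

def score(headers, crossdomain_xml=None):
    """Start at the baseline, apply every triggered modifier, clamp at MIN_SCORE."""
    total = BASELINE + sum(MODIFIERS[n] for n in run_checks(headers, crossdomain_xml))
    return max(MIN_SCORE, total)

def grade(points):
    """Letter bands are illustrative only; Observatory publishes its own ranges."""
    for threshold, letter in ((100, "A+"), (90, "A"), (80, "B"), (70, "C"), (60, "D")):
        if points >= threshold:
            return letter
    return "F"

# Constructed sample responses (not captured from any real site).
HARDENED = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
            "X-Content-Type-Options": "nosniff", "X-Frame-Options": "DENY",
            "Content-Security-Policy": "default-src 'self'"}
WEAK = {"Content-Type": "text/html"}
WILDCARD_XML = '<cross-domain-policy><allow-access-from domain="*"/></cross-domain-policy>'
```

With these assumed modifiers, `score(HARDENED)` returns 105 (baseline plus the CSP bonus) while `score(WEAK, WILDCARD_XML)` would total -5 and is clamped to 0, which is why a single wildcard policy file can sink an otherwise middling configuration to the floor.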

Observatory is broken down into a core library, a CLI, and a web interface. The CLI lets developers script the scoring of their website into a test suite or deployment logic. For more casual observers, the web interface has an input box for the website address as well as some options. The tool can also reach out to other security analyzers such as securityheaders.io and hstspreload.appspot.com to provide more in-depth coverage.

On the website, each category has a link to Mozilla's documentation on the topic where developers can find solid guidance on how to best implement the security practices. Mozilla's guidance on CORS says:

[CORS information] should not be present unless specifically needed. Use cases include content delivery networks (CDNs) that provide hosting for JavaScript/CSS libraries and public API endpoints. If present, they should be locked down to as few origins and resources as is needed for proper function.

The Observatory site itself receives an A+ with a score of 120 while mozilla.org receives a D+ with a score of 40. The project is open source and available on GitHub.
