Mozilla website Security Analysis tool Observatory released

Source: Internet
Author: User
Tags: HTTP Strict Transport Security

Mozilla recently released a website security analysis tool called Observatory, which is designed to encourage developers and system administrators to enhance their website's security configuration.

The tool is simple to use: enter a website URL, and Observatory fetches the site, analyzes its HTTP response headers, and reports the site's security level as both a numeric score and a letter grade. It examines a large number of security configurations and deducts points from the score according to the severity of each problem it finds. The main areas the tool inspects are:

Cookies
Cross-Origin Resource Sharing (CORS)
Content Security Policy
HTTP Public Key Pinning
HTTP Strict Transport Security
Redirection
Subresource Integrity
X-Content-Type-Options
X-Frame-Options
X-XSS-Protection
Based on Mozilla's description of the scoring details, each site starts with a default of 100 points, and specific configurations then deduct or add points:

All sites start from a baseline of 100 points, and points are then deducted or added. The minimum is 0 points, but there is no upper limit; the theoretical maximum in the current HTTP Observatory is 130. It is important to note that although the score ranges represented by the letter grades and the score corrections themselves are somewhat arbitrary, the ratings are derived from industry experts' feedback and represent the likelihood that a website will fail a given test.

For example, in the CORS test, a site that sends a CORS header restricted to specific domains loses no points, but if the same site allowed all domains while using a CORS XML file, it would lose 50 points, which is the maximum deduction that can be applied to the score.

Observatory consists of a core library, a CLI, and a web interface. The CLI lets developers incorporate the scoring into test suites or deployment logic in a scripted way. For users who only need it occasionally, the web interface lets you enter a site address and set the other options. The tool can also invoke additional security analysis tools, such as securityheaders.io and hstspreload.appspot.com, to provide a more in-depth analysis.
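A header audit in the spirit of the scripted CLI use described above, written here as an added example that is not Observatory's own code: it checks the header categories the article lists against a constructed response, starts from 100 points and deducts per finding, flooring at 0 as the scoring section describes. The point weights (except the quoted -50 for a wildcard CORS origin), the letter-free output and the six-month HSTS threshold are assumptions, not Observatory's real scoring table.

```python
from typing import Callable, List, Tuple
Headers = List[Tuple[str, str]]  # raw (name, value) pairs; repeats allowed

def _get(headers: Headers, name: str) -> List[str]:  # every value of a header, case-insensitive name
    return [v for n, v in headers if n.lower() == name.lower()]

def _hsts_ok(headers: Headers) -> bool:
    """Strict-Transport-Security present with a max-age of at least six months (assumed threshold)."""
    for v in _get(headers, "Strict-Transport-Security"):
        for part in v.replace(" ", "").lower().split(";"):
            if part.startswith("max-age="):
                age = part[len("max-age="):]
                return age.isdigit() and int(age) >= 15552000
    return False

def _cookies_weak(headers: Headers) -> bool:
    """True if any Set-Cookie lacks the Secure or HttpOnly attribute."""
    for v in _get(headers, "Set-Cookie"):
        if not {"secure", "httponly"} <= {p.strip().lower() for p in v.split(";")[1:]}:
            return True
    return False

# (finding, deduction, predicate that is True when the finding applies). Weights are ASSUMED
# for illustration; only the -50 for a wildcard CORS origin matches the figure the article quotes.
RULES: List[Tuple[str, int, Callable[[Headers], bool]]] = [
    ("CORS allows any origin (*)", -50,
     lambda h: "*" in [v.strip() for v in _get(h, "Access-Control-Allow-Origin")]),
    ("HSTS missing or max-age below six months", -20, lambda h: not _hsts_ok(h)),
    ("Content-Security-Policy missing", -25, lambda h: not _get(h, "Content-Security-Policy")),
    ("X-Frame-Options missing", -20, lambda h: not _get(h, "X-Frame-Options")),
    ("X-Content-Type-Options is not nosniff", -5,
     lambda h: "nosniff" not in [v.strip().lower() for v in _get(h, "X-Content-Type-Options")]),
    ("X-XSS-Protection missing", -10, lambda h: not _get(h, "X-XSS-Protection")),
    ("Set-Cookie without Secure and HttpOnly", -20, _cookies_weak),
]

def audit(headers: Headers) -> Tuple[int, List[str]]:
    """Start at 100, apply every matching deduction, floor at 0 as the article describes."""
    score, findings = 100, []
    for finding, points, applies in RULES:
        if applies(headers):
            score += points
            findings.append(f"{finding} ({points})")
    return max(score, 0), findings

# Constructed sample responses, not captured from any real site.
WEAK: Headers = [("Access-Control-Allow-Origin", "*"), ("Set-Cookie", "session=abc; Path=/")]
HARDENED: Headers = [("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
                     ("Content-Security-Policy", "default-src 'self'"), ("X-Frame-Options", "DENY"),
                     ("X-Content-Type-Options", "nosniff"), ("X-XSS-Protection", "1; mode=block"),
                     ("Set-Cookie", "session=abc; Path=/; Secure; HttpOnly")]
```

Running `audit(WEAK)` returns a floored score of 0 with all seven findings, while `audit(HARDENED)` returns 100 with none; to audit a live site, feed it the `(name, value)` pairs from the response of any HTTP client.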

On the tool's website, each category links to Mozilla documentation on that topic, which developers can use to learn how to implement the security policy properly. Mozilla's CORS guide says:

[CORS information] should not be present unless explicitly required. Use cases for this type of information include hosting a content delivery network (CDN) for JavaScript/CSS libraries and exposing API endpoints. If such information is used, it must be locked down as tightly as possible, to only the absolutely necessary origins and resources.

The Observatory website itself received an A+ and 120 points from the tool, while Mozilla.org scored a D+ and 40 points. The project is open source and has been published on GitHub.

Original article: "Mozilla's Observatory Website Security Analysis Tool Available", by David Iffland.
