-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathobservatory.json
115 lines (115 loc) · 6.7 KB
/
observatory.json
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
{
"status": 1,
"data": {
"grade": "A+",
"response_headers": {
"Date": "Mon, 06 Feb 2023 15:59:30 GMT",
"Content-Type": "text/html; charset=utf-8",
"Content-Length": "300",
"Connection": "keep-alive",
"CF-Ray": "795517e6dba8383a-FRA",
"Accept-Ranges": "bytes",
"Age": "0",
"Cache-Control": "public, max-age=0, s-maxage=300",
"Content-Encoding": "gzip",
"ETag": "\"e7c139c592f17eb43a3d161261feedfe\"",
"Last-Modified": "Fri, 03 Feb 2023 11:13:07 UTC",
"Strict-Transport-Security": "max-age=315360000; includeSubdomains; preload",
"Vary": "Accept-Encoding",
"CF-Cache-Status": "HIT",
"content-security-policy": "default-src 'self'; font-src 'self'; img-src 'self'; object-src 'none'; script-src 'self'; style-src https://cdn.jsdelivr.net",
"referrer-policy": "same-origin",
"x-content-type-options": "nosniff",
"x-frame-options": "DENY",
"x-xss-protection": "1; mode=block",
"Server": "cloudflare",
"alt-svc": "h3=\":443\"; ma=86400, h3-29=\":443\"; ma=86400"
},
"tests": {
"content-security-policy": {
"expectation": "csp-implemented-with-no-unsafe",
"result": "csp-implemented-with-no-unsafe",
"description": "Content Security Policy (CSP) implemented without 'unsafe-inline' or 'unsafe-eval'",
"link": "https://infosec.mozilla.org/guidelines/web_security#content-security-policy",
"hint": "Content Security Policy (CSP) can prevent a wide range of cross-site scripting (XSS) and clickjacking attacks against your website."
},
"cookies": {
"expectation": "cookies-secure-with-httponly-sessions",
"result": "cookies-not-found",
"description": "No cookies detected",
"link": "https://infosec.mozilla.org/guidelines/web_security#cookies",
"hint": "Using cookies attributes such as Secure and HttpOnly can protect users from having their personal information stolen."
},
"contribute": {
"expectation": "contribute-json-only-required-on-mozilla-properties",
"result": "contribute-json-only-required-on-mozilla-properties",
"description": "Contribute.json isn't required on websites that don't belong to Mozilla",
"link": "",
"hint": ""
},
"cross-origin-resource-sharing": {
"expectation": "cross-origin-resource-sharing-not-implemented",
"result": "cross-origin-resource-sharing-not-implemented",
"description": "Content is not visible via cross-origin resource sharing (CORS) files or headers",
"link": "https://infosec.mozilla.org/guidelines/web_security#cross-origin-resource-sharing",
"hint": "Incorrectly configured CORS settings can allow foreign sites to read your site's contents, possibly allowing them access to private user information."
},
"public-key-pinning": {
"expectation": "hpkp-not-implemented",
"result": "hpkp-not-implemented",
"description": "HTTP Public Key Pinning (HPKP) header not implemented",
"link": "https://infosec.mozilla.org/guidelines/web_security#http-public-key-pinning",
"hint": "HTTP Public Key Pinning (HPKP) binds a site to a specific combination of certificate authorities and/or keys, protecting against the unauthorized issuance of certificates."
},
"redirection": {
"expectation": "redirection-to-https",
"result": "redirection-to-https",
"description": "Initial redirection is to HTTPS on same host, final destination is HTTPS",
"link": "https://infosec.mozilla.org/guidelines/web_security#http-redirections",
"hint": "Properly configured redirections from HTTP to HTTPS allow browsers to correctly apply HTTP Strict Transport Security (HSTS) settings."
},
"referrer-policy": {
"expectation": "referrer-policy-private",
"result": "referrer-policy-private",
"description": "Referrer-Policy header set to \"no-referrer\", \"same-origin\", \"strict-origin\" or \"strict-origin-when-cross-origin\"",
"link": "https://infosec.mozilla.org/guidelines/web_security#referrer-policy",
"hint": ""
},
"strict-transport-security": {
"expectation": "hsts-implemented-max-age-at-least-six-months",
"result": "hsts-implemented-max-age-at-least-six-months",
"description": "HTTP Strict Transport Security (HSTS) header set to a minimum of six months (15768000)",
"link": "https://infosec.mozilla.org/guidelines/web_security#http-strict-transport-security",
"hint": "HTTP Strict Transport Security (HSTS) instructs web browsers to visit your site only over HTTPS."
},
"subresource-integrity": {
"expectation": "sri-implemented-and-external-scripts-loaded-securely",
"result": "sri-not-implemented-but-no-scripts-loaded",
"description": "Subresource Integrity (SRI) is not needed since site contains no script tags",
"link": "https://infosec.mozilla.org/guidelines/web_security#subresource-Integrity",
"hint": "Subresource Integrity protects against JavaScript files and stylesheets stored on content delivery networks (CDNs) from being maliciously modified."
},
"x-content-type-options": {
"expectation": "x-content-type-options-nosniff",
"result": "x-content-type-options-nosniff",
"description": "X-Content-Type-Options header set to \"nosniff\"",
"link": "https://infosec.mozilla.org/guidelines/web_security#x-content-type-options",
"hint": "X-Content-Type-Options instructs browsers to not guess the MIME types of files that the web server is delivering."
},
"x-frame-options": {
"expectation": "x-frame-options-sameorigin-or-deny",
"result": "x-frame-options-sameorigin-or-deny",
"description": "X-Frame-Options (XFO) header set to SAMEORIGIN or DENY",
"link": "https://infosec.mozilla.org/guidelines/web_security#x-frame-options",
"hint": "X-Frame-Options controls whether your site can be framed, protecting against clickjacking attacks. It has been superseded by Content Security Policy's <code>frame-ancestors</code> directive, but should still be used for now."
},
"x-xss-protection": {
"expectation": "x-xss-protection-1-mode-block",
"result": "x-xss-protection-enabled-mode-block",
"description": "X-XSS-Protection header set to \"1; mode=block\"",
"link": "https://infosec.mozilla.org/guidelines/web_security#x-xss-protection",
"hint": "X-XSS-Protection protects against reflected cross-site scripting (XSS) attacks in IE and Chrome, but has been superseded by Content Security Policy. It can still be used to protect users of older web browsers."
}
}
}
}