
HTTP Observatory: analyze your website and review available methods to secure it - based2
https://github.com/mozilla/http-observatory
======
rmdoss
Their description doesn't really match what they do:

"Observatory by Mozilla is a project designed to help developers, system
administrators, and security professionals configure their sites safely and
securely. "

All they check is if you have a few security headers and consider that
"secure".

There is a LOT more to website security than adding a few extra headers and
HTTPS to your site. Even if you get an A, it doesn't mean anything.

To give an example, Google gets a D, CloudFlare a D, Youtube a C+, etc.

~~~
elmigranto
> Google gets a D, CloudFlare a D, Youtube a C+

That is probably due to the non-trivial number of clients which don't support
modern stuff (old browser, etc.).

------
jvehent
Direct link to the live Observatory:
[https://observatory.mozilla.org/](https://observatory.mozilla.org/)

Example run on addons.mozilla.org:
[https://observatory.mozilla.org/analyze.html?host=addons.moz...](https://observatory.mozilla.org/analyze.html?host=addons.mozilla.org)

The Observatory measures a site's compliance with the Web Security guidelines
[1] and the Server Side TLS guidelines [2]. It's primarily meant as a helper
for website developers and operators.

[1]
[https://wiki.mozilla.org/Security/Guidelines/Web_Security](https://wiki.mozilla.org/Security/Guidelines/Web_Security)

[2]
[https://wiki.mozilla.org/Security/Server_Side_TLS](https://wiki.mozilla.org/Security/Server_Side_TLS)

(disclaimer: I work on security at Mozilla)
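A small header audit in the spirit of the checks discussed in this thread, as an added example that is not part of the Observatory's code or of any commenter's post; the header set and the six-month HSTS floor are my own assumptions, and the sample headers are constructed.

```python
from typing import Dict, List

# Headers checked here (an assumed subset, not the Observatory's full list).
RECOMMENDED = {
    "strict-transport-security": "HSTS: keep repeat visits on HTTPS",
    "content-security-policy": "CSP: restrict where scripts may load from",
    "x-content-type-options": "stop MIME sniffing (nosniff)",
    "x-frame-options": "clickjacking defence",
    "referrer-policy": "limit referrer leakage",
}
SIX_MONTHS = 15552000  # seconds; assumed floor for a useful HSTS max-age

def parse_hsts(value: str) -> Dict[str, object]:
    """Split an HSTS header value into its directives."""
    out: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        token = part.strip().lower()
        if token.startswith("max-age="):
            try:
                out["max_age"] = int(token.split("=", 1)[1].strip('"'))
            except ValueError:
                pass  # a malformed max-age counts as absent
        elif token == "includesubdomains":
            out["include_subdomains"] = True
        elif token == "preload":
            out["preload"] = True
    return out

def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response header map; names are case-insensitive."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = [f"missing {n} ({why})" for n, why in RECOMMENDED.items() if n not in lower]
    if "strict-transport-security" in lower:
        max_age = parse_hsts(lower["strict-transport-security"])["max_age"]
        if max_age is None or max_age < SIX_MONTHS:
            findings.append("hsts max-age shorter than six months")
    if lower.get("x-content-type-options", "nosniff").strip().lower() != "nosniff":
        findings.append("x-content-type-options is not 'nosniff'")
    return findings

# Constructed sample headers, not captured from any real site.
SAMPLE = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=3600; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE):
        print(finding)
```

Running it against a live site means fetching the response headers first (for example with `requests`) and passing that mapping to `audit_headers`.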

~~~
quickben
Maybe it should be called the HTTPS observatory?

I run an http-only site, I installed everything from scratch and minimized all
attack surfaces. I got an F because I'm lacking https stuff.

But maybe I'm missing something. If you don't deal with user logins and have no
sessions, do I need to get https?

Or is this site just assuming things?

~~~
jvehent
You need https to guarantee data in transit is not being modified between your
server and web clients. ISPs, for instance, have a bad tendency to inject
tracking cookies in http traffic.

~~~
quickben
Ahhh. Okay. Thanks.

------
deftnerd
SecurityHeaders.io has been doing this well for years, and without pretending
to be more than header analysis.

~~~
pbhjpbhj
It actually includes a summary result for
[https://securityheaders.io](https://securityheaders.io) on the page. That
site, your suggestion, says "A scotthelme.co.uk project - CC-BY-SA 4.0" so I
wouldn't be surprised given the similarity in presentation if Observatory was
based in some way on SecurityHeaders.io.

------
vmorgulis
On itself:
[https://observatory.mozilla.org/analyze.html?host=observator...](https://observatory.mozilla.org/analyze.html?host=observatory.mozilla.org)

> Score: 120/100

~~~
joan_lm
On mozilla.org:
[https://observatory.mozilla.org/analyze.html?host=mozilla.or...](https://observatory.mozilla.org/analyze.html?host=mozilla.org)

> Score: 40/100

------
IANAD
Gives Google a D.

[https://observatory.mozilla.org/analyze.html?host=google.com](https://observatory.mozilla.org/analyze.html?host=google.com)

(Would take this rating with a grain of salt.)

------
based2
[https://news.ycombinator.com/item?id=12361568](https://news.ycombinator.com/item?id=12361568)

