
Securityheaders.io – Analyse your HTTP response headers - robin_reala
https://securityheaders.io/
======
efesak2
Thanks. I didn't know about X-Content-Type-Options! It is getting harder and
harder to know all these headers nowadays. I am a big fan of these checking
tools with scores, it makes web development entertaining. (A+!
[https://securityheaders.io/?q=https%3A%2F%2Fsatoshicrypt.com...](https://securityheaders.io/?q=https%3A%2F%2Fsatoshicrypt.com%2F)
)

~~~
cmrx64
I agree, I love these sorts of things because they make it easy to learn what
you don't know. On the other hand, assigning an order based on an analysis
like this can be interpreted wrongly, which I find annoying.

~~~
Scott_Helme_
I agree, hopefully the majority will see benefit in it. It's intended as more
of a way to educate rather than a definitive security assessment.

------
vbezhenar
What I fear about HPKP is how easy it is to kill a domain. You have to lose your
keys once and it's a lost domain for your users, because it's really hard for
users to circumvent that protection. It's better to have a really good
understanding of what's going on and have good key backups before you
configure it.

~~~
Scott_Helme_
You can also pin the public keys of certificate authorities to limit which
ones can issue for your domain and not have to worry about key backups. GitHub
do this as you can see here: [https://report-uri.io/home/pkp_analyse/https%3A%2F%2Fgithub....](https://report-uri.io/home/pkp_analyse/https%3A%2F%2Fgithub.com)

I also have a blog on the various places you can pin like the leaf,
intermediate and root: [https://scotthel.me/k2h](https://scotthel.me/k2h)

------
tshadwell
I don't think `X-XSS-Protection` is a worthwhile header to have. Every browser
with XSS protection has it on by default. OWASP says this only exists to turn
it on when a user may have turned it off (I have no idea why they would).

`Content-Security-Policy` is an awesome header, but in truth, it's very easy
to misconfigure and even when correctly configured is usually fairly easy to
bypass on any non-trivially complex website (for example, JSONP is an
effective bypass for CSP). It's still worth looking into.

~~~
cyphar
JSONP only allows CSP bypass if you return anything other than JSON objects
from an API. As long as you don't do that, CSP is fine.

~~~
tshadwell
Since JSONP allows you to have a callback, you can load this in script tags on
the same domain and make calls to that / those functions.
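
Added example, not part of the thread and not code from securityheaders.io, to make the JSONP point above concrete. It is Go using only net/http and httptest, so it runs without a network; the `/data` path, the payload and the CSP string are constructed for the example. Under a policy like `script-src 'self'`, an injected `<script src="/data?callback=alert">` is fetched from an allowed origin, so whatever the callback parameter holds runs with the page's privileges. The hardened handler refuses JSONP and serves JSON with `X-Content-Type-Options: nosniff`, which makes browsers refuse to execute the response as script at all.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// pageCSP is the victim page's policy (an assumption for the example): only
// scripts from the page's own origin, which is also where /data lives.
const pageCSP = "default-src 'self'; script-src 'self'"

// payload is constructed sample data; a real API would return per-user data.
var payload = map[string]string{"role": "admin", "user": "alice"}

// vulnerableJSONP wraps the JSON in whatever ?callback= says. An attacker who
// can inject markup adds <script src="/data?callback=alert"> (or any other
// call): the script comes from an allowed origin, so the CSP passes it, and
// the server has written the attacker's JavaScript for them.
func vulnerableJSONP(w http.ResponseWriter, r *http.Request) {
	body, _ := json.Marshal(payload)
	w.Header().Set("Content-Type", "application/javascript")
	fmt.Fprintf(w, "%s(%s);", r.URL.Query().Get("callback"), body)
}

// hardenedJSON drops JSONP entirely. Limiting the callback to a bare
// identifier would not help: the attacker can still name any global function
// and have it called with the payload. The robust fix is to never emit
// script at all, and to use CORS if another origin needs the data.
func hardenedJSON(w http.ResponseWriter, r *http.Request) {
	if _, present := r.URL.Query()["callback"]; present {
		http.Error(w, "JSONP not supported; use CORS", http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	// nosniff makes the browser refuse to run a <script src> whose
	// Content-Type is not a JavaScript type, so this body can never execute.
	w.Header().Set("X-Content-Type-Options", "nosniff")
	json.NewEncoder(w).Encode(payload)
}

// Call drives a handler with an in-memory request carrying the given
// callback ("" for none) and returns status, headers and body.
func Call(h http.HandlerFunc, callback string) (int, http.Header, string) {
	target := "/data"
	if callback != "" {
		target += "?callback=" + url.QueryEscape(callback)
	}
	rec := httptest.NewRecorder()
	h(rec, httptest.NewRequest("GET", target, nil))
	res := rec.Result()
	return res.StatusCode, res.Header, rec.Body.String()
}

func main() {
	fmt.Println("page CSP:", pageCSP)
	for _, cb := range []string{"alert", "alert(document.cookie)//"} {
		_, _, body := Call(vulnerableJSONP, cb)
		fmt.Printf("vulnerable  callback=%q -> %s\n", cb, body)
	}
	code, _, body := Call(hardenedJSON, "alert")
	fmt.Printf("hardened    callback=alert -> %d %s", code, body)
	_, hdr, body := Call(hardenedJSON, "")
	fmt.Printf("hardened    no callback -> %s %s", hdr.Get("X-Content-Type-Options"), body)
}
```

The second vulnerable call shows why cyphar's condition matters: with `callback=alert(document.cookie)//` the server emits `alert(document.cookie)//({...});`, which is valid JavaScript that ignores the JSON entirely.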

------
annnnd
First of all, thanks for sharing, I didn't know about many of these headers!

From recent scans I see that www.google.com got an E with missing headers:

    Strict-Transport-Security
    Content-Security-Policy
    Public-Key-Pins
    X-Content-Type-Options

Is this negligence on Google's part or ...?

~~~
sarciszewski
[https://securityheaders.io/?q=https%3A%2F%2Faccounts.google....](https://securityheaders.io/?q=https%3A%2F%2Faccounts.google.com%2FServiceLogin%3Fservice%3Dmail%26passive%3Dtrue%26rm%3Dfalse%26continue%3Dhttps%3A%2F%2Fmail.google.com%2Fmail%2F%26ss%3D1%26scc%3D1%26ltmpl%3Ddefault%26ltmplcache%3D2%26emr%3D1%26osid%3D1)

Looks like they just need a Content-Security-Policy and Public-Key-Pins.

------
huhtenberg
Looking at Github's A+, can someone explain what's the point of pinning public
keys for _300 seconds_ max?

[https://securityheaders.io/?q=https%3A%2F%2Fgithub.com%2F](https://securityheaders.io/?q=https%3A%2F%2Fgithub.com%2F)

~~~
Scott_Helme_
A lot of advice online, including my own, recommends that once you start
enforcing a policy you keep the max-age quite short for a period of time. The
report-only mode is helpful in identifying issues but given the nature of what
HPKP is and does, jumping straight to a high max-age value when you start
enforcing the policy isn't wise.

~~~
huhtenberg
They don't use reporting.

~~~
ptoomey3
When we first deployed our policy there was no support for reporting in
browsers. I think that Firefox still lacks support and Chrome only added
support recently (I'd have to double check, or I'm sure Scott knows).

~~~
Scott_Helme_
Exactly right. The only browser that will send HPKP reports right now is
Chrome and that was very recent.

------
pmoriarty
Are there any good standalone, Linux command-line tools of this kind (for SSL
and mail config too)?
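
Added example, not from the thread and not securityheaders.io's code: a small stand-alone checker in Go that you pipe `curl -sI` output into. The rule set covers the headers discussed in this thread; the thresholds (a 180-day HSTS minimum, a second HPKP pin) and the letter scale are this example's own, not the site's, and it says nothing about TLS or mail configuration.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"os"
	"strconv"
	"strings"
)

// Finding is one report line: header, "ok"/"weak"/"missing", and a note.
type Finding struct{ Header, Status, Note string }

// maxAge extracts max-age=N from an HSTS or HPKP value (-1 if absent or bad).
func maxAge(v string) int {
	for _, part := range strings.Split(v, ";") {
		if p := strings.TrimSpace(part); strings.HasPrefix(strings.ToLower(p), "max-age=") {
			if n, err := strconv.Atoi(strings.Trim(p[8:], `"`)); err == nil {
				return n
			}
		}
	}
	return -1
}

// rules: one check per header, run only when it is present; a non-empty
// result is the note for a weak value.
var rules = []struct {
	name string
	weak func(v string) string
}{
	{"Strict-Transport-Security", func(v string) string {
		if maxAge(v) < 15552000 { // 180 days, a common minimum
			return "max-age below 180 days"
		}
		return ""
	}},
	{"Content-Security-Policy", func(v string) string {
		if strings.Contains(v, "'unsafe-inline'") {
			return "'unsafe-inline' lets injected inline script run"
		}
		return ""
	}},
	{"Public-Key-Pins", func(v string) string {
		if strings.Count(v, "pin-sha256=") < 2 {
			return "RFC 7469 requires a backup pin"
		}
		return ""
	}},
	{"X-Content-Type-Options", func(v string) string {
		if !strings.EqualFold(strings.TrimSpace(v), "nosniff") {
			return "expected nosniff"
		}
		return ""
	}},
	{"X-XSS-Protection", func(v string) string { return "" }},
}

// Analyze runs every rule over h and returns the findings plus a letter grade.
// The scale is this example's own (one step down from A per missing header or
// weak value, bottoming out at F), not the one securityheaders.io uses.
func Analyze(h http.Header) ([]Finding, string) {
	var findings []Finding
	steps := 0
	for _, r := range rules {
		f := Finding{Header: r.name, Status: "missing"}
		if v := h.Get(r.name); v != "" {
			if f.Status, f.Note = "ok", r.weak(v); f.Note != "" {
				f.Status = "weak"
			}
		}
		if f.Status != "ok" {
			steps++
		}
		findings = append(findings, f)
	}
	if steps > 5 {
		steps = 5
	}
	return findings, "ABCDEF"[steps : steps+1]
}

// ParseRawHeaders turns "Name: value" lines, as printed by `curl -sI`, into an
// http.Header, skipping the status line and blank lines.
func ParseRawHeaders(raw string) http.Header {
	h := http.Header{}
	for _, line := range strings.Split(raw, "\n") {
		if name, value, ok := strings.Cut(line, ":"); ok && !strings.HasPrefix(line, "HTTP/") {
			h.Add(strings.TrimSpace(name), strings.TrimSpace(value))
		}
	}
	return h
}

// Usage: curl -sI https://example.com | go run check.go
func main() {
	raw, _ := io.ReadAll(os.Stdin)
	findings, grade := Analyze(ParseRawHeaders(string(raw)))
	for _, f := range findings {
		fmt.Printf("%-26s %-8s %s\n", f.Header, f.Status, f.Note)
	}
	fmt.Println("grade:", grade)
}
```

Because it reads the same text `curl -sI` prints, you can also run it against a saved response, or against a different port by giving curl the `host:port` URL directly.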

------
russum
What other/similar analyzers are out there?

~~~
stefanorri
HTTPSecurityReport -
[https://httpsecurityreport.com](https://httpsecurityreport.com) -
Disclaimer: I'm the creator.

Site Scan from MS - [https://dev.windows.com/en-us/microsoft-edge/tools/staticsca...](https://dev.windows.com/en-us/microsoft-edge/tools/staticscan/)

Subresource Integrity scanner - [https://sritest.io/](https://sritest.io/)

~~~
Beowolve
Thanks for these! I like that yours covered a lot more than the one OP posted.

~~~
stefanorri
Thanks, glad to hear it!

------
sarciszewski
Kind of ironic (Firefox):
[http://i.imgur.com/p6RDBb4.png](http://i.imgur.com/p6RDBb4.png)

This is also keeping the CSS from loading. (Chrome, however, displays
beautifully.)

~~~
tombrossman
Strange, I get the same thing too despite the domain being among those
whitelisted. I don't know how 'self' cannot equal securityheaders.io for a
request to that domain.

I remember a while back when I was first using this I had a really difficult
time getting it to work for a site I was doing. In the end, I had to remove
all references to 'self' as a source and use the domain instead (even though
these should be one and the same).

~~~
sarciszewski
It's probably a Firefox bug.

------
cmrx64
HPKP will accept if _any_ of the fingerprints match -- I was wondering how I
could transition certificates when using it, and hadn't noticed that fact. So
to transition to a new certificate, specify the fingerprint of the old AND new
certificates, for at least as long as the max-age. You can also specify the
fingerprint of any certificate in the trust chain. I plan on pinning the Let's
Encrypt certificate, instead of the specific certificates Let's Encrypt
issues, and trusting Let's Encrypt to implement the domain validation
correctly.

~~~
Scott_Helme_
HPKP is HTTP Public Key Pinning, you aren't pinning certificates, you're
pinning the public key. This means that you don't necessarily need to change
any pins when you renew certificates as the certificate can use the same key
pair. The only time you need to consume a backup pin when renewing the
certificate is if you have a new public key signed. I think it's important to
understand the difference before you try to deploy HPKP.

As for pinning the CA instead of your own public key, you can see my other
comments in this thread with links about how GitHub pin their CA and a backup
CA. I also have a link with information on the various levels in a chain you
can pin at like the leaf, intermediate and root. Each has its own benefits and
drawbacks.

~~~
cmrx64
I see, I hadn't made that obvious connection -- it's right in the name! (been
awake for ~28 hours) That's much nicer. This is the first I've seen that
header, it's good to know it exists -- I've implemented it in other ad-hoc
protocols.
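
Added example, not part of the thread, covering both the point Scott makes above (you pin a public key, not a certificate) and the rollover question raised earlier about GitHub's 300-second max-age. It is Go using only the standard library: it computes HPKP pins from the SubjectPublicKeyInfo, builds a header with a live and a backup pin, and applies the "any pin matches any chain certificate" rule a client uses. Keys and self-signed certificates are generated inside the block as stand-ins for CA-issued ones, and `example.com` is a placeholder. The major browsers have since dropped HPKP support, so this shows the mechanism rather than something to deploy today.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// PinSPKI turns a DER SubjectPublicKeyInfo into an HPKP pin, base64(SHA-256(SPKI))
// as in RFC 7469. Only the public key is hashed, never a certificate's serial,
// validity or signature.
func PinSPKI(spki []byte) string {
	sum := sha256.Sum256(spki)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// PinKey pins a bare key pair; a backup pin needs nothing more, so the backup
// key can stay offline and uncertified until you roll over to it.
func PinKey(pub *ecdsa.PublicKey) string {
	spki, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		panic(err)
	}
	return PinSPKI(spki)
}

// PinCert pins the key inside a certificate (leaf, intermediate or root).
func PinCert(c *x509.Certificate) string { return PinSPKI(c.RawSubjectPublicKeyInfo) }

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// issue creates a self-signed certificate for key, standing in for a CA-issued
// one: serial and validity change per call, the key pair does not.
func issue(cn string, key *ecdsa.PrivateKey, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// Header builds the Public-Key-Pins value from the live pin and a backup pin.
func Header(live, backup string, maxAge int) string {
	return fmt.Sprintf(`pin-sha256="%s"; pin-sha256="%s"; max-age=%d`, live, backup, maxAge)
}

// Matches is the client-side rule the thread describes: the connection is
// accepted if ANY certificate in the validated chain matches ANY pin.
func Matches(header string, chain ...*x509.Certificate) bool {
	var pins []string
	for _, d := range strings.Split(header, ";") {
		if d = strings.TrimSpace(d); strings.HasPrefix(d, "pin-sha256=") {
			pins = append(pins, strings.Trim(d[len("pin-sha256="):], `"`))
		}
	}
	for _, c := range chain {
		for _, p := range pins {
			if PinCert(c) == p {
				return true
			}
		}
	}
	return false
}

func main() {
	live, backup := newKey(), newKey() // the backup key stays offline
	hdr := Header(PinKey(&live.PublicKey), PinKey(&backup.PublicKey), 300)
	fmt.Println("Public-Key-Pins:", hdr)
	fmt.Println("current cert accepted:   ", Matches(hdr, issue("example.com", live, 1)))
	fmt.Println("renewed, same key:       ", Matches(hdr, issue("example.com", live, 2)))
	fmt.Println("rolled to backup key:    ", Matches(hdr, issue("example.com", backup, 3)))
	fmt.Println("unknown key (mis-issued):", Matches(hdr, issue("example.com", newKey(), 4)))
}
```

The renewal case is the one to notice: a new certificate on the same key pair has the same pin, so nothing in the header has to change. Only when you sign a new key do you consume the backup pin, at which point you generate a fresh backup and publish it for at least max-age before relying on it.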

------
riramar
This site is awesome! That's why I've included it in my OWASP project. I'm just
starting this project but it's going to have a lot of information about security
headers.

[https://www.owasp.org/index.php/OWASP_Secure_Headers_Project](https://www.owasp.org/index.php/OWASP_Secure_Headers_Project)

------
itslennysfault
Hacker News gets a solid D.

[https://securityheaders.io/?q=https%3A%2F%2Fnews.ycombinator...](https://securityheaders.io/?q=https%3A%2F%2Fnews.ycombinator.com%2F)

------
rasx
It seems it doesn't support server:port - the report I got is for port 80.

