Website security is becoming an increasingly important topic, as more individuals, businesses and governing bodies are becoming concerned with the risk to personal data posed by inadequate web security practices.
Security basics - HTTPS
Hypertext Transfer Protocol Secure (HTTPS) is the secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected to. The 'S' at the end of HTTPS stands for 'Secure'. It means all communications between your browser and the website are encrypted.
Whereas in the past, HTTPS might have only been used to protect highly confidential online transactions like online banking and online shopping order forms, it is fast becoming the standard for all website URLs.
This agenda has been pushed in particular by Google's Chrome browser, encouraging website owners to move to HTTPS by showing 'Not secure' messages to browser users on HTTP pages. As such, the issue becomes about user trust and user experience, in addition to security.
While the basic recommendation of 'move your entire site to HTTPS' holds true for any website that has not yet done this, there are some additional vulnerabilities that Sitebulb will detect, for sites that have already adopted HTTPS.
HTML Hints (8 Hints)
There are 8 Hints that relate to HTML, resources and insecure content:
- Mixed content (loads HTTP resources on HTTPS URL)
- HTTPS URL links to an HTTP URL
- HTTPS URL contains a form posting to HTTP
- HTTP URL contains a password input field
- Has external opener links vulnerable to tabnapping
- Loads page resources using protocol relative URIs
- Has style sheets served via a CDN without subresource integrity
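The following is an added example, not Sitebulb's own crawler code, showing how a checker can derive the seven HTML hints above from a single page. It parses the document with Python's standard `html.parser`, resolves every URL against the page URL, and reports which hints fire. The `CDN_HOSTS` set and the sample page are constructed for this example, and the rules (for instance treating `rel="noopener"` or `rel="noreferrer"` as protection against tabnapping) are this example's interpretation of each hint, not Sitebulb's exact logic.

```python
"""Detect insecure-content hints in a single HTML document.

Added example (not Sitebulb's code). Rules are simplified interpretations
of the hint names; CDN_HOSTS and the sample page are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Hosts treated as third-party CDNs for the subresource-integrity check (assumption).
CDN_HOSTS = {"cdnjs.cloudflare.com", "cdn.example-cdn.test"}


class _TagCollector(HTMLParser):
    """Collect every start tag with its attributes as a dict."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        # Attribute values can be None for bare attributes (e.g. <input disabled>).
        self.tags.append((tag, {k: (v or "") for k, v in attrs}))

    handle_startendtag = handle_starttag


def check_html(page_url, html):
    """Return the sorted list of hint names triggered by this page."""
    page = urlparse(page_url)
    page_https = page.scheme == "https"
    collector = _TagCollector()
    collector.feed(html)
    hints = set()

    for tag, a in collector.tags:
        # Resource-loading attributes: src on any tag, href on <link>.
        src = a.get("src") or (a.get("href") if tag == "link" else None)
        if src:
            if src.startswith("//"):
                hints.add("Loads page resources using protocol relative URIs")
            if page_https and urlparse(urljoin(page_url, src)).scheme == "http":
                hints.add("Mixed content (loads HTTP resources on HTTPS URL)")

        # Stylesheets pulled from a CDN should carry an integrity attribute.
        if tag == "link" and "stylesheet" in a.get("rel", "").lower().split():
            host = urlparse(urljoin(page_url, a.get("href", ""))).hostname
            if host in CDN_HOSTS and not a.get("integrity"):
                hints.add("Has style sheets served via a CDN without subresource integrity")

        if tag == "a" and a.get("href"):
            target = urlparse(urljoin(page_url, a["href"]))
            if page_https and target.scheme == "http":
                hints.add("HTTPS URL links to an HTTP URL")
            rel = a.get("rel", "").lower().split()
            external = target.hostname not in (None, page.hostname)
            # target=_blank to another origin without noopener/noreferrer gives
            # the opened page a window.opener reference it can abuse.
            if a.get("target") == "_blank" and external and not ({"noopener", "noreferrer"} & set(rel)):
                hints.add("Has external opener links vulnerable to tabnapping")

        if tag == "form":
            action = urlparse(urljoin(page_url, a.get("action", "")))
            if page_https and action.scheme == "http":
                hints.add("HTTPS URL contains a form posting to HTTP")

        if tag == "input" and a.get("type", "").lower() == "password" and not page_https:
            hints.add("HTTP URL contains a password input field")

    return sorted(hints)


# Constructed sample page exercising most of the rules above.
SAMPLE_URL = "https://shop.example.test/checkout"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/x/1.0/x.css">
<script src="//static.example.test/app.js"></script>
<img src="http://images.example.test/logo.png">
</head><body>
<a href="https://partner.example.test/" target="_blank">Partner</a>
<a href="http://www.example.test/old">Old page</a>
<form action="http://legacy.example.test/submit" method="post">
<input type="password" name="pw"></form>
</body></html>
"""

if __name__ == "__main__":
    for hint in check_html(SAMPLE_URL, SAMPLE_HTML):
        print(hint)
```

Running the sample flags six of the seven hints; the password-field hint only fires when the same document is served over plain HTTP, which you can see by calling `check_html` with an `http://` page URL.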
HTTP security headers
When a browser client (or indeed, a website crawler) 'opens' a particular website URL, it starts this process by sending an HTTP request to the website server. The server sends back HTTP response headers, in addition to the page content itself.
During the last few years, a number of new HTTP headers have been introduced whose purpose is to help enhance the security of a website. Once set, these HTTP response headers can restrict modern browsers from running into easily preventable vulnerabilities.
Security headers Hints (9 Hints)
There are 9 Hints that relate to the implementation of HTTP security headers:
- Content-Security-Policy HTTP header is missing or invalid
- Referrer-Policy HTTP header is missing
- Strict-Transport-Security (HSTS) HTTP header is missing
- X-Content-Type-Options HTTP header is missing
- X-Frame-Options HTTP header is missing or invalid
- X-XSS-Protection HTTP header is missing or invalid
- Has deprecated Public-Key-Pins HTTP header
- Has deprecated Public-Key-Pins-Report-Only HTTP header
- Leaks server information useful for compromising servers
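As an added example (not Sitebulb's code), the function below evaluates a set of HTTP response headers against the nine security-header hints above. The accepted values for `X-Frame-Options` and `X-XSS-Protection`, the list of recognised CSP directives, and the heuristic for "leaks server information" (a `Server` value carrying a version number, or an `X-Powered-By` / `X-AspNet-Version` header) are this example's assumptions about what "invalid" and "leaks" mean; the two header sets are constructed to show a weak configuration beside a hardened one.

```python
"""Evaluate HTTP response headers against security-header hints.

Added example (not Sitebulb's code). Validity rules are simplified assumptions;
the WEAK and HARDENED header sets are constructed for illustration.
"""
import re

# Values the relevant specs define for these headers (assumption for "invalid").
X_FRAME_VALID = {"DENY", "SAMEORIGIN"}
X_XSS_VALID = {"0", "1", "1;MODE=BLOCK"}

# Directive names a CSP may start each clause with (assumption for "invalid").
CSP_DIRECTIVES = {
    "default-src", "script-src", "style-src", "img-src", "connect-src",
    "font-src", "object-src", "media-src", "frame-src", "child-src",
    "worker-src", "manifest-src", "frame-ancestors", "base-uri",
    "form-action", "upgrade-insecure-requests", "block-all-mixed-content",
    "report-uri", "report-to", "sandbox", "require-trusted-types-for",
    "trusted-types",
}

# Headers whose mere presence reveals the server stack (heuristic).
LEAKY_HEADERS = {"x-powered-by", "x-aspnet-version", "x-aspnetmvc-version"}


def _csp_valid(value):
    """A CSP is treated as valid when every non-empty clause starts with a known directive."""
    clauses = [c.strip() for c in value.split(";") if c.strip()]
    return bool(clauses) and all(c.split()[0].lower() in CSP_DIRECTIVES for c in clauses)


def _leaks_server_info(h):
    """Server header with a version (e.g. 'Apache/2.4.1') or a stack-revealing header."""
    server = h.get("server", "")
    return bool(re.search(r"/\d", server)) or bool(LEAKY_HEADERS & set(h))


def check_headers(headers):
    """Return the list of hint names triggered by a response's headers."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    hints = []
    csp = h.get("content-security-policy")
    if not csp or not _csp_valid(csp):
        hints.append("Content-Security-Policy HTTP header is missing or invalid")
    if "referrer-policy" not in h:
        hints.append("Referrer-Policy HTTP header is missing")
    if "strict-transport-security" not in h:
        hints.append("Strict-Transport-Security (HSTS) HTTP header is missing")
    if "x-content-type-options" not in h:
        hints.append("X-Content-Type-Options HTTP header is missing")
    if h.get("x-frame-options", "").upper() not in X_FRAME_VALID:
        hints.append("X-Frame-Options HTTP header is missing or invalid")
    if re.sub(r"\s+", "", h.get("x-xss-protection", "")).upper() not in X_XSS_VALID:
        hints.append("X-XSS-Protection HTTP header is missing or invalid")
    if "public-key-pins" in h:
        hints.append("Has deprecated Public-Key-Pins HTTP header")
    if "public-key-pins-report-only" in h:
        hints.append("Has deprecated Public-Key-Pins-Report-Only HTTP header")
    if _leaks_server_info(h):
        hints.append("Leaks server information useful for compromising servers")
    return hints


# Constructed response headers: a typical unhardened origin.
WEAK = {
    "Server": "Apache/2.4.29 (Ubuntu)",
    "X-Powered-By": "PHP/7.2.24",
    "Content-Type": "text/html; charset=utf-8",
    "X-Frame-Options": "ALLOWALL",
    "Public-Key-Pins": 'pin-sha256="PLACEHOLDER_PIN"; max-age=5184000',
}

# Constructed response headers: the same origin after hardening.
HARDENED = {
    "Server": "nginx",
    "Content-Type": "text/html; charset=utf-8",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "0",
}

if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{name}: {check_headers(hdrs) or 'no hints'}")
```

Header names are matched case-insensitively because HTTP header field names are case-insensitive; the weak set trips eight of the nine hints (everything except the absent `Public-Key-Pins-Report-Only`), while the hardened set trips none.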