Website security is becoming an increasingly important topic, as more individuals, businesses and governing bodies are becoming concerned with the risk to personal data posed by inadequate web security practices.
Security basics - HTTPS
Hypertext Transfer Protocol Secure (HTTPS) is the secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected to. The 'S' at the end of HTTPS stands for 'Secure': the HTTP traffic is carried over a TLS connection, so everything exchanged between your browser and the website is encrypted and protected from tampering, and the site's certificate lets the browser check that it is talking to the genuine server rather than an impostor.
Whereas in the past, HTTPS might have only been used to protect highly confidential online transactions like online banking and online shopping order forms, it is fast becoming the standard for all website URLs.
This agenda has been pushed in particular by Google's Chrome browser, which encourages website owners to move to HTTPS by showing a 'Not secure' warning to users on HTTP pages. As such, the issue is about user trust and user experience, in addition to security.
While the basic recommendation of 'move your entire site to HTTPS' holds true for any website that has not yet done this, there are some additional vulnerabilities that Sitebulb will detect, for sites that have already adopted HTTPS.
HTTP security headers
When a browser client (or indeed, a website crawler) 'opens' a particular website URL, it starts this process by sending an HTTP request to the website server. The server sends back HTTP response headers, in addition to the page content itself.
During the last few years, a number of HTTP response headers have been introduced whose purpose is to enhance the security of a website. Once set, these headers instruct modern browsers to enforce restrictions (for example, only ever connecting to the site over HTTPS, only loading scripts from approved origins, or refusing to render the page inside another site's frame) that prevent whole classes of easily avoidable vulnerabilities. The headers only take effect in browsers that understand them; they do nothing for a client that ignores them, so they are a defence in depth rather than a replacement for fixing the underlying issue.
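As an added example (not Sitebulb's own code, and not from the original page), the following Python script audits a captured set of response headers for the security headers most commonly checked: Strict-Transport-Security (including whether its max-age is at least the customary one year), Content-Security-Policy, X-Content-Type-Options, a clickjacking defence (X-Frame-Options or the CSP frame-ancestors directive) and Referrer-Policy. The two header sets at the bottom are constructed for illustration; the header names and the one-year threshold are the standard ones.

```python
"""Audit HTTP response headers for the common security headers.

Added example; not Sitebulb's code. The header names and the one-year
HSTS threshold are standard; the two sample header sets below are
constructed for illustration.
"""
from typing import Dict, List, Optional

ONE_YEAR = 31536000  # seconds; the usual minimum recommended HSTS max-age


def hsts_max_age(value: str) -> Optional[int]:
    """Return the max-age directive of an HSTS header as an int, or None."""
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(raw.strip().strip('"'))
            except ValueError:
                return None
    return None


def audit_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings for one response's headers.

    Header names are matched case-insensitively, as HTTP requires.
    HSTS is only meaningful on a response served over HTTPS; the caller
    is assumed to pass HTTPS responses here.
    """
    h = {name.lower(): value.strip() for name, value in headers.items()}
    findings: List[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        max_age = hsts_max_age(hsts)
        if max_age is None:
            findings.append("Strict-Transport-Security has no valid max-age")
        elif max_age < ONE_YEAR:
            findings.append(
                f"Strict-Transport-Security max-age {max_age} is under one year")

    csp = h.get("content-security-policy", "").lower()
    if not csp:
        findings.append("missing Content-Security-Policy")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")

    # Either the legacy header or the CSP directive stops framing.
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append(
            "no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")

    if "referrer-policy" not in h:
        findings.append("missing Referrer-Policy")

    return findings


# Constructed sample responses: a typical default server configuration,
# and a hardened one.
WEAK_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=300",
}

HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label, audit_security_headers(hdrs) or ["ok"])
```

The weak set yields five findings and the hardened set none. When rolling these headers out, Content-Security-Policy is the one that needs care: a policy that omits one of the site's own script or style origins breaks the page, so it is usual to ship it first as Content-Security-Policy-Report-Only and switch to the enforcing header once the reports are clean.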
Most of the Security Hints are Issues, which means they represent errors or problems that need to be fixed. They are additionally classified by importance, which should be taken into account when prioritizing implementation work, along with the number and type of URLs affected.
These Hints require immediate attention, as the issue may have a serious impact upon crawling, indexing or ranking.
These Hints are very important, and definitely warrant attention.
- HTTPS URL links to an HTTP URL
- HTTPS URL contains a form posting to HTTP
- HTTP URL contains a password input field
- Loads page resources using protocol relative URIs
These Hints are worth investigating further, and may warrant further attention depending on the type and quantity of URLs affected.
- Has external opener links vulnerable to tabnapping
- Has style sheets served via a CDN without subresource integrity
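The six page-level Hints listed above (the four in the previous list and the two in this one) can all be detected from the HTML of a single crawled page plus the URL it was fetched from. As an added example, not Sitebulb's own detection code and not from the original page, the Python script below does exactly that with the standard-library HTML parser: it flags links from an HTTPS page to http:// URLs, forms whose action resolves to http://, password inputs on a page served over plain HTTP, protocol-relative resource references, external target="_blank" links without rel="noopener" or rel="noreferrer", and stylesheets loaded from another host without an integrity attribute. The sample page and all hostnames in it are constructed for illustration.

```python
"""Scan one HTML page for the mixed-content, tabnabbing and SRI hints.

Added example; not Sitebulb's code. The hint names mirror the list on the
page; the sample page and its URLs are constructed for illustration.
"""
from html.parser import HTMLParser
from typing import List
from urllib.parse import urljoin, urlsplit

# Tags whose src/href fetch a subresource (subject to the protocol-relative check).
RESOURCE_TAGS = {"script", "img", "iframe", "link", "source", "video", "audio", "embed"}


class SecurityHintScanner(HTMLParser):
    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        parts = urlsplit(page_url)
        self.page_host = parts.hostname
        self.page_is_https = parts.scheme == "https"
        self.hints = set()

    def _resolve(self, ref: str):
        """Resolve a possibly relative reference against the page URL."""
        return urlsplit(urljoin(self.page_url, ref.strip()))

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "") for name, value in attrs}

        if tag == "a" and "href" in a:
            target = self._resolve(a["href"])
            if self.page_is_https and target.scheme == "http":
                self.hints.add("HTTPS URL links to an HTTP URL")
            # target=_blank to another site hands window.opener to that site
            # unless rel=noopener (noreferrer implies it) is set.
            rel = set(a.get("rel", "").lower().split())
            if (a.get("target", "").lower() == "_blank"
                    and target.hostname and target.hostname != self.page_host
                    and not {"noopener", "noreferrer"} & rel):
                self.hints.add("Has external opener links vulnerable to tabnapping")

        elif tag == "form":
            # A form whose action resolves to http:// submits its fields in the
            # clear whatever the method, so the method is deliberately not checked.
            if self.page_is_https and self._resolve(a.get("action", "")).scheme == "http":
                self.hints.add("HTTPS URL contains a form posting to HTTP")

        elif tag == "input" and a.get("type", "").lower() == "password":
            if not self.page_is_https:
                self.hints.add("HTTP URL contains a password input field")

        if tag in RESOURCE_TAGS:
            ref = (a.get("src") or a.get("href") or "").strip()
            # "//host/path" takes the scheme of the page that embeds it.
            if ref.startswith("//"):
                self.hints.add("Loads page resources using protocol relative URIs")

        if tag == "link" and "stylesheet" in a.get("rel", "").lower().split():
            host = self._resolve(a.get("href", "")).hostname
            if host and host != self.page_host and not a.get("integrity"):
                self.hints.add("Has style sheets served via a CDN without subresource integrity")


def scan(page_url: str, html: str) -> List[str]:
    """Return the sorted list of hints triggered by one page."""
    scanner = SecurityHintScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return sorted(scanner.hints)


# Constructed sample page exhibiting every pattern the hints look for.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="https://cdn.example.net/site.css">
<script src="//cdn.example.net/app.js"></script>
</head><body>
<a href="http://partner.example.org/offer">Offer</a>
<a href="https://partner.example.org/" target="_blank">Partner</a>
<a href="https://safe.example.org/" target="_blank" rel="noopener">Safe</a>
<form action="http://legacy.example.com/login" method="post">
  <input type="password" name="pw">
</form>
</body></html>
"""

if __name__ == "__main__":
    for url in ("https://www.example.com/", "http://www.example.com/"):
        print(url)
        for hint in scan(url, SAMPLE_HTML):
            print("  -", hint)
```

Run against the same markup as an HTTPS page it reports five hints, and as an HTTP page it reports four (the password-field hint replaces the two HTTPS-specific mixed-content hints). Note that current versions of the major browsers now treat target="_blank" as implying noopener, so the tabnapping hint mainly protects visitors on older browsers; adding rel="noopener" explicitly is still the right fix. The subresource integrity check is deliberately limited to stylesheets from a different host, matching the Hint; a first-party stylesheet gains nothing from an integrity hash because an attacker who can alter it can alter the hash too.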
These Hints are of the lowest significance, and should only be addressed if there aren't more serious issues which have not been handled.
These Hints are marked 'Insight' because, for most websites, they don't represent an issue worth worrying about. They all relate to the implementation of HTTP security headers, which sit at the more comprehensive end of web security hardening. If you have a very high-traffic website, a site that stores sensitive personal information, or a site that is a frequent target of hackers, then you should absolutely implement these headers. For all other cases, they should be considered a 'nice to have', though bear in mind that several of them (X-Content-Type-Options, and Strict-Transport-Security on a site that is already fully HTTPS) cost a single line of server configuration, whereas Content-Security-Policy needs testing because a policy that omits one of your own resource origins will break the page.