fmaury/seirdy.one
1
0
Fork 0
mirror of https://git.sr.ht/~seirdy/seirdy.one synced 2024-09-20 04:12:09 +00:00
Code Issues Projects Releases Wiki Activity

New note: Website security scanners

Browse source
This commit is contained in:
Rohan Kumar 2022-11-02 11:56:02 -07:00
parent 597dae3a77
commit 9020d1a2b8
No known key found for this signature in database
GPG key ID: 1E892DB2A5F84479
1 changed files with 13 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
content/notes/website-security-scanners.md Normal file
View file

@ -0,0 +1,13 @@
---
title: "Website security scanners"
date: 2022-11-02T11:56:02-07:00
replyURI: "https://plem.sapphic.site/notice/APB6VSqinvWjm1yHgW"
replyTitle: "why does hardenize still check for Expect-CT when the header is deprecated"
replyType: "SocialMediaPosting"
replyAuthor: "r3g_5z"
replyAuthorURI: "https://blog.terezi.dev/"
---
Speaking generally: I think most website security scanners (Webbkoll, Observatory, et al) lend themselves to cargo-cults. You don't need [most Content Security Policy directives](https://w3c.github.io/webappsec-csp/#csp-directives) for a PNG file, for instance. Warning against a missing `X-Frame-Options` feels wrong: even the latest version of iOS 9---the oldest iOS release to support secure TLS 1.2 <abbr>ECDSA</abbr> ciphers---seems to support `frame-ancestors` (correct me if I'm wrong).
[Internet.nl](https://internet.nl/) is a bit better: it doesn't penalize you for not using security headers. Instead, it just educates you about why you should consider them. Internet.nl only penalizes you for lacking features that universally apply, like proper TLS. I also like the approach of [ssh-audit](https://github.com/jtesta/ssh-audit): it lets you set a policy that works for your endpoint, and validate against that policy.