1
0
Fork 0
mirror of https://git.sr.ht/~seirdy/seirdy.one synced 2024-12-28 03:02:09 +00:00
seirdy.one/content/notes/website-security-scanners.md
2024-05-24 10:24:27 -04:00

1.3 KiB

title date replyURI replyTitle replyType replyAuthor replyAuthorURI lastMod
Website security scanners 2022-11-02T11:56:02-07:00 https://pleroma.envs.net/notice/APB6Va7FFvgXN801L6 why does hardenize still check for Expect-CT when the header is deprecated SocialMediaPosting r3g_5z https://girlboss.ceo/ 2022-11-26T19:20:46Z

Speaking generally: I think most website security scanners (Webbkoll, Observatory, et al) lend themselves to cargo-cults. You don't need most Content Security Policy directives for a PNG file, for instance. Warning against a missing X-Frame-Options feels wrong: even the latest version of iOS 9---the oldest iOS release to support secure TLS 1.2 ECDSA ciphers---seems to support frame-ancestors (correct me if I'm wrong).

Internet.nl is a bit better: it doesn't penalize you for not using security headers. Instead, it just educates you about why you should consider them. Internet.nl only penalizes you for lacking features that universally apply, like proper TLS. I also like the approach of ssh-audit: it lets you set a policy that works for your endpoint, and validate against that policy.