They removed features and made the URL worse.
Edit: Figured I should point out that the old one had TLS and SSH stuff also, and the URL was https://observatory.mozilla.org.
Seems like this tool is a bit under the radar, but it was extremely useful in identifying obvious security gaps.
I was about to look for tools like this one. Please share if you know of others. Thank you.
I got an F for a static site and upgraded it to A+, considering 120 but ultimately settling for a comfortable 110/100 "as good as it gets" score. Thank you for this. I had no idea.
So my website pretty much is "hi" in index.html (two characters) and I got a "D". So, to help me understand how to hack this installation, how can I use the website's evaluation to hack into it so I can understand the exploitation of the security holes I have obviously left open? Is there any guidance here?
This tool was posted on HN within the last few days.
Seeing Microsoft and security in the same sentence makes me suspicious. /s
This gives my website a C (50 / 100) because:
Content Security Policy (CSP) −25
X-Content-Type-Options −5
X-Frame-Options −20
Yet it's just a simple static website without scripts, cookies or any other dynamic content. If you need to specify whatever random headers WHATWG comes up with each year for a static site to be secure, then the problem is the browser, not the website.
X-Content-Type-Options in particular is 100% about browsers ignoring the spec and then making you set another header asking them to please reconsider.
Referer is another thing that should be 100% fixed on the browser side instead of each website asking the browser to please not leak information to other websites.
Then when you look at the scoring criteria [0] you see it even awards bonus points for setting cookies and using scripts, as long as you do it in the currently fashionable way, compared to not using cookies/scripts at all. This is absolutely the wrong way around.
[0] https://developer.mozilla.org/en-US/observatory/docs/tests_a...
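For reference, the three headers the comment above lost points on, set for a static site that serves no scripts, cookies or forms. This is an added nginx example, not configuration from any commenter or from Observatory; the server_name and root path are placeholders, and it assumes the site has no inline scripts or styles (otherwise the CSP below will block them).

```nginx
# Constructed example: minimal static site with the three headers
# the comment above was penalised for. Placeholders: example.invalid, /srv/www.
server {
    listen 443 ssl;
    server_name example.invalid;
    root /srv/www;
    index index.html;

    # Weak setting (what a default static server effectively does):
    # no CSP, no nosniff, no framing restriction. Equivalent to sending
    # nothing at all, which is what Observatory scores -25, -5 and -20.
    #
    # Corrected setting below. "always" makes nginx add the headers on
    # error responses (404, 500) too, not only on 2xx/3xx.

    # CSP: deny everything by default, allow only same-origin images and
    # stylesheets. frame-ancestors 'none' is the CSP equivalent of
    # X-Frame-Options: DENY; both are sent for older browsers.
    add_header Content-Security-Policy
        "default-src 'none'; img-src 'self'; style-src 'self'; frame-ancestors 'none'; base-uri 'none'; form-action 'none'"
        always;

    # Stop browsers from guessing a MIME type that differs from Content-Type.
    add_header X-Content-Type-Options "nosniff" always;

    # Refuse to be embedded in any frame (legacy counterpart of frame-ancestors).
    add_header X-Frame-Options "DENY" always;

    location / {
        try_files $uri $uri/ =404;
    }
}
```

After reloading, `curl -sI https://example.invalid/` should show all three headers on both a 200 and a 404 response.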