Mozilla has released a new website, Observatory, to help developers, system administrators, and security professionals configure their websites safely and securely.
April King, an information security engineer who developed the tool, explains that the development of the Observatory is a result of a new job she received at Mozilla to improve security on many of their websites. King first started by writing a scanning tool. After examining some of Mozilla’s sites, she found she would have a lot of future work to do to support Mozilla’s mission to improve the Internet as a whole. She was encouraged to develop the scanning tool and make it available for the world to use.
Through development, Mozilla has documented their Web Security Guidelines and an Observatory scan will provide test scores on the following in relation to the guidelines:
- Content Security Policy (CSP)
- Cross-origin Resource Sharing
- HTTP Public Key Pinning (HPKP)
- HTTP Strict Transport Security (HSTS)
- Subresource Integrity
The test scores are similar to the SSL Server Test showing an overall A-to-F grade and scores out of 100. There are even bonus scores which will enable the site to get 130 out of 100 or as low as 0. It is best to consider the test as a game, you don’t have to be perfect, but it is best to increase your score. Please note the Observatory and SSL Server Test are complementary as they really do not test the same requirements.
Reviewing the guidelines cheat sheet, we see some items are mandatory, mandatory for new sites, mandatory for maximum risk sites or may be optional. You can also see descriptions, reasoning and implementation examples for every test. The guidelines are a great resource for implementing website best practices. Mozilla also provides an API and command-line tools for administrators who have many sites to test.
Studies by WhiteHat Security and EdgeScan show cross-site scripting (XSS) impacts approximately 50-percent of the websites. As such, we see that the Mozilla guidelines try to support mitigation of XSS with CSP, cookie limitation, X-Content-Type-Options and X-XSS-Protection. There are also scores for HPKP and HSTS to support the mandatory guideline of deploying HTTPS.
At the time of this writing, Mozilla had tested over 1.3 million websites with 91-percent failing. Hopefully, the Observatory and the guidelines will help developers and administrators upgrade their sites to protect their corporations and users. Consider starting by deploying HTTPS, which will secure your users, provide privacy, decrease latency by supporting HTTP/2 and even increase your site’s search engine optimization.