Skip to content

Website security scanners

Speaking generally: I think most website security scanners (Webbkoll, Observatory, et al) lend themselves to cargo-cults. You don’t need most Content Security Policy directives for a PNG file, for instance. Warning against a missing X-Frame-Options feels wrong: even the latest version of iOS 9—the oldest iOS release to support secure TLS 1.2 ECDSA ciphers—seems to support frame-ancestors (correct me if I’m wrong). is a bit better: it doesn’t penalize you for not using security headers. Instead, it just educates you about why you should consider them. only penalizes you for lacking features that universally apply, like proper TLS. I also like the approach of ssh-audit: it lets you set a policy that works for your endpoint, and validate against that policy.