To help web developers protect their websites better, Mozilla has launched an online scanner that tests a website and reports whether its security settings are as good as they can be. The web-based scanner is called Observatory; the web application was created by April King, a security engineer at Mozilla, who later decided to expand it and make it available to everyone.
The tool was inspired by Qualys SSL Labs, a well-known online scanner for grading a website's Transport Layer Security (TLS) or Secure Sockets Layer (SSL) configuration and reporting its weaknesses. Mozilla's scanner, however, uses a points-based rating from 0 to 100, which maps to grades from A+ to F.
Unlike many online SSL server tests, which limit their checks to a website's TLS setup, Observatory goes beyond the traditional protocol check and looks at the finer details that most web developers overlook, including:
Content Security Policy (CSP);
Cookies;
Cross-Origin Resource Sharing (CORS);
HTTP Public Key Pinning (HPKP);
HTTP Strict Transport Security (HSTS);
Subresource Integrity (SRI);
X-Content-Type-Options;
X-Frame-Options (XFO).
The web-based tool does not just check that the elements listed above are present, it also checks whether they are set up properly. The only thing Observatory does not do is scan for vulnerabilities in the site's own code. Why not? Because such tools already exist, in both free and paid versions.
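As an added illustration of the kind of checks described above, the following script audits a captured set of response headers for CSP, HSTS, cookie flags, X-Content-Type-Options and X-Frame-Options and turns the result into a 0-100 score and a letter grade. This is example code, not Observatory's own implementation: the 20-points-per-test scoring, the grade cut-offs and the two sample header sets are assumptions made up for the example.

```python
# Illustrative header audit in the spirit of the checks the article lists.
# Not Observatory's code: point values and grade cut-offs are made up here.
import re

def get_all(headers, name):
    """All values of a header, matched case-insensitively (Set-Cookie may repeat)."""
    return [v for k, v in headers if k.lower() == name.lower()]

def run_checks(headers):
    """Return {test: (passed, reason)} for CSP, HSTS, cookies, XCTO and XFO."""
    r = {}
    csp = get_all(headers, "Content-Security-Policy")
    if not csp:
        r["csp"] = (False, "no Content-Security-Policy header")
    else:
        unsafe = re.search(r"'unsafe-(inline|eval)'", csp[0]) is not None
        r["csp"] = (not unsafe, "CSP allows unsafe-*" if unsafe else "CSP present without unsafe-*")
    hsts = get_all(headers, "Strict-Transport-Security")
    m = re.search(r"max-age=(\d+)", hsts[0], re.I) if hsts else None
    max_age = int(m.group(1)) if m else 0
    r["hsts"] = (max_age >= 15552000, f"HSTS max-age={max_age}; want >= 6 months (15552000s)")
    weak = []
    for c in get_all(headers, "Set-Cookie"):
        attrs = {a.strip().lower() for a in c.split(";")[1:]}  # attribute names/flags only
        if not {"secure", "httponly"} <= attrs:
            weak.append(c.split("=", 1)[0])
    r["cookies"] = (not weak, ("cookies missing Secure/HttpOnly: " + ", ".join(weak)) if weak
                    else "all cookies Secure+HttpOnly")
    xcto = get_all(headers, "X-Content-Type-Options")
    r["xcto"] = (bool(xcto) and xcto[0].strip().lower() == "nosniff", "X-Content-Type-Options must be nosniff")
    xfo = get_all(headers, "X-Frame-Options")
    r["xfo"] = (bool(xfo) and xfo[0].strip().upper() in ("DENY", "SAMEORIGIN"), "XFO must be DENY or SAMEORIGIN")
    return r

def grade(results):
    """Illustrative 0-100 score (20 points per passed test) mapped to A+..F."""
    score = 20 * sum(1 for passed, _ in results.values() if passed)
    for cutoff, letter in ((100, "A+"), (90, "A"), (80, "B"), (70, "C"), (60, "D")):
        if score >= cutoff:
            return score, letter
    return score, "F"

# Constructed sample responses (not real sites): a weak configuration and a hardened one.
WEAK = [("Content-Security-Policy", "default-src 'self' 'unsafe-inline'"),
        ("Set-Cookie", "session=abc123; Path=/"), ("X-Frame-Options", "ALLOWALL")]
HARDENED = [("Content-Security-Policy", "default-src 'self'; object-src 'none'"),
            ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
            ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
            ("X-Content-Type-Options", "nosniff"), ("X-Frame-Options", "DENY")]
```

Calling `grade(run_checks(WEAK))` returns `(0, 'F')` and `grade(run_checks(HARDENED))` returns `(100, 'A+')`; the per-test reasons in `run_checks` say which header still needs work.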
According to King, there are several books and articles about how to secure a website, but that information is spread across the Internet and is hard to collect and read. With this web-based tool, however, a developer can learn about every technology they need to implement in order to secure their website.
When we scanned Mozilla, we were astounded by the results, as many of its own websites received grades below E. Many of those websites have since been fixed, and www.mozilla.org still comes out on top.
Once Observatory has scanned a URL, the report is divided into three main sections, the first being the Scan Summary. It gives basic information such as the grade itself, the duration of the scan and the number of tests passed.
The Test Scores section follows, listing the tests run against the website. Each test, such as CSP, CORS or HPKP, is shown with a green or red marker identifying passed and failed tests. Clicking on an item takes you to a wiki page explaining what it is and how to fix the problem.
After the Test Scores comes the Raw Server Headers section, which lists headers such as CF-Cache-Status, Content-Security-Policy and X-Backend-Server, along with details such as certificates that are near expiry or already expired.
According to King, the scan results are not always accurate, but they are still a good way to make developers go through their websites and become more aware of how their pages are designed.
Observatory is open source, and old-school command-line tools and an API are available for admins and web developers who want to scan their websites at larger scale or on a periodic basis.
Source: Security Affairs