Security Headers

Quickly and easily assess the security of your HTTP response headers.

Security Headers Reviews and details

Videos

HTTP Security Headers | Part 01

HTTP Security Headers In Action - Sven Morgenroth - PSW #652

Social recommendations and mentions

We have tracked the following product recommendations or mentions on various public social media platforms and blogs. They can help you see what people think about Security Headers and what they use it for.
  • Why is text of submissions in low-contrast grey on HN?
    There are so many accessibility issues on Hacker News! Ways to avoid the same mistakes? Easy... 1 - Make sure everyone involved from designers to developers to content creators to testers to... Whatever your village has in it... Has knowledge of WCAG. (New standards out a few weeks ago!) WCAG is the de facto law of the land now, and businesses are liable from damages if they don't make efforts to ensure all users... - Source: Hacker News / 6 months ago
  • Show HN: Year old launches SaaS platform today. Seeks feedback
    Few minor accessibility issues. https://wave.webaim.org/report#/https://propbox.co/ Bunch of front-end security issues. Some of these are trivial, but also... Why not just knock them out? https://securityheaders.com/?q=https%3A%2F%2Fpropbox.co%2F&followRedirects=on The Privacy page is a nightmare, as others have pointed out. Why do this? Won't work with screen readers, won't let users copy text... it's bad.... - Source: Hacker News / 10 months ago
  • Hacker News evading criticism by selectively adding noreferrer to certain links
    FWIW HN sets the Referrer-Policy header [1] to origin [2] but I have no idea how many browsers honor that. [1] - https://scotthelme.co.uk/a-new-security-header-referrer-policy/ [2] - https://securityheaders.com/?q=https%3A%2F%2Fnews.ycombinator.com%2F&hide=on&followRedirects=on. - Source: Hacker News / 11 months ago
  • Security headers - what they are and how to use them 🔒
    I was recently tasked with improving the security rating on one of our websites. This involved a couple of things but the thing I want to focus on in this post is security headers. We scanned the site here and were initially given a rating of 'E'. Not good. So one of the recommendations was to add security headers which are headers contained in the HTTP response and can provide various different security benefits,... - Source: dev.to / 11 months ago
  • Google No Longer Automatically Indexes Websites – WTF?
    Google has to know about the site before it can index it. Set up the sitemap, then link the sitemap in from Google's Search Console Tools, and install Google Analytics. This will help Google pick up that your site exists. Make sure your robots.txt file is configured to allow crawlers. Make sure your pages aren't inadvertently NOINDEX'd. SEO isn't as relevant as it used to be, but all this stuff should be part of... - Source: Hacker News / 11 months ago
  • Deceptive Site Ahead
    https://securityheaders.com/ reports A+ or A scores for every one of my subdomains. Source: 12 months ago
  • Is there an ongoing S3 DNS issue?
    OK, I faced a similar issue due to the code of the app not respecting the content policies. I wanted to have an A ranking on https://securityheaders.com/ but gave up and my app was accessible again. Keep us posted. Source: about 1 year ago
  • Team Kennedy needs some HTTPS help?
    As indigodaddy mentioned the cert is only signed for www and not the apex. [1] tests still running for ipv6. Some headers may be missing [2]. [1] - https://www.ssllabs.com/ssltest/analyze.html?d=www.teamkennedy.com&latest [2] - https://securityheaders.com/?q=https%3A%2F%2Fwww.teamkennedy.com%2F&followRedirects=on. - Source: Hacker News / about 1 year ago
  • HTTP Headers
    Score your website headers: https://securityheaders.com. - Source: dev.to / about 1 year ago
  • Planlike.pro – New Estimating Tool
    It's a good project: I'll try it out (we are doing something similar, but it's pretty hard to have a general saas service ... Too often projects are too different so you need a lot of customization I think). Btw * this https://securityheaders.com/?q=https%3A%2F%2Fplanlike.pro&followRedirects=on can be easy to fix (I'll give you the settings for haproxy or apache if you need) *... - Source: Hacker News / about 1 year ago
  • Rebuilt my blog with awesome performances. How do I keep SEO safe?
    You also mentioned keeping your site safe. Make sure http redirects to https. Make sure SSL is working, and then look into HTTP Security Headers https://securityheaders.com/ . You will want to look into Strict-transport-security, x-frame options, x-content-type-options, content-security-policy, referrer policy, and permissions-policy to start. A great option to get started on your site's security in my opinion is... Source: about 1 year ago
  • Anywhere I can advertise a bounty for my site?
    Everything the others have said + also use https://securityheaders.com/ & shodan.io if you haven't already to see if there is anything obvious. Source: about 1 year ago
  • Any tool to check the security of my server?
    I'm guessing you have a reverse proxy like nginx, caddy, traefik, swag etc serving that? Try checking the config with things like securityheaders and SSL Labs, or even use hardenize to get a report on your domain including email etc. Source: over 1 year ago
  • Content-Security-Policy - No valid directives found in policy [securityheaders.com]
    If you click the links provided by securityheaders.com and read, it should answer your question: https://scotthelme.co.uk/content-security-policy-an-introduction/. Source: over 1 year ago
  • Content-Security-Policy - No valid directives found in policy [securityheaders.com]
    I entered my site URL into securityheaders.com and it tells me the following:. Source: over 1 year ago
  • WordPress attacks and wordfence
    I skipped using Cloudflare's HSTS as it only provides minimal protection. I instead used custom security headers via .htaccess & functions.php files. I disabled right clicking, F12 & print preview. I changed the admin login URL. Source: over 1 year ago
  • My wordpress page sends a lot of "shady" requests to a site called "brounelink.com". Why? How to debug where this is coming from?
    Useful tool for testing site headers here: https://securityheaders.com/. Source: over 1 year ago
  • SvelteKit Node App Deploy: Linux Cloud Hosting
    We checked the page works at the end of a previous section. You might also want to check the HTTP security headers. Both SecurityHeaders.com and Mozilla Observatory are good for this. You might not be able to get an A+ on both because SvelteKit does not add style CSP hashes (at the time of writing). Instead we used the style-src: unsafe-inline directive. CSS hashes are important, though; maliciously injected... - Source: dev.to / over 1 year ago
  • Possible weird malware issue or something?
    I have just done a scan of the headers again using securityheaders.com and I get two very different results if I follow the redirect to the HTTPS, vs. not following the redirect (going to the HTTP). See what I mean here: https://imgur.com/a/SkYGkNZ. Source: over 1 year ago
  • Working on an extremely old and outdated WordPress/Godaddy site that was also infected with malware. And I need help/advice.
    I have never experienced this with any of my WP-based sites but if I did, I would take it offline, delete the existing database, create a new one and put up a simple landing page/site, and then rebuild the site from scratch, assuming the site was infected because of older WordPress or plug-in security issues. Along with all the typical security hardening steps, you should also whitelist your (and his?) IP... Source: over 1 year ago
  • SvelteKit Content Security Policy: CSP for XSS Protection
    This is all good, but when I deployed to Netlify and ran a test using the securityheaders.com site, I was getting nothing back for CSP. For that reason I tried an alternative approach. An alternative to including CSP in meta tags is to use HTTP headers. Both are valid, though the HTTP header is a stronger approach in most cases. Additionally, using HTTP headers you can add reporting, using a service like... - Source: dev.to / over 1 year ago

This is an informative page about Security Headers. You can review and discuss the product here. The primary details have not been verified within the last quarter, and they might be outdated. If you think we are missing something, please use the means on this page to comment or suggest changes. All reviews and comments are highly encouraged and appreciated as they help everyone in the community to make an informed choice. Please always be kind and objective when evaluating a product and sharing your opinion.