There are so many accessibility issues on Hacker News! Ways to avoid the same mistakes? Easy... 1 - Make sure everyone involved from designers to developers to content creators to testers to... Whatever your village has in it... Has knowledge of WCAG. (New standards out a few weeks ago!) WCAG is the de facto law of the land now, and businesses are liable for damages if they don't make efforts to ensure all users... - Source: Hacker News / 6 months ago
A few minor accessibility issues. https://wave.webaim.org/report#/https://propbox.co/ Bunch of front-end security issues. Some of these are trivial, but also... Why not just knock them out? https://securityheaders.com/?q=https%3A%2F%2Fpropbox.co%2F&followRedirects=on The Privacy page is a nightmare, as others have pointed out. Why do this? Won't work with screen readers, won't let users copy text... it's bad.... - Source: Hacker News / 10 months ago
FWIW HN sets the Referrer-Policy header [1] to origin [2] but I have no idea how many browsers honor that. [1] - https://scotthelme.co.uk/a-new-security-header-referrer-policy/ [2] - https://securityheaders.com/?q=https%3A%2F%2Fnews.ycombinator.com%2F&hide=on&followRedirects=on. - Source: Hacker News / 11 months ago
I was recently tasked with improving the security rating on one of our websites. This involved a couple of things but the thing I want to focus on in this post is security headers. We scanned the site here and were initially given a rating of 'E'. Not good. So one of the recommendations was to add security headers which are headers contained in the HTTP response and can provide various different security benefits,... - Source: dev.to / 11 months ago
Google has to know about the site before it can index it. Set up the sitemap, then link the sitemap in from Google's Search Console Tools, and install Google Analytics. This will help Google pick up that your site exists. Make sure your robots.txt file is configured to allow crawlers. Make sure your pages aren't inadvertently NOINDEX'd. SEO isn't as relevant as it used to be, but all this stuff should be part of... - Source: Hacker News / 11 months ago
https://securityheaders.com/ reports A+ or A scores for every one of my subdomains. Source: 12 months ago
OK, I faced a similar issue due to the code of the app not respecting the content policies. I wanted to have an A ranking on https://securityheaders.com/ but gave up and my app was accessible again. Keep us posted. Source: about 1 year ago
As indigodaddy mentioned the cert is only signed for www and not the apex. [1] tests still running for ipv6. Some headers may be missing [2]. [1] - https://www.ssllabs.com/ssltest/analyze.html?d=www.teamkennedy.com&latest [2] - https://securityheaders.com/?q=https%3A%2F%2Fwww.teamkennedy.com%2F&followRedirects=on. - Source: Hacker News / about 1 year ago
Score your website headers: https://securityheaders.com. - Source: dev.to / about 1 year ago
It's a good project: I'll try it out (we are doing something similar, but it's pretty hard to have a general SaaS service ... Too often projects are too different so you need a lot of customization I think). Btw * this https://securityheaders.com/?q=https%3A%2F%2Fplanlike.pro&followRedirects=on can be easy to fix (I'll give you the settings for haproxy or apache if you need) *... - Source: Hacker News / about 1 year ago
You also mentioned keeping your site safe. Make sure http redirects to https. Make sure SSL is working, and then look into HTTP Security Headers https://securityheaders.com/. You will want to look into Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Content-Security-Policy, Referrer-Policy, and Permissions-Policy to start. A great option to get started on your site's security in my opinion is... Source: about 1 year ago
Everything the others have said + also use https://securityheaders.com/ & shodan.io if you haven't already to see if there is anything obvious. Source: about 1 year ago
I'm guessing you have a reverse proxy like nginx, caddy, traefik, swag etc serving that? Try checking the config with things like securityheaders and SSL Labs, or even use hardenize to get a report on your domain including email etc. Source: over 1 year ago
If you click the links provided by securityheaders.com and read it should answer your question: https://scotthelme.co.uk/content-security-policy-an-introduction/. Source: over 1 year ago
I entered my site URL into securityheaders.com and it tells me the following: Source: over 1 year ago
I skipped using Cloudflare's HSTS as it only provides minimal protection. I instead used custom security headers via .htaccess & functions.php files. I disabled right clicking, F12 & print preview. I changed the admin login URL. Source: over 1 year ago
Useful tool for testing site headers here: https://securityheaders.com/. Source: over 1 year ago
We checked the page works at the end of a previous section. You might also want to check the HTTP security headers. Both SecurityHeaders.com and Mozilla Observatory are good for this. You might not be able to get an A+ on both because SvelteKit does not add style CSP hashes (at the time of writing). Instead we used the style-src: unsafe-inline directive. CSS hashes are important, though; maliciously injected... - Source: dev.to / over 1 year ago
I have just done a scan of the headers again using securityheaders.com and I get two very different results if I follow the redirect to the HTTPS vs. not following the redirect (going to the HTTP). See what I mean here: https://imgur.com/a/SkYGkNZ. Source: over 1 year ago
I have never experienced this with any of my WP-based sites but if I did, I would take it offline, delete the existing database, create a new one and put up a simple landing page/site, and then rebuild the site from scratch, assuming the site was infected because of older WordPress or plug-in security issues. Along with all the typical security hardening steps, you should also whitelist your (and his?) IP... Source: over 1 year ago
This is all good, but when I deployed to Netlify and ran a test using the securityheaders.com site, I was getting nothing back for CSP. For that reason I tried an alternative approach. An alternative to including CSP in meta tags is to use HTTP headers. Both are valid, though the HTTP header is a stronger approach in most cases. Additionally, using HTTP headers you can add reporting, using a service like... - Source: dev.to / over 1 year ago