Web site security checklists

There are a tremendous number of things you can do today to make your site more secure, while preserving compatibility with all but the oldest web clients (I’m looking at you, Java 6 and Internet Explorer 6). If you haven’t been keeping up with the state of the art, this includes things like (cue Benny Hill music):

  1. selecting your SSL/TLS cipher suites and their order (forward-secret suites first, no RC4, export, or NULL ciphers)
  2. disabling SSLv2 and SSLv3, TLS compression (the CRIME attack), and TLS session tickets unless you rotate the ticket key, since a long-lived static ticket key undoes forward secrecy
  3. setting a strict transport security (HSTS) header, which tells browsers to refuse plain-HTTP connections to your site for a set period after they have seen the header over HTTPS
  4. setting a public key pins (HPKP) header, which tells browsers to accept only certificates chaining to keys you have pinned, so a mis-issued certificate is rejected (a bad pin set locks visitors out for the whole max-age, and browsers have since dropped HPKP support, so treat this item as historical)
  5. setting a content security policy (CSP) header, which whitelists where scripts, styles, images and the like may be loaded from and blocks injected or third-party content that is not on the list
  6. adding subresource integrity attributes to <link> and <script> tags, so the browser refuses a file from your own static host or CDN whose hash does not match the one you published
  7. correctly setting Cache-Control headers (no-store on anything personalized or authenticated)
  8. and much, much more
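Items 3 through 7 are the ones the header checkers below grade, so here is what such a check looks like in code. This is an added example, not code from the post or from any of the tools it lists: an offline audit of HSTS, HPKP, CSP and Cache-Control values, plus the hash that goes into a subresource integrity attribute. The two header sets and the pin values (base64 of fixed bytes, not real key digests) are constructed, and the 180-day HSTS minimum is an assumed threshold.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample responses: one set of headers done right, one with the
# mistakes the checkers flag most often.  Pins are base64 of fixed bytes,
# not real key digests.
def _fake_pin(byte):
    return base64.b64encode(bytes([byte]) * 32).decode()

HARDENED = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Public-Key-Pins": (f'pin-sha256="{_fake_pin(1)}"; pin-sha256="{_fake_pin(2)}"; '
                        "max-age=5184000; includeSubDomains"),
    "Content-Security-Policy": "default-src 'none'; script-src 'self' https://cdn.example; style-src 'self'",
    "Cache-Control": "no-store",
}
SLOPPY = {
    "Strict-Transport-Security": "max-age=300",
    "Public-Key-Pins": f'pin-sha256="{_fake_pin(1)}"; max-age=5184000',
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
    # no Cache-Control at all
}

def check_hsts(value, min_age=15552000):
    """HSTS needs a max-age long enough to matter (180 days assumed here) and should cover subdomains."""
    if value is None:
        return ["HSTS header missing"]
    findings = []
    m = re.search(r"max-age=(\d+)", value, re.I)
    if not m:
        findings.append("HSTS max-age missing")
    elif int(m.group(1)) < min_age:
        findings.append(f"HSTS max-age {m.group(1)} is shorter than {min_age}s")
    if "includesubdomains" not in value.lower():
        findings.append("HSTS does not cover subdomains")
    return findings

def check_hpkp(value):
    """RFC 7469 requires at least two pins (one a backup key kept offline); each is a base64 SHA-256."""
    if value is None:
        return ["HPKP header missing"]
    pins = re.findall(r'pin-sha256="([^"]+)"', value)
    findings = []
    if len(pins) < 2:
        findings.append("HPKP has fewer than two pins (no backup pin means a lost key locks visitors out)")
    for pin in pins:
        try:
            raw = base64.b64decode(pin, validate=True)
        except ValueError:  # binascii.Error is a ValueError
            raw = b""
        if len(raw) != 32:
            findings.append(f"HPKP pin {pin!r} is not a base64 SHA-256 digest")
    return findings

def check_csp(value):
    """Script sources are what stop XSS: no 'unsafe-inline', no wildcard host, and a default-src fallback."""
    if value is None:
        return ["CSP header missing"]
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    findings = []
    if "default-src" not in directives:
        findings.append("CSP has no default-src fallback")
    script = directives.get("script-src", directives.get("default-src", []))
    if "'unsafe-inline'" in script:
        findings.append("script-src allows 'unsafe-inline', so injected scripts still run")
    if "*" in script:
        findings.append("script-src allows scripts from any host")
    return findings

def check_cache(value, sensitive=True):
    """Anything personalized or authenticated must not land in a shared cache."""
    if sensitive and (value is None or "no-store" not in value.lower()):
        return ["sensitive response lacks Cache-Control: no-store"]
    return []

def audit(headers, sensitive=True):
    """Run every check over one response's headers; an empty list means it passed."""
    h = {k.lower(): v for k, v in headers.items()}
    return (check_hsts(h.get("strict-transport-security"))
            + check_hpkp(h.get("public-key-pins"))
            + check_csp(h.get("content-security-policy"))
            + check_cache(h.get("cache-control"), sensitive))

def sri_hash(body, algo="sha384"):
    """Value for an integrity="..." attribute: algorithm, a dash, base64 of the digest of the exact bytes served."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, body).digest()).decode()}"

def sri_matches(body, integrity):
    """What the browser does before running a fetched script: recompute the digest and compare."""
    return hmac.compare_digest(sri_hash(body, integrity.split("-", 1)[0]), integrity)
```

Running audit(SLOPPY) returns six findings (short HSTS lifetime, no subdomain coverage, a single pin, a wildcard and 'unsafe-inline' in the script policy, and no no-store), while audit(HARDENED) returns none. The digest has to be taken over the exact bytes the CDN serves; a minifier or a gzip-on-disk step between you and the CDN is the usual reason an SRI check fails in production.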

It can be a lot to keep up with, and this doesn’t even get into the things you can do for performance (like session caching, OCSP stapling, and NPN/ALPN, which browsers require before they will use TLS False Start). Fortunately, there are several tools out there that make checking your site a lot easier, and they often include helpful links and reference information to help you resolve any findings. I’ve known about Qualys SSL Labs’ test for some time now, but a recent thread on Hacker News clued me into the existence of several more. (I even made one suggestion to the creator of HTTP Security Report that led to a false positive test result being resolved!)

Here’s a partial list with some notes. All services are free unless otherwise noted.

  • SSL/TLS
    • Qualys SSL Labs
      The gold standard of SSL/TLS testing: start here. Tests IPv4 and IPv6 sites. Includes a helpful breakdown of what’s enabled, where you might be vulnerable, client compatibility, etc., and information on how to resolve any findings. Here are the results for fanriff.com.
    • SSL-Tools
      Similar to Qualys, but lets you sign up for an account and will regularly monitor your site for (adverse) changes.
    • testssl.sh
      A free command-line tool that runs the same kind of checks from your own machine, which also makes it usable against internal hosts the hosted scanners can’t reach.
    • CryptCheck
      This site is in French, but it will do a detailed analysis of your SSL/TLS ciphers.
  • General
    • HTTP Security Report
      This excellent tool runs through a huge checklist and grades your site on the results. Great for checking headers and web server configuration options, and includes a great best practices reference to help resolve any findings. Here are the results for fanriff.com.
    • Microsoft Edge Site Scan
      Similar to HTTP Security Report, checks your site for common security and compatibility issues.
    • securityheaders.io
      Similar to HTTP Security Report, checks your site’s headers.
    • sritest.io
      Similar to HTTP Security Report, checks your site for subresource integrity attributes on <link> and <script> tags.

Finally, I want to give a quick shout-out to another extremely helpful tool, report-uri.io. You can configure CSP and HPKP to tell clients to send violation reports to a reporting URL (CSP’s report-uri directive, and HPKP’s report-uri field or the Public-Key-Pins-Report-Only header). This free service aggregates those reports for you and presents a neat dashboard for reviewing them.
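To show what arrives at such a reporting URL and what the dashboard has to do with it, here is an added example that is not report-uri.io’s code: a small aggregator over CSP violation reports in the JSON shape browsers POST (a top-level csp-report object with document-uri, effective-directive, blocked-uri and so on). The report bodies, the fanriff.com document URI and the evil.example and fonts.example hosts are constructed; the grouping by blocked origin and the filtering of browser-extension noise are design choices of this example.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# Schemes that show up in blocked-uri when a browser extension injects content;
# a dashboard that doesn't filter these drowns in them.
EXTENSION_SCHEMES = {"chrome-extension", "moz-extension", "safari-extension", "ms-browser-extension"}

def _report(blocked, directive="script-src",
            policy="default-src 'none'; script-src 'self'; report-uri /csp"):
    """Build one report body in the shape a browser POSTs (constructed sample data)."""
    return json.dumps({"csp-report": {
        "document-uri": "https://fanriff.com/",
        "referrer": "",
        "violated-directive": f"{directive} 'self'",
        "effective-directive": directive,
        "original-policy": policy,
        "blocked-uri": blocked,
        "status-code": 200,
    }})

# Constructed inbox: two hits from one foreign host, an inline script, an
# extension injection, a font, and two bodies that aren't reports at all.
RAW_REPORTS = [
    _report("https://evil.example/x.js"),
    _report("https://evil.example/y.js"),
    _report("inline"),
    _report("chrome-extension://abcdefgh/content.js"),
    _report("https://fonts.example/font.woff", directive="font-src"),
    '{"not-a-report": true}',
    "garbage{",
]

def parse_report(raw):
    """Return the inner csp-report dict, or None if the body is not a CSP report."""
    try:
        body = json.loads(raw)
    except ValueError:
        return None
    report = body.get("csp-report") if isinstance(body, dict) else None
    if not isinstance(report, dict) or "blocked-uri" not in report:
        return None
    return report

def blocked_origin(blocked_uri):
    """Collapse a blocked URI to its origin so the dashboard groups by source, not by path."""
    parts = urlsplit(blocked_uri)
    if parts.scheme and parts.netloc:
        return f"{parts.scheme}://{parts.netloc}"
    return blocked_uri or "(empty)"   # 'inline', 'eval', 'data', or a blank value

def classify(origin):
    """Rough triage: extension injections are noise, inline/eval need a look, the rest is an external host."""
    if origin.split("://", 1)[0] in EXTENSION_SCHEMES:
        return "noise"
    if origin in ("inline", "eval"):
        return "review"
    return "external"

def summarize(raw_reports):
    """Count reports per (directive, origin), dropping bodies that don't parse."""
    counts = Counter()
    for raw in raw_reports:
        report = parse_report(raw)
        if report is None:
            continue
        directive = report.get("effective-directive") or (report.get("violated-directive") or "?").split()[0]
        counts[(directive, blocked_origin(report["blocked-uri"]))] += 1
    return counts

def dashboard(raw_reports):
    """Rows of (count, directive, origin, triage), busiest first."""
    rows = [(n, directive, origin, classify(origin))
            for (directive, origin), n in summarize(raw_reports).items()]
    return sorted(rows, key=lambda r: (-r[0], r[1], r[2]))

if __name__ == "__main__":
    for row in dashboard(RAW_REPORTS):
        print(*row)
```

A real endpoint should also reject anything without Content-Type application/csp-report and cap the body size, since the URL is public and anyone can POST to it; the parser above already throws away the two malformed bodies, which is the same habit applied to the content.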
