Mozilla has launched a free website security testing tool that lets developers and administrators find out whether they are using the security tools available to them to their full potential.
The tool, called Observatory, was developed by information security engineer April King to test Mozilla's own domains. It has now been made available for free, along with its source code. It performs around 12 tests, including checks for Contribute.json, cookies, Content Security Policy, HTTP Public Key Pinning, cross-origin resource sharing, HTTP Strict Transport Security, subresource integrity, redirections, and the X-Frame-Options, X-Content-Type-Options, and X-XSS-Protection headers.
April King has said that most developers and administrators have never heard of most of these tools, because their documentation is scattered across countless articles, websites, and specifications.
When a user runs Observatory, the scan reports a score for each of the tests it performs. The score indicates how well the corresponding standard has been implemented on the tested website, and recommendations for improvement are provided alongside it. An overall grade for the website is given as well. Mozilla has tested more than 1.3 million websites using Observatory.
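To make the per-test scoring concrete, here is an added example in the spirit of the checks listed above. It is not Observatory's code and does not use its real scoring rules: the point deductions, the six-month HSTS threshold, the letter-grade cutoffs and the two sample HTTP responses are all constructed for illustration. It parses a raw response, checks HSTS, CSP, X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, CORS and cookie flags, and returns a score together with a list of recommendations.

```python
"""Illustrative security-header scorer (added example, not Observatory's own code).

Deduction weights, the HSTS max-age threshold and the grade cutoffs are assumed
values chosen for this example; Observatory's real rules differ.
"""
import re
from typing import Dict, List, Tuple

SIX_MONTHS = 15_552_000  # seconds; assumed minimum HSTS max-age for this example


def parse_response(raw: str) -> Tuple[str, Dict[str, List[str]]]:
    """Split a raw HTTP/1.1 response into (status line, headers).

    Header names are lower-cased; repeated headers such as Set-Cookie are
    collected into a list in order of appearance.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def check_headers(raw: str) -> Tuple[int, List[str]]:
    """Return (score out of 100, list of recommendations) for one response."""
    _status, h = parse_response(raw)
    score = 100
    advice: List[str] = []

    def first(name: str) -> str:
        return h.get(name, [""])[0]

    def deduct(points: int, msg: str) -> None:
        nonlocal score
        score -= points
        advice.append(msg)

    # HSTS: header present, with a max-age long enough to matter
    hsts = first("strict-transport-security")
    m = re.search(r"max-age=(\d+)", hsts, re.I)
    if not m:
        deduct(20, "Add Strict-Transport-Security with a max-age of at least six months")
    elif int(m.group(1)) < SIX_MONTHS:
        deduct(10, "Raise Strict-Transport-Security max-age to at least six months")

    # CSP: header present, and script execution not loosened with 'unsafe-inline'
    csp = first("content-security-policy")
    if not csp:
        deduct(25, "Add a Content-Security-Policy header")
    else:
        directives = {d.strip().split(" ")[0]: d.strip() for d in csp.split(";") if d.strip()}
        script_src = directives.get("script-src") or directives.get("default-src", "")
        if "'unsafe-inline'" in script_src:
            deduct(10, "Remove 'unsafe-inline' from script-src (or default-src)")

    # Clickjacking: X-Frame-Options, or the CSP frame-ancestors directive as the modern equivalent
    if not first("x-frame-options") and "frame-ancestors" not in csp.lower():
        deduct(10, "Add X-Frame-Options: DENY/SAMEORIGIN or a CSP frame-ancestors directive")

    if first("x-content-type-options").lower() != "nosniff":
        deduct(5, "Add X-Content-Type-Options: nosniff")

    if not first("x-xss-protection"):
        deduct(5, "Add X-XSS-Protection: 1; mode=block")

    # CORS: a wildcard origin exposes the response to every site
    if first("access-control-allow-origin") == "*":
        deduct(5, "Avoid Access-Control-Allow-Origin: * unless the resource is truly public")

    # Cookies: every Set-Cookie should carry both Secure and HttpOnly
    for cookie in h.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        missing = [f for f in ("secure", "httponly") if f not in attrs]
        if missing:
            deduct(5, f"Cookie {name!r} lacks: {', '.join(missing)}")

    return max(score, 0), advice


def grade(score: int) -> str:
    """Map a score to a letter grade (cutoffs are assumed for this example)."""
    for cutoff, letter in ((90, "A"), (80, "B"), (70, "C"), (60, "D")):
        if score >= cutoff:
            return letter
    return "F"


# Constructed sample responses: one with no hardening, one with the headers set.
WEAK_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Content-Type: text/html",
    "Set-Cookie: session=abc123; Path=/",
    "Access-Control-Allow-Origin: *",
]) + "\r\n\r\n<html></html>"

HARDENED_RESPONSE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Content-Type: text/html",
    "Strict-Transport-Security: max-age=31536000; includeSubDomains",
    "Content-Security-Policy: default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options: DENY",
    "X-Content-Type-Options: nosniff",
    "X-XSS-Protection: 1; mode=block",
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
]) + "\r\n\r\n<html></html>"

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        s, tips = check_headers(resp)
        print(f"{label}: score {s} grade {grade(s)}")
        for tip in tips:
            print("  -", tip)
```

Running the block scores the weak response 25 (grade F) with seven recommendations and the hardened one 100 (grade A) with none; the CSP check also accepts `frame-ancestors` in place of X-Frame-Options, which is the direction current guidance points.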
The results have shown that only 30% of the websites tested use HTTPS, and not even 7% take advantage of the other security measures Observatory tests for. Their testing has revealed that more than 90% of websites today do not take security as seriously as they should.
While Observatory does provide a good analysis of a website's security measures, it should not be taken as the last word. April King has said that it is quite a developer-centric tool as of now, meaning that the grading parameters are set very aggressively in order to promote better security standards. Therefore, site owners should not panic on receiving a poor rating from Observatory.
Instead, they should take note of its recommendations and work to improve their security. The results might also not be as accurate as developers believe them to be, because the needs of different types of websites vary with their complexity.
Mozilla has been proactive in promoting secure measures for everyone to implement. It has been pushing for widespread use of HTTPS for a while now, and the developer version of its browser now warns when a website requests a user's password over HTTP.