It follows the hugely appreciated SSL Server Test from Qualys’ SSL Labs, which rates a website’s SSL/TLS configuration and highlights its weaknesses.
However, Mozilla’s Observatory scans for a wider range of security mechanisms, whereas the SSL Server Test only checks the TLS implementation.
The Observatory code is open source, with its API and command-line tools available for administrators who want to scan large numbers of websites internally and/or periodically.
The scan can include: Content Security Policy (CSP), HTTP Public Key Pinning, HTTP Strict Transport Security (HSTS), redirections, subresource integrity, X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, and Cross-Origin Resource Sharing (CORS), among others.
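As an added example that is not part of the article or of the Observatory project, the following Python function checks a response's headers for several of the mechanisms listed above (CSP, HSTS, clickjacking protection, MIME sniffing, X-XSS-Protection and CORS) against constructed sample responses. Its thresholds and finding texts are simplified assumptions of mine, not Observatory's scoring rules.

```python
"""Offline audit of common HTTP security headers (illustrative; the checks
and thresholds below are simplified and are not Observatory's scoring)."""
import re

# Constructed sample responses; neither was captured from a real site.
HARDENED = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Access-Control-Allow-Origin": "https://app.example.com",
}
WEAK = {
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=300",
    "Access-Control-Allow-Origin": "*",
}

SIX_MONTHS = 15552000  # seconds; assumed minimum acceptable HSTS max-age


def audit(headers):
    """Return a list of findings for a dict of response headers (names case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP missing")
    elif "'unsafe-inline'" in csp or re.search(r"default-src[^;]*\*", csp):
        findings.append("CSP allows unsafe-inline or wildcard sources")
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < SIX_MONTHS:
            findings.append("HSTS max-age shorter than six months")
    # Framing is controlled by CSP frame-ancestors or, failing that, X-Frame-Options.
    if "frame-ancestors" not in (csp or "") and \
            h.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("no clickjacking protection (frame-ancestors / X-Frame-Options)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not 'nosniff'")
    if h.get("x-xss-protection") not in (None, "0", "1; mode=block"):
        findings.append("X-XSS-Protection set to a value other than '0' or '1; mode=block'")
    acao = h.get("access-control-allow-origin")
    if acao == "*" and h.get("access-control-allow-credentials", "").lower() == "true":
        findings.append("CORS wildcard origin combined with credentials")
    elif acao == "*":
        findings.append("CORS allows any origin")
    return findings
```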
The test results usually come with links back to Mozilla’s web security guidelines, with implementation examples to enable website administrators to more easily understand the issues detected during the scan.
While the results may not be perfectly accurate for every site, since the security needs of some sites are considerably more complicated, the adoption of these standards will make developers, system administrators, and security professionals more familiar with them.