Mozilla’s Observatory for vulnerabilities in configuration options and security mechanisms

Mozilla has launched Observatory, an online website scanner that checks whether web servers have the best security settings in place. The tool was initially used in-house by Mozilla's security team, but has now been expanded and made available to other web administrators.

It follows the hugely appreciated SSL Server Test from Qualys’ SSL Labs, which rates a website’s SSL/TLS configuration and highlights its weaknesses.

However, Mozilla’s Observatory scans for a wider range of security mechanisms than the SSL Server Test, which only checks the TLS implementation.

The Observatory code is open source, with its API and command-line tools available for administrators who want to scan a large number of websites internally and/or periodically.

The scan can include: Content Security Policy (CSP), HTTP Public Key Pinning, HTTP Strict Transport Security (HSTS), redirections, subresource integrity, X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, and Cross-Origin Resource Sharing (CORS), among others.
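To show what checking a few of these mechanisms involves, here is an added example written for this page; it is not Observatory's own scoring code. It examines a mapping of response headers for HSTS, CSP, X-Frame-Options, X-Content-Type-Options and a permissive CORS origin, returning a finding per check. The six-month HSTS threshold, the finding wording and the sample header sets are assumptions constructed for the illustration; `scan_url` is a small convenience wrapper that needs network access and is not exercised by the sample data.

```python
import re
import urllib.request

# Added illustration for this page: minimal checks for several of the
# response-header mechanisms the Observatory scan covers. This is not
# Observatory's own scoring code; the six-month HSTS threshold and the
# wording of the findings are assumptions.

SIX_MONTHS = 15552000  # seconds; assumed minimum acceptable HSTS max-age


def parse_csp(value):
    """Split a CSP header into {directive-name: [source, ...]} (lower-cased)."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return directives


def check_hsts(h):
    value = h.get("strict-transport-security")
    if value is None:
        return "HSTS header not set"
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    if m is None:
        return "HSTS header lacks max-age"
    if int(m.group(1)) < SIX_MONTHS:
        return "HSTS max-age shorter than six months"
    return "ok"


def check_csp(h):
    value = h.get("content-security-policy")
    if value is None:
        return "CSP header not set"
    d = parse_csp(value)
    # script-src falls back to default-src when it is absent
    sources = d.get("script-src", d.get("default-src"))
    if sources is None:
        return "CSP sets neither default-src nor script-src"
    if "'unsafe-inline'" in sources:
        return "CSP allows inline scripts ('unsafe-inline')"
    return "ok"


def check_x_frame_options(h):
    value = h.get("x-frame-options")
    if value is None:
        return "X-Frame-Options not set"
    if value.strip().upper() not in ("DENY", "SAMEORIGIN"):
        return "X-Frame-Options has an unrecognised value"
    return "ok"


def check_x_content_type_options(h):
    value = h.get("x-content-type-options")
    if value is None or value.strip().lower() != "nosniff":
        return "X-Content-Type-Options not set to nosniff"
    return "ok"


def check_cors(h):
    value = h.get("access-control-allow-origin")
    if value is not None and value.strip() == "*":
        return "CORS allows any origin (acceptable only for public resources)"
    return "ok"


CHECKS = {
    "hsts": check_hsts,
    "csp": check_csp,
    "x-frame-options": check_x_frame_options,
    "x-content-type-options": check_x_content_type_options,
    "cors": check_cors,
}


def scan_headers(headers):
    """Run every check against a mapping of response headers (any letter case)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return {name: fn(lowered) for name, fn in CHECKS.items()}


def scan_url(url, timeout=10):
    """Fetch a URL and scan its response headers (requires network access)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return scan_headers(dict(resp.headers.items()))


# Constructed sample responses for the illustration, not captured from any real site.
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=3600",
    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "ALLOWALL",
}

HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'none'; script-src 'self'; object-src 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(label)
        for name, finding in scan_headers(hdrs).items():
            print(f"  {name}: {finding}")
```

Running the block prints one finding per check for the weak and the hardened sample; the weak set is flagged on four of the five checks while the hardened set passes all of them. A real scanner also needs to follow redirections and judge CSP far more carefully, which is exactly the work Observatory does for you.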

The test results usually come with links back to Mozilla’s web security guidelines, which include implementation examples so that website administrators can more easily understand the issues detected during the scan.

While the results may not be perfectly accurate for every site, since the security needs of some sites are considerably more complicated, the adoption of these standards will make developers, system administrators, and security professionals more familiar with them.