Website security grade
25 March 2019
After last week's blunder things could only get better. And they do this week.
So far the website security checks that Shadowtrackr did were not mature enough. I always wanted some sort of easy to grasp grade like SSLLabs has for certificates. After looking around for a while I settled on the Mozilla Observatory grading system.
It has a similar grading scheme to SSLLabs and does proper security checks. Some other ratings systems, like
internet.nl, are less focused on security. Don't get me wrong, I fully support the internet.nl checks, but I just don't think that if your hosting provider's nameserver is not reachable over ipv6 this should cost you security points. I'd rather have a good CSP to protect against XSS attacks.
The scoring on the CSP part is, for now, quite brutal to be honest. A CSP that allows unsafe-inline will cost you about 20 points, which caps your grade at a B+. This means ShadowTrackr will show it as a warning (orange). A lot of orange and red will show up. Interpret these as your opportunities to really improve website security :-)
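As an added example (not ShadowTrackr's or Mozilla Observatory's own code), here is a small CSP header checker that flags the weaknesses the post says cost points, chiefly unsafe-inline, with a weak policy beside its nonce-based hardened form. The two policies are constructed samples, and the specific checks are assumptions modelled on common CSP guidance, not the Observatory's exact scoring.

```python
INLINE_OK = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

# Constructed sample: the common "works everywhere" policy that Observatory-style
# grading penalises: unsafe-inline, scheme-wide https:, no frame-ancestors.
WEAK_CSP = ("default-src 'self'; script-src 'self' 'unsafe-inline' https:; "
            "style-src 'self' 'unsafe-inline'")

# Constructed sample: the hardened version, using a per-response nonce for
# scripts instead of 'unsafe-inline' (placeholder nonce value).
HARDENED_CSP = ("default-src 'none'; script-src 'self' 'nonce-PLACEHOLDER'; "
                "style-src 'self'; img-src 'self'; frame-ancestors 'none'")

def parse_csp(header):
    """Parse a CSP header into {directive: [sources]}. Browsers honour only
    the first occurrence of a directive, so repeats are ignored here too."""
    policy = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy

def effective_sources(policy, directive):
    """script-src and style-src fall back to default-src when absent;
    None means nothing restricts that directive at all."""
    return policy.get(directive, policy.get("default-src"))

def csp_findings(header):
    """Return a list of human-readable weaknesses; an empty list is clean."""
    policy = parse_csp(header)
    findings = []
    for directive in ("script-src", "style-src"):
        sources = effective_sources(policy, directive)
        if sources is None:
            findings.append(f"{directive}: unrestricted (no directive, no default-src)")
            continue
        # CSP Level 2+ browsers ignore 'unsafe-inline' once a nonce or hash is
        # listed, so only flag it when no nonce/hash accompanies it.
        if "'unsafe-inline'" in sources and not any(
                s.startswith(INLINE_OK) for s in sources):
            findings.append(f"{directive}: 'unsafe-inline' allowed")
        if directive == "script-src" and "'unsafe-eval'" in sources:
            findings.append("script-src: 'unsafe-eval' allowed")
        broad = [s for s in sources if s in ("*", "https:", "http:", "data:")]
        if broad:
            findings.append(f"{directive}: overly broad source(s) {' '.join(broad)}")
    if "frame-ancestors" not in policy:
        findings.append("frame-ancestors missing (no clickjacking protection)")
    return findings
```

Running `csp_findings(WEAK_CSP)` lists four findings while `csp_findings(HARDENED_CSP)` returns an empty list; the fallback rule means a page that sets only `img-src` is reported as unrestricted for both scripts and styles.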
The grades are added to the website report. If you click the website link from the report, you can see on the website page what tests were done and how your grade is calculated.