Website grades have changed

Just like your certificates, your website have a security score too. This has been available in ShadowTrackr for a while, but wasn’t actively used or included in reports or graphs. Since most clients had quite a lot of bad grades, I wasn’t really sure how we should handle this.

No pain, no gain though. Since the goal is to improve your security, at some point these bad grades had to make an entry. That just happened, and quite a few of you will see extra red dots appear on your graphs and under reports.

We’ll start slowly with marking every website graded ‘F’ as a problem. Anything between A and F will be a warning for now (but note that we’ll get stricter at some point in the future). The grades are based on the Mozilla Observatory scores.

So, what do you do now? Work on improving your website security of course! For some quick fixes to get you out of the red, set these HTTP headers in your webserver:

X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000; includeSubDomains

If you want even better scores, read up on Content-Security-Policy and Subresource-Integrity.