Website redirect grading change
27 April 2021
The last few weeks saw lots of small improvements and bug fixes. Some are noticeable, like search results paging in the GUI. Others concern edge cases or events that do not apply to everyone, like better detection for Drupal, F5 BigIP and Fortinet.
The most noticeable is probably the grade change on redirected websites. When you fully redirect a website with a 301 or 302, there is no content served. Technically, you can set security headers to prevent things like an XSRF attack. But as there is no content served, you can’t perform an actual XSRF attack. You might be able to do so on the redirect destination, but that is a different website with its own content and its own grade.
One client had a lot of these redirects and they all showed up with a big red F in the reports. While it would be fixable by setting the security headers anyway, this is not what the color red is supposed to mean in ShadowTrackr. Red is a problem, and means that you need to fix it as soon as possible. Red is dangerous, unlike orange, which is a warning and means that you should fix it when you have the time.
So, security headers related to content on fully redirected websites are no longer counted in your website grades.
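The grading rule described above, written out as an added example (not ShadowTrackr's own code): a full 301/302 redirect that serves no body is exempt from the content-related header checks, while a transport-level header such as HSTS still counts because browsers honour it on redirect responses too. The header lists, the `Response` class, the sample responses and the A/F grading are constructed for illustration.

```python
"""Added example, not ShadowTrackr's code: skip content-related security
headers when grading a full redirect that serves no content."""

from dataclasses import dataclass

# Assumption: headers that only matter when a document is actually rendered.
CONTENT_HEADERS = (
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
)

# Assumption: headers that apply to the transport no matter what is served.
# HSTS is honoured by browsers on any HTTPS response, redirects included.
TRANSPORT_HEADERS = ("strict-transport-security",)


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed for this example)."""
    status: int
    headers: dict
    body: bytes = b""

    def normalized_headers(self) -> dict:
        return {k.lower(): v for k, v in self.headers.items()}


def is_full_redirect(resp: Response) -> bool:
    """True for a 301/302 with a Location header and no content served."""
    return (
        resp.status in (301, 302)
        and "location" in resp.normalized_headers()
        and not resp.body
    )


def missing_headers(resp: Response, skip_content_on_redirect: bool = True) -> list:
    """Return the security headers that are missing and actually apply.

    With skip_content_on_redirect=False you get the old behaviour, where a
    bare redirect was graded as if it served a page.
    """
    present = resp.normalized_headers()
    required = list(TRANSPORT_HEADERS)
    if not (skip_content_on_redirect and is_full_redirect(resp)):
        required += CONTENT_HEADERS
    return [name for name in required if name not in present]


def grade(resp: Response, skip_content_on_redirect: bool = True) -> str:
    """Assumed grading: A when nothing applicable is missing, F otherwise."""
    return "A" if not missing_headers(resp, skip_content_on_redirect) else "F"


# Constructed sample responses.
REDIRECT = Response(
    status=301,
    headers={
        "Location": "https://www.example.com/",
        "Strict-Transport-Security": "max-age=31536000",
    },
)
PAGE = Response(
    status=200,
    headers={
        "Content-Type": "text/html",
        "Strict-Transport-Security": "max-age=31536000",
    },
    body=b"<html><body>hello</body></html>",
)

if __name__ == "__main__":
    print("redirect, new rule:", grade(REDIRECT), missing_headers(REDIRECT))
    print("redirect, old rule:", grade(REDIRECT, False), missing_headers(REDIRECT, False))
    print("real page:", grade(PAGE), missing_headers(PAGE))
```

Running it shows the bare redirect moving from F (four content headers "missing") to A under the new rule, while a real page without those headers still grades F. Dropping the HSTS header from the redirect would still flag it, because that header protects the transport rather than the content.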