Mozilla recently released a security header grading site, https://observatory.mozilla.org/. Of course I had to plug my site into the scanner and found that I got an F. Not good for a security guy.

According to April King of Mozilla, the Observatory “grading is set very aggressively to promote best practices in web security”. And looking at the published scores, the vast majority of sites fail the Observatory tests.

Obviously I wasn’t going to settle for an F, so here’s some notes on how I got the score up to an A+.
Content Security Policy
Content Security Policy (CSP) is a response header that tells the browser which sources it may load scripts, styles, images, fonts and other resources from. Done correctly it is an allowlist, and it is the strongest browser-side mitigation for XSS: an injected <script src> pointing at an attacker's host simply won't load, and a policy without 'unsafe-inline' won't run injected inline script either. That second part is where CSP does the most good, and it means you can't have code between <script> tags on a page unless it carries a nonce or hash the policy allows (lookin' at you, Google Analytics snippet). Retrofitting CSP onto an existing site takes quite a bit of tweaking, but it is worth it: CSP won't remove an XSS bug, but it takes away most of what an attacker can do with one.
My recommendation is to start with a really simple policy like default-src 'none'; script-src 'self'; img-src 'self'; style-src 'self'; and to ship it first in the Content-Security-Policy-Report-Only header, which reports violations to the console (and to a report-uri, if you set one) without blocking anything. Browse the site with Developer Tools open and review the console for violations: each one is either a legitimate host to add to the policy or an inline script to move into a file. Once the console is clean, rename the header to Content-Security-Policy to enforce it.
For my site, the biggest change was to move Google Analytics from an inline <script> block to a separate .js include. Moving the code to an include file required some tweaking, and here's my final script:

    // Classic (ga.js) Google Analytics loader, served from the site's own origin
    // so that script-src 'self' covers it; the loader then fetches ga.js from
    // ssl.google-analytics.com, which the policy lists explicitly.
    var _gaq = _gaq || [];
    _gaq.push(['_setAccount', 'UA-52558-13']);
    _gaq.push(['_trackPageview']);
    (function() {
      var ga = document.createElement('script');
      ga.type = 'text/javascript';
      ga.async = true;
      ga.src = 'https://ssl.google-analytics.com/ga.js';
      var s = document.getElementsByTagName('script')[0];
      s.parentNode.insertBefore(ga, s);
    })();
After much tweaking, here's the policy I came up with for my site:

    Content-Security-Policy: default-src 'self'; script-src 'self' ssl.google-analytics.com www.google-analytics.com; style-src 'self' fonts.googleapis.com maxcdn.bootstrapcdn.com; font-src fonts.gstatic.com maxcdn.bootstrapcdn.com; object-src 'self'; img-src www.google-analytics.com

One thing to keep in mind when reading a policy like this: default-src is only a fallback for directives that are missing. Once img-src or font-src is listed, default-src 'self' no longer applies to images or fonts, so a site that serves any of its own images or fonts needs 'self' in those directives too; the browser console will show the blocked requests.
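As an added example that is not part of the original post, the JavaScript below is a simplified evaluator for CSP fetch directives. It implements the two rules that matter most when tuning a policy, the default-src fallback and host-source matching, and runs the finished policy above against a handful of loads. The page origin https://www.example.com is an assumed stand-in for the author's site, and the helper names are mine; browsers implement considerably more (nonces, hashes, path matching, 'strict-dynamic').

```javascript
// Added example, not code from the original post: a simplified CSP evaluator.
//  1. default-src is only a fallback for directives that are absent; once
//     img-src (say) is present, default-src plays no part for images.
//  2. A host source matches by hostname, plus scheme and port when given;
//     a schemeless host inherits the page's scheme.

// "default-src 'self'; script-src 'self' a.com" ->
// { "default-src": ["'self'"], "script-src": ["'self'", "a.com"] }
function parsePolicy(policy) {
  const directives = {};
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // The first occurrence of a directive wins; duplicates are ignored.
    if (!(name in directives)) directives[name] = tokens.slice(1);
  }
  return directives;
}

// Does one source expression permit loading `url` from a page at `pageOrigin`?
function sourceMatches(source, url, pageOrigin) {
  const u = new URL(url);
  const page = new URL(pageOrigin);
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return u.origin === page.origin;
  if (s.startsWith("'")) return false; // other keywords never match a URL
  if (s === "*") return u.protocol === "http:" || u.protocol === "https:";
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return u.protocol === s; // scheme source, e.g. "https:"
  // Host source: [scheme://]host[:port][/path]; the path part is ignored here.
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(?:\/.*)?$/.exec(s);
  if (!m) return false;
  const [, scheme, host, port] = m;
  const wantProtocol = scheme ? scheme + ":" : page.protocol; // schemeless: inherit page scheme
  if (u.protocol !== wantProtocol) return false;
  if (host.startsWith("*.")) {
    if (!u.hostname.endsWith(host.slice(1))) return false; // *.a.com matches b.a.com, not a.com
  } else if (u.hostname !== host) {
    return false;
  }
  if (port && port !== "*") {
    const actual = u.port || (u.protocol === "https:" ? "443" : "80");
    if (actual !== port) return false;
  }
  return true;
}

// url === null stands for an inline <script> or <style> block.
function isAllowed(policy, directive, url, pageOrigin) {
  const d = parsePolicy(policy);
  const sources = directive in d ? d[directive] : d["default-src"];
  if (sources === undefined) return true; // nothing restricts this resource type
  if (url === null) return sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
  return sources.some((s) => sourceMatches(s, url, pageOrigin));
}

const SITE = "https://www.example.com"; // assumed stand-in for the author's site
const STARTER = "default-src 'none'; script-src 'self'; img-src 'self'; style-src 'self'";
const FINAL =
  "default-src 'self'; script-src 'self' ssl.google-analytics.com www.google-analytics.com; " +
  "style-src 'self' fonts.googleapis.com maxcdn.bootstrapcdn.com; " +
  "font-src fonts.gstatic.com maxcdn.bootstrapcdn.com; object-src 'self'; img-src www.google-analytics.com";

// A few loads the finished policy allows or blocks (null = inline block).
const CHECKS = [
  ["script-src", "https://ssl.google-analytics.com/ga.js"], // true: listed host
  ["script-src", "http://ssl.google-analytics.com/ga.js"],  // false: schemeless host inherits https
  ["script-src", null],                                      // false: no 'unsafe-inline', inline GA is blocked
  ["connect-src", SITE + "/api"],                            // true: falls back to default-src 'self'
  ["img-src", SITE + "/logo.png"],                           // false: img-src is set without 'self'
];
for (const [directive, url] of CHECKS) {
  console.log(directive, url === null ? "(inline)" : url, isAllowed(FINAL, directive, url, SITE));
}
```

The last check is the one worth running against your own policy: the moment you add a directive to allow a third-party host, every first-party load of that type needs 'self' spelled out again.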
Cookies
If your site sets cookies, make sure they carry the Secure and HttpOnly flags. Secure keeps the cookie off plain HTTP connections, and HttpOnly keeps it out of reach of document.cookie, so a script injected through XSS cannot read a session cookie.
Ref: OWASP HttpOnly & OWASP Secure Flag
Cross-Origin Resource Sharing (CORS)
If your site implements CORS, use an allowlist: compare the request's Origin header against an exact list of the few origins that genuinely need cross-origin access, and return Access-Control-Allow-Origin only for those. Don't reflect whatever Origin arrives, don't use a suffix or substring match on the host name, and never combine * with Access-Control-Allow-Credentials: true (browsers reject that combination anyway).
HTTP Public Key Pinning (HPKP)
HPKP tells the browser to accept, for max-age seconds, only certificate chains that contain one of the pinned public keys. A pin that doesn't match the next certificate you deploy locks visitors out until the pin expires, so it needs a backup key pin and a short max-age, and since Chrome and Firefox have both dropped HPKP support, it is not worth deploying today.
Ref: Mozilla Public Key Pinning
Final Rating
So after making the previously mentioned tweaks, my site now gets an A+ rating.


