The Security Engineer April King from Mozilla has released the Observatory Tool, a free tool for the security assessment of websites.
Mozilla has launched the ‘Observatory,’ a tool developed by the Security Engineer April King that allows administrators and developer to test their websites.
“Observatory is a simple tool that allows site operators to quickly assess not just if they are using these technologies, but also helps them identify how well they’re being used. It uses a simple grading system to provide near instant feedback on site improvements as they are made. To assist developers and administrators, Observatory also provides links to quality documentation that demonstrates how these technologies work.” King wrote in a blog post.
“You may not have heard of many of them, and that’s because their documentation is spread across thousands of articles, hundreds of websites, and dozens of specifications,”
Mozilla has also published the source code of the Observatory tool on GitHub.
The tool performs the following tests on websites:
- Content Security Policy
- Cross-origin Resource Sharing
- HTTP Public Key Pinning
- HTTP Strict Transport Security
- Subresource Integrity
Once assessed a website the Observatory tool calculates a score based on the level of implementation of the tested standards, it also provides recommendations to improve the overall security of the websites.
Mozilla has tested the Observatory assessing more than 1.3 million websites, and 91% of them failed the tests as reported in the following table.
“When nine out of 10 websites receive a failing grade, it’s clear that this is a problem for everyone.” said King.
“Observatory is currently a very developer-focused tool, and its grading is set very aggressively to promote best practices in web security. So if your site fails Observatory’s tests, don’t panic — just take a look at its recommendations and consider implementing them to make your site more secure,” King added.
Only 30 percent of websites use the HTTPS protocol and less than 7 percent rely on the other security measures tested by the tool.
King closes his blog post explaining that the results obtained from the Observatory tool might not be accurate for all websites because each site could have specific security needs.
Source | securityaffairs