security score
01-16-2021, 05:38 PM
Post: #1
security score
How to make the security score get an A on the webpagetest?
my website https://www.tedorentcar.com/
02-02-2021, 03:11 AM
Post: #2
RE: security score
If you click on the security score, you can see more info, or just read more here.

It's about setting some headers that improve the security of your site by controlling how and from where resources are loaded. You probably need to use an .htaccess file.

The exact settings depend on your setup and configuration. For example, if you want to set a Content Security Policy and you use third-party resources, you need to add those domains to your CSP. You should read more about each header before you attempt to implement them.

HTTP Strict Transport Security (HSTS)
HSTS: This is a header to only allow https connections. This ensures that no resources are loaded via the unencrypted HTTP protocol.

Content Security Policy (CSP)
CSP specifies which domains resources can be loaded from, to ensure there are no surprises. It needs to be updated any time you add a new external resource.

X-Content-Type-Options
Blocks requests of files that don't match the file type, for example requesting .CSS as anything other than a style sheet. This prevents spoofed executables/code from being executed.

X-XSS-Protection
Attempts to block ongoing cross-site scripting attacks. Only needed if no CSP is set.

X-Frame-Options
Blocks external websites from embedding your website in an iframe. This prevents clickjacking and spoofing.

I also recommend this security test: https://webbkoll.dataskydd.net/en/
02-07-2021, 09:23 PM
Post: #3
RE: security score
Hi, have you edited .htaccess before? You can easily achieve a better grade by adding lines like below. This will give you an A+ BUT make sure the settings for each line are what you want for your domain.

<IfModule mod_headers.c>
    # Values containing spaces or commas must be quoted, or Apache rejects the directive.
    Header set X-XSS-Protection "1; mode=block"
    # "set" rather than "append": append can yield "SAMEORIGIN, SAMEORIGIN", which browsers ignore.
    Header always set X-Frame-Options "SAMEORIGIN"
    Header set X-Content-Type-Options "nosniff"
    # env=HTTPS: only send HSTS on TLS responses (the HTTPS variable is set by mod_ssl).
    Header set Strict-Transport-Security "max-age=31536000" env=HTTPS
    Header set Referrer-Policy "no-referrer-when-downgrade"
    Header set Permissions-Policy "geolocation=(), midi=(), camera=(), usb=(), magnetometer=(), accelerometer=(), gyroscope=(), microphone=()"
    # This only restricts framing; a fuller CSP must list the origins your resources load from.
    Header set Content-Security-Policy "frame-ancestors 'self'"
    Header set X-Permitted-Cross-Domain-Policies "none"
    Header set Expect-CT "enforce, max-age=31536000"
</IfModule>

Hope this helps.
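After adding the .htaccess lines above, it is worth verifying what the server actually sends, since a header that is present but malformed (a duplicated X-Frame-Options value, an HSTS max-age below a year) still fails the test. The following checker is an added example, not code from the thread or from WebPageTest; the BEFORE and AFTER header sets are constructed samples, and the pass/fail rules are this example's own reading of the headers discussed in the replies.

```python
import re
from urllib.request import Request, urlopen

ONE_YEAR = 31536000  # the max-age the thread's HSTS line uses

def check_security_headers(headers):
    """Return {header: (ok, note)} for a dict of HTTP response headers."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    results = {}

    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    age = int(m.group(1)) if m else 0
    results["Strict-Transport-Security"] = (age >= ONE_YEAR, hsts or "missing")

    csp = h.get("content-security-policy", "")
    # frame-ancestors alone (as in the .htaccess reply) or a default-src policy both count
    results["Content-Security-Policy"] = (("frame-ancestors" in csp) or ("default-src" in csp), csp or "missing")

    xcto = h.get("x-content-type-options", "")
    results["X-Content-Type-Options"] = (xcto.lower() == "nosniff", xcto or "missing")

    xfo = h.get("x-frame-options", "")
    # "SAMEORIGIN, SAMEORIGIN" (what "Header append" can produce) is not a valid value and is ignored
    results["X-Frame-Options"] = (xfo.upper() in ("DENY", "SAMEORIGIN"), xfo or "missing")

    for name in ("Referrer-Policy", "Permissions-Policy", "X-Permitted-Cross-Domain-Policies"):
        val = h.get(name.lower(), "")
        results[name] = (bool(val), val or "missing")
    return results

def grade(headers):
    """(passed, total): every check passing corresponds to the top grade."""
    r = check_security_headers(headers)
    return sum(ok for ok, _ in r.values()), len(r)

def fetch_headers(url):
    """Fetch response headers from a live site (needs network; not used by the sample run)."""
    with urlopen(Request(url, method="HEAD")) as resp:
        return dict(resp.headers)

# Constructed samples: a site before the change (with the duplicated-value mistake) and after it.
BEFORE = {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN, SAMEORIGIN"}
AFTER = {"Content-Type": "text/html", "Strict-Transport-Security": "max-age=31536000",
         "Content-Security-Policy": "frame-ancestors 'self'", "X-Content-Type-Options": "nosniff",
         "X-Frame-Options": "SAMEORIGIN", "Referrer-Policy": "no-referrer-when-downgrade",
         "Permissions-Policy": "geolocation=(), camera=()", "X-Permitted-Cross-Domain-Policies": "none"}

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(label, "%d/%d checks pass" % grade(hdrs))
        for name, (ok, note) in check_security_headers(hdrs).items():
            print("  ", "OK  " if ok else "FAIL", name + ":", note)
```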