Security headers on Wilders

Discussion in 'General Topics' started by BoerenkoolMetWorst, Jan 13, 2016.

  1. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Frankly, I've never even heard of most of those things its testing. And, I just tested a lot of other sites and they all got an E. DSLR, XenForo's own home site, Eset's forum (well, that was an F). So, I don't know what this is doing, but, I'm not going to worry about it at this point if everyone is "failing".
     
  3. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Okay, now I know this is off. https://centminmod.com/ also got an E. That is eva2000's site. He's one of the foremost webserver guys out there. He pretty much wrote the book on webserver tech.
     
  4. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    Hmm. Facebook and Twitter for example both score an A.
     
  5. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    Well, I'd expect mega corps to have servers and networks on the leading edge. Those of us with small, single boxes that we configure on our own, have a lot less technology at our finger tips. I've checked a lot of other sites our size and they all are E or F.
     
  6. Krusty

    Krusty Registered Member

    Joined:
    Feb 3, 2012
    Posts:
    2,872
    Location:
    Australia
  7. chrcol

    chrcol Registered Member

    Joined:
    Apr 19, 2006
    Posts:
    755
    Location:
    UK
    My domains get A+, security is always a moving target so its easy to get caught out by tests like these if you stop updating config files for modern practices even for 1 year.
     
  8. Umbra

    Umbra Registered Member

    Joined:
    Feb 10, 2011
    Posts:
    2,157
    Location:
    in a remote land :)
    Malwaretips.com got D, we use Xenforo as well.
     
  9. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    I wouldn't worry too much. Most of these are optional extras as listed on ssllabs, where wilders scores an A (when ignoring trust).
     
  10. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    I was under the impression it is just a software configuration. And sometimes especially the bigger corps are hesitant to roll that out because lots more users will be impacted if something goes awry.

    Only 2 of them are listed on SSLLabs because they SSL/TLS related. The others aren't, see for example when you test Wilders on HTTP:
    https://securityheaders.io/?q=https://www.wilderssecurity.com/
    EDIT: Somehow the link in my post automatically changes the test url to HTTPS :S
     
  11. Brosephine

    Brosephine Registered Member

    Joined:
    Dec 4, 2015
    Posts:
    143
    Location:
    lo·ca·tion (noun) "a particular place or position"
    @BoerenkoolMetWorst @funkydude @LowWaterMark
    I'm glad I found this thread because I've been really confused about my connection here!

    I just scanned this site at securityheaders.com as well. The HTTP version received an A+ and HTTPS got a B.

    So what's the solution? Simply go to HTTPS of the site and create and exception or just surf the HTTP version??
     
  12. funkydude

    funkydude Registered Member

    Joined:
    Apr 5, 2004
    Posts:
    6,852
    Uhm, whichever you want? It doesn't matter what a website scores, it's still more secure using HTTPS than it is HTTP. A website scoring a low HTTPS score doesn't mean "you should avoid this and use HTTP instead". It means that the website has room for improvement. HTTPS will always be better than HTTP no matter what artificial grade or number someone applies to it.
     
  13. BoerenkoolMetWorst

    BoerenkoolMetWorst Registered Member

    Joined:
    Dec 22, 2009
    Posts:
    3,764
    Location:
    Outer space
    Nice to see the site now supports most of the tested for features :)

    @Brosephine
    If you look at the results on Securityheaders, the HTTPS version supports all the same features the HTTP version supports, meaning it is just as secure(even more obviously because your traffic is encrypted on HTTPS.) The reason the grade is lower, is that Securityheaders checks for 2 additional features on HTTPS sites that are related to HTTPS and so it would make no sense to test for them as well on HTTP sites.
     
  14. Brosephine

    Brosephine Registered Member

    Joined:
    Dec 4, 2015
    Posts:
    143
    Location:
    lo·ca·tion (noun) "a particular place or position"
    Okay so HTTPS. Thanks.
    Oh I see what you mean. I'm new to all this and am trying to understand it all. Thaks
     
Loading...