Mozilla Launches Free Website Security Testing Service

Mozilla security engineer April King released a project called Observatory, a free website security scanning utility, similar to SSL Labs and High-Tech Bridge's scanning service.

The service, working on top of a Python codebase made available on GitHub, has been under development for months and was approved for a public launch only yesterday.

Observatory is aimed at developers, system administrators, and security professionals that want to configure sites to use modern security protocols.

Service uses A to F scores to grade website security

Observatory scans for the presence of basic security features and then gives out a grade from 0 to 130, which is then converted into an A to F score.

In its current form, the service scans for the following: [1] Content Security Policy (CSP) status, [2] cookie files using Secure flag, [3] Cross-Origin Resource Sharing (CORS) status, [4] HTTP Public Key Pinning (HPKP) status, [5] HTTP Strict Transport Security (HSTS) status, [6] the presence of an automatic redirection from HTTP to HTTPS, [7] Subresource Integrity (SRI) status, [8] X-Content-Type-Options status, [9] X-Frame-Options (XFO) status, and [10] X-XSS-Protection status.

All basic security recommendations, albeit extremely hard to implement, a reason why many websites still don't use them.

Over 91% of current websites fail Observatory's tests

According to King, who performed automatic scans of over 1.3 million websites, over 91 percent of modern-day websites fail Observatory's tests.

"When nine out of 10 websites receive a failing grade, it’s clear that this is a problem for everyone. And by “everyone”, I’m including Mozilla — among our thousands of sites, a great deal of them fail to pass," King wrote yesterday, revealing that Observatory was developed to help Mozilla tests their own domains first.