Skip to main content

Security

The importance of security should be straightforward, it is meant to keep you safe from cyberattacks. This report is the place where you can improve in order to keep your page as secure as possible.

tip

See how Wattspeed checks your security and why it is so important.

JS Vulnerabilities

Some JavaScript libraries can contain vulnerabilities and depending on the version you’re using, the vulnerabilities may have been patched or others may have been introduced along the way. Certainly, there are many websites out there which use popular frontend libraries known to be vulnerable to XSS, prototype pollution, command injection, etc. These vulnerabilities can alter the website and even disclose sensitive information to attackers. You will see a green checkmark next to the vulnerability section if no vulnerabilities have been detected, or a table listing the affected libraries. To display additional information, click on the library name or expand the listing for quick reference. Mitigations usually include updating to a newer version, if possible, or replacing the affected library entirely.

Vulnerabilities in Wattspeed

Response Headers

HTTP headers strengthen a website's security. They help prevent cross-scripting attacks and other threats.

Response Headers in Wattspeed

Security headers can prevent or restrict what the browser is allowed to do. Limiting browser functionality is not meant to restrict your application, but rather make sure the content is loaded only from intended sources and that overall the application performs the way it was supposed to.

  • Strict-Transport-Security: HSTS header forces browsers to access the website through HTTPS.
  • Content-Security-Policy: CSP header defines allowed sources by content type (e.g. text, images), helping against certain types of attacks, like Cross-Site Scripting (XSS) and data injection attacks.
  • X-Frame-Options: XFO header indicates whether the website allows the browser to render its pages in a frame. Blocking framing avoids clickjacking attacks. The frame-ancestors directive defined in Content-Security-Policy obsoletes this header for supporting browsers.
  • X-Content-Type-Options: Server uses this marker to specify that the MIME types used in the Content-Type headers should be respected and not be changed to avoid MIME type sniffing.
  • Referrer-Policy:controls which referrer information should be included with the requests.
  • Permissions-Policy: has the ability to allow or block browser features and APIs (e.g. access the camera, Geolocation).

How we calculate your security headers score

Security scans for a list of 6 response headers, and it checks whether a certain header was sent by the server. Points are rewarded based on the severity of the headers which are set, except for the Strict-Transport-Security header, which is excluded over an HTTP connection.

The highest grade you can get is an A+ and the lowest is an F.

  • A+ for a score equal to or higher than 100
  • A for a score equal to or higher than 75
  • B for a score equal to or higher than 60
  • C for a score equal to or higher than 50
  • D for a score equal to or higher than 20
  • E for a score equal to or higher than 10
  • F for a score equal to or higher than 0

Security headers are scored as follows:

  • Strict-Transport-Security adds 25 points
  • Content-Security-Policy adds 25 points
  • X-Frame-Options adds 20 points
  • X-Content-Type-Options adds 10 points
  • Referrer-Policy adds 10 points
  • Permissions-Policy adds 10 points

SSL

Information about the certificate chain and validity.

SSL in Wattspeed

Testing SSL involves a series of checks, where the main targeted aspects are the certificate chain and server configuration (protocols & ciphers).

How do we score a website's SSL scan?

The standard grading is from A+ to F, however there is an additional grade (T) when a certificate is not trusted. Certificates act as a proof of identity for a server and are used to confirm whether communication endpoints are really who they say they are. Failing to do so can render the whole security of the connection vulnerable (man-in-the-middle attack), regardless of having a good server configuration or not.

Grades are awarded as follows: A+ for a score equal to or higher than 95 A for a score equal to or higher than 80 B for a score equal to or higher than 65 C for a score equal to or higher than 50 D for a score equal to or higher than 35 E for a score equal to or higher than 20 F for a score equal to or higher than 0

danger

An incorrect certificate will bring the total score to 0