Mozilla observatory

In the latest Kosmos there's a link to Mozilla Observatory. Interesting!

I just tested it:

https://observatory.mozilla.org/analyze.html?host=vardagsfinans.se

I hope that “F” means “Fucking awesome!!” but I fear not. :wink:

If anyone is feeling hardcore and knows how to fix some of the issues with the .htaccess (or anything else), it would be nice.

Here is the list:

  • Content Security Policy
  • Cookies
  • Cross-origin Resource Sharing
  • HTTP Public Key Pinning
  • HTTP Strict Transport Security
  • Redirection
  • Subresource Integrity
  • X-Content-Type-Options
  • X-Frame-Options
  • X-XSS-Protection

Redirection

To contribute I can tell you how to fix this one:

# Redirect to https:// and strip a leading "www." in a single 301 (needs mod_rewrite; RewriteEngine On is only required once per .htaccess)
RewriteEngine On
# Match when the host starts with "www." OR the request did not arrive over HTTPS
RewriteCond %{HTTP_HOST} ^www\. [NC,OR]
RewriteCond %{HTTPS} off
# Capture the host without the optional "www." prefix as %1 (the last matching RewriteCond supplies %1)
RewriteCond %{HTTP_HOST} ^(?:www\.)?(.+)$ [NC]
RewriteRule ^ https://%1%{REQUEST_URI} [R=301,L,NE]

Source: https://github.com/jenstornell/kirby-htaccess-rules/blob/master/redirect-to-https-without-www.conf

Most of the failed checks relate to the website not being accessed via HTTPS, so the best thing you can do is get yourself a certificate :wink:

Also see here: OWASP Secure Headers Project | OWASP Foundation

Alright! I also have a site in production that is not yet released to the general public (but I've added a license key to it now).

It has HTTPS with Let's Encrypt.

https://observatory.mozilla.org/analyze.html?host=modehallen.se

It fails on:

  • Content Security Policy
  • HTTP Strict Transport Security
  • X-Content-Type-Options
  • X-Frame-Options
  • X-XSS-Protection

What passed:

  • Cookies
  • Cross-origin Resource Sharing
  • Redirection

Optional:

I guess there is often no reason to care about these:

  • HTTP Public Key Pinning
  • Subresource Integrity
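The five checks that still fail once a site is on HTTPS (CSP, HSTS, X-Content-Type-Options, X-Frame-Options, X-XSS-Protection) are all fixed by sending response headers, and on Apache that can be done from the same .htaccess. The block below is an added example, not code from this thread, from the linked Kirby repository, or from the getkirby.com config. It assumes Apache with mod_headers enabled and `AllowOverride` permitting `FileInfo`, a site that already works fully over https://, and a site whose scripts, styles, fonts and images are served from its own origin; the CSP in particular is a starting point that has to be adjusted per site. HPKP is deliberately left out: a wrong pin can lock visitors out of the site for the pin's lifetime, and browsers have since dropped support for it.

```apache
# Added example (not from the thread or from Kirby): response headers for the
# five Observatory checks that still fail once the site is served over HTTPS.
# Paste into the site's .htaccess. Needs mod_headers; mod_rewrite is not used.
<IfModule mod_headers.c>
    # HSTS: browsers will refuse plain http:// to this host for max-age seconds,
    # so only enable it once every page and asset loads over https://. Start
    # with a short max-age to be able to back out, then raise it; the
    # Observatory wants at least six months (15768000 seconds) for a pass.
    Header always set Strict-Transport-Security "max-age=300"
    # Once confident, replace the line above with:
    # Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains"

    # Stop browsers from MIME-sniffing a response into a different type
    # (e.g. treating an uploaded file as HTML or JavaScript).
    Header always set X-Content-Type-Options "nosniff"

    # Clickjacking: forbid other sites from framing this one. Use SAMEORIGIN
    # instead of DENY if the site frames its own pages.
    Header always set X-Frame-Options "DENY"

    # Legacy XSS filter header for old browsers; current browsers ignore it and
    # rely on CSP instead. "1; mode=block" is the value the Observatory checks
    # for; if you do not need the grade, "0" (filter off) is today's
    # recommendation because the old filters could themselves be abused.
    Header always set X-XSS-Protection "1; mode=block"

    # Content Security Policy. This is the one that must be tailored: the
    # policy below assumes all scripts, styles, fonts and images come from the
    # site's own origin and that some inline CSS exists ('unsafe-inline' on
    # style-src costs a few points but keeps inline styles working).
    # 'frame-ancestors' duplicates X-Frame-Options for modern browsers,
    # 'object-src none' blocks plugins, 'base-uri' and 'form-action' stop
    # injected markup from redirecting relative URLs or form posts elsewhere.
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; object-src 'none'; frame-ancestors 'none'; base-uri 'self'; form-action 'self'"

    # To roll the policy out without breaking anything, first ship it as
    # Content-Security-Policy-Report-Only (same value) and watch the browser
    # console for violations, then switch to the enforcing header above.
    # Header always set Content-Security-Policy-Report-Only "default-src 'self'; ..."
</IfModule>
```

After uploading, verify the headers with `curl -sI https://example.com/` (hypothetical host) before re-running the Observatory: a missing `Strict-Transport-Security` line there usually means mod_headers is not loaded or `AllowOverride` does not include `FileInfo`, in which case the directives are silently ignored. Admin interfaces such as the Kirby panel often need a looser policy than the public pages, so test those pages under the CSP too, or scope the strict policy to the public site.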

See the getkirby.com website for an example: https://github.com/getkirby/getkirby.com/blob/master/site/config/config.getkirby.com.php

https://observatory.mozilla.org/analyze.html?host=getkirby.com


That’s a great simple reference. Thanks! :slight_smile: