security score

tedo · January 16, 2021, 7:38am

how to make the security score get an A on the webpagetest
my website https://www.tedorentcar.com/

OlleN · February 1, 2021, 5:11pm

If you click on the security score, you can see more info, or just read more here.

It’s about setting some headers that improve the security of your site by controlling how and from where resources are loaded. You probably need to use a htaccess file.

The exact settings depend on your setup and configuration. For example, if you want to set a Content Security Policy and you use third-party resources, you need to add those domains to your CSP. You should read more about each header before you attempt to implement them.

HTTP Strict Transport Security (HSTS)
HSTS: This is a header to only allow https connections. This ensures that no resources are loaded via the unencrypted HTTP protocol.

Content Security Policy (CSP)
CSP specifies which domains resources can be loaded from, to ensure there are no surprises. It needs to be updated any time you add a new external resource.

X-Content-Type-Options
Blocks requests of files that don’t match the file type, for example requesting .CSS as anything other than a style sheet. This prevents spoofed executables/code from being executed.

X-XSS-Protection
Attempts to block ongoing cross-site scripting attacks. Only needed if no CSP is set.

X-Frame-Options
Blocks external websites from embedding your website in an iframe. This prevents clickjacking and spoofing.

I also recommend this security test: Analyze | Webbkoll - dataskydd.net

TamarSolutions · February 7, 2021, 11:23am

Hi, Have you edited .htaccess before? You can easily achieve a better grade by adding lines like below. This will give you an A+ BUT make sure the settings for each line are what you want for your domain.

Header set X-XSS-Protection “1; mode=block”
Header always append X-Frame-Options SAMEORIGIN
Header set X-Content-Type-Options nosniff
Header set Strict-Transport-Security “max-age=31536000” env=HTTPS
Header set Referrer-Policy “no-referrer-when-downgrade”
Header set Permissions-Policy geolocation=(), midi=(), camera=(), usb=(), magnetometer=(), accelerometer=(), gyroscope=(), microphone=()
Header set Content-Security-Policy frame-ancestors ‘self’
Header set X-Permitted-Cross-Domain-Policies “none”
Header set Expect-CT enforce, max-age=31536000

Hope this helps.

RAMON_COLE · April 19, 2021, 4:01pm

Hi,

Joined up on here purely to thank @TamarSolutions for their .htaccess edit mentioned above.

Never been a fan of the perpetual ‘F’ in the security settings, and the .htaccess edit above indeed turns the ‘F’ into an ‘A+’.

Topic		Replies	Views
Security score is F but I have ssl Support	3	471	August 13, 2021
Security Score help! Discuss Test Results	1	247	May 14, 2020
Security Score General Discussion	3	197	October 1, 2020
Firefox, SSL/HTTP2 and add/setHeader scripting issue Support	2	120	October 11, 2016
Unexpected results testing https site Discuss Test Results	3	113	March 16, 2011

security score

Related Topics