Security Checks

Ensure that your site is following best practices.

Basic Security

Don't load resources from hosts with known phishing or malware

Servers that host malware or known phishing sites are likely to be compromised or be run by malicious actors. Resources from these hosts should never be loaded as they may contain payloads or malware designed to target users of your website.

Don't expose risky services

Risky services are those that have a high potential for misuse or targeting by malicious actors. These can include management consoles, remote desktop / remote administration applications, and other services and applications that perform privileged tasks. Exposing these services to the internet greatly increases the likelihood of a breach. Consider disabling these services if they are not needed, or moving them behind a Virtual Private Network (VPN) where they can only be accessed by authorized users of the network.

Don't host malware or phishing content

It is important to remove malware or phishing content and take steps to prevent users from uploading it to a website. This content may be intended to target users of your site or others. By hosting malware and phishing content, the site may be blacklisted by Google and others and result in the site being delisted or banned from these services.

Don't use obsolete technologies

Obsolete technologies are those that are no longer supported by a vendor or contain critical vulnerabilities. Running these technologies puts you at serious risk of compromise.


Transmit Data Securely

Use a valid SSL certificate

A valid SSL certificate ensures that traffic between the site and the user is secure and can be trusted. If the certificate is not valid, users will not be able to determine whether they are communicating with the legitimate website or one that is controlled by a malicious actor.

Don't use any bad ciphers

Bad or weak SSL ciphers and protocol versions are vulnerable to a number of attacks that can degrade or bypass the protection they’re intended to provide. This could ultimately result in malicious actors being able to intercept secure traffic between a user and the website. It is recommended to disable the use of all bad/weak SSL ciphers and protocol versions.

Load all scripts via HTTPS

All third-party JavaScript assets that are loaded should be requested securely via HTTPS. The HTTP protocol transmits information in plaintext and can be tampered with by malicious actors. Loading scripts over HTTPS prevents a Man-in-the-Middle (MITM) attack in which an attacker modifies the JavaScript in transit and replaces it with a malicious payload designed to target users of the website.

Send form submissions over HTTPS

Form submissions often include sensitive account details, payment card information, and PII that should remain protected during transmission. Form submissions that take place over the HTTP protocol are unencrypted and transmitted in plaintext. Ensuring that all form submissions take place over HTTPS prevents malicious actors from intercepting the information during transmission.

Don't send sensitive information via GET method

Sensitive information provided via the GET method is not considered secure because it may be stored or transmitted in a number of ways. These may include web/server logs, the Referer header, browser history/cache, and more. Sensitive information such as usernames, passwords, tokens, keys, and payment card details should only be transmitted via secure POST forms over HTTPS.
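
The three page-level checks above (scripts over plain HTTP, forms that submit over HTTP, and sensitive fields sent with GET) can be found statically in the HTML. The following Python script is an added example, not part of the original checklist or any scanner's code; it walks a page with the standard-library HTML parser, resolves each URL against the page URL the way a browser would, and reports one finding per violation. The sample page and the list of field names treated as sensitive are constructed for the demonstration.

```python
"""Static checks for the 'Transmit Data Securely' items: scripts loaded over
plain HTTP, forms submitted over HTTP, and sensitive fields sent via GET.
Added example (not part of the original checklist); the sample page below is
constructed for the demonstration."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field names treated as sensitive; the list is an assumption for this demo.
SENSITIVE_FIELDS = {"password", "passwd", "token", "card", "cardnumber", "cvv", "ssn"}


class TransportAuditor(HTMLParser):
    """Collects (check, detail) findings while walking the document."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []
        self._form = None          # attributes of the <form> we are inside
        self._form_fields = []

    def _scheme(self, url):
        # Resolve relative URLs against the page so "/login" or
        # "//cdn.example.test/x.js" inherits the page's scheme, as a browser would.
        return urlsplit(urljoin(self.page_url, url)).scheme

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            if self._scheme(a["src"]) == "http":
                self.findings.append(("script-over-http", a["src"]))
        elif tag == "form":
            self._form = a
            self._form_fields = []
        elif tag == "input" and self._form is not None:
            self._form_fields.append(
                ((a.get("type") or "text").lower(), (a.get("name") or "").lower()))

    def handle_endtag(self, tag):
        if tag == "form" and self._form is not None:
            # A missing action submits to the page URL itself.
            action = self._form.get("action") or self.page_url
            method = (self._form.get("method") or "get").lower()
            if self._scheme(action) == "http":
                self.findings.append(("form-over-http", action))
            sensitive = [n for t, n in self._form_fields
                         if t == "password" or n in SENSITIVE_FIELDS]
            if method == "get" and sensitive:
                self.findings.append(("sensitive-via-get", ",".join(sensitive)))
            self._form = None


def audit_html(page_url, html):
    """Return the list of (check, detail) findings for one page."""
    parser = TransportAuditor(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one violation of each kind plus a clean form.
SAMPLE_PAGE = """
<html><body>
<script src="https://cdn.example.test/ok.js"></script>
<script src="http://cdn.example.test/insecure.js"></script>
<form action="http://legacy.example.test/login" method="post">
  <input name="user"><input type="password" name="password">
</form>
<form action="/search" method="get">
  <input name="q"><input name="token">
</form>
<form action="/pay" method="post">
  <input name="cardnumber"><input name="cvv">
</form>
</body></html>
"""

if __name__ == "__main__":
    for check, detail in audit_html("https://www.example.test/", SAMPLE_PAGE):
        print(f"{check}: {detail}")
```

Run against the sample page this reports the insecure script, the login form posting to an http:// action, and the search form that sends a token field with GET; the payment form passes because it posts to a relative action that inherits the page's https scheme.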


Use HTTP Security Headers

Use a content-security-policy HTTP header

The HTTP Content-Security-Policy response header allows website administrators to control which resources the user agent is allowed to load for a given page. With a few exceptions, policies mostly involve specifying server origins and script endpoints. This helps guard against cross-site scripting (XSS) attacks.

Use an x-content-type-options HTTP header

The X-Content-Type-Options header helps protect users of a website from MIME sniffing vulnerabilities. These vulnerabilities occur on sites where malicious users are able to upload files that are disguised as another file type. Enabling this secure response header prevents the user's browser from making a guess as to what type of file they are requesting, and instead relies on the server to provide the Content-Type.

Use a x-frame-options HTTP header

The X-Frame-Options header informs the web browser how it is allowed to render the page that is being requested. This prevents Clickjacking vulnerabilities, where a malicious actor crafts a web page that redirects mouse clicks and keystrokes in a way that allows them to capture sensitive information or perform unauthorized actions on behalf of the user.

Use a referrer-policy HTTP header

The Referrer-Policy header controls what information is sent in the Referer header when connecting to third-party sites. The Referer header contains URL information about the last page a user was on before clicking a link. Lack of a Referrer-Policy could result in sensitive personal or account information being transmitted through GET requests.

Use a permissions-policy HTTP header

The HTTP Permissions-Policy header provides a mechanism to allow and deny the use of browser features in its own frame, and in content within any <iframe> elements in the document.
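
The five header checks in this section can be verified from a single response. The Python below is an added example, not code from the original checklist or any scanner; it takes a header map (such as the one a browser or an HTTP client returns) and reports, per check, whether it passed and why. The pass criteria beyond "header present" are assumptions chosen for the demo: a CSP whose script sources include 'unsafe-inline' or * is treated as weak, X-Frame-Options must be DENY or SAMEORIGIN (the only values browsers honour), and a Referrer-Policy of unsafe-url or no-referrer-when-downgrade is treated as leaking the full URL. Both header sets are constructed.

```python
"""Checks a server's response headers against the 'Use HTTP Security Headers'
items. Added example, not part of the original checklist; the two header sets
below are constructed and the value-level pass criteria are my assumptions."""

# Referrer-Policy values that still send the full URL to third parties.
LEAKY_REFERRER = {"unsafe-url", "no-referrer-when-downgrade", ""}


def _get(headers, name):
    """Case-insensitive header lookup; returns None when the header is absent."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v.strip()
    return None


def audit_security_headers(headers):
    """Return a dict mapping each check name to (passed, reason)."""
    results = {}

    csp = _get(headers, "Content-Security-Policy")
    if csp is None:
        results["content-security-policy"] = (False, "header missing")
    else:
        # Parse "directive source source; directive ..." into a dict, then look
        # at script-src, falling back to default-src as the browser does.
        directives = {}
        for directive in csp.split(";"):
            parts = directive.split()
            if parts:
                directives[parts[0].lower()] = parts[1:]
        script = directives.get("script-src", directives.get("default-src", []))
        weak = {"'unsafe-inline'", "*"} & set(script)
        results["content-security-policy"] = (
            not weak, f"script sources allow {sorted(weak)}" if weak else "ok")

    xcto = _get(headers, "X-Content-Type-Options")
    ok = xcto is not None and xcto.lower() == "nosniff"
    results["x-content-type-options"] = (
        ok, "ok" if ok else f"value is {xcto!r}, expected 'nosniff'")

    xfo = _get(headers, "X-Frame-Options")
    ok = xfo is not None and xfo.upper() in {"DENY", "SAMEORIGIN"}
    results["x-frame-options"] = (
        ok, "ok" if ok else f"value is {xfo!r}, expected DENY or SAMEORIGIN")

    rp = _get(headers, "Referrer-Policy")
    ok = rp is not None and rp.lower() not in LEAKY_REFERRER
    results["referrer-policy"] = (
        ok, "ok" if ok else f"value is {rp!r}, which leaks the full URL")

    pp = _get(headers, "Permissions-Policy")
    results["permissions-policy"] = (pp is not None, "ok" if pp else "header missing")
    return results


def failing_checks(headers):
    """Sorted names of the checks that did not pass, for a quick summary."""
    return sorted(k for k, (ok, _) in audit_security_headers(headers).items() if not ok)


# Constructed responses: a weak configuration and its corrected form.
WEAK_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "ALLOWALL",      # nonstandard value; browsers ignore it
    "Referrer-Policy": "unsafe-url",
}

HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.test",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        for check, (ok, reason) in audit_security_headers(hdrs).items():
            print(f"{label:8s} {check:24s} {'PASS' if ok else 'FAIL'}  {reason}")
```

The weak set fails all five checks (inline scripts allowed, no nosniff, an unrecognised X-Frame-Options value, a leaking referrer policy, and no Permissions-Policy); the hardened set passes all of them. Feeding the function a real response's headers, for example the `headers` attribute of a `requests` or `urllib` response converted to a dict, turns it into a quick self-check for a site.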
