OT: Am I just having a very bad week or is this profession practically becoming impossible to work within?

First of all Os, 'cheers' enjoy the beer, (it's the only answer I have found that works ).

The entire set-up of web development has now reached 'joke' proportions for the small development team, or developer working alone.

pziecina  wrote First of all Os, 'cheers' enjoy the beer, (it's the only answer I have found that works ). The entire set-up of web development has now reached 'joke' proportions for the small development team, or developer working alone.

Problem is clients now think you are an expert in everything, not just producing webpages, which in itself is an expert discipline, done corrcetly. This stuff is server set up related, nothing that I know anything about. I just told them to employ a server expert to produce a report and configure their server stuff at a cost of probably many hundreds of pounds, not heard anything since.....as soon as they think something is going to cost something they gernerally go away, in my experience.

Im just a bit fed up with dealing with dumb people. If they had taken the trouble and effort to test as many sites as I did they probably would have got the message, more fail than pass.

pziecina  wrote Just though you would like to know - adobe.com gets a 'D'. w3.org gets a 'F'. amazon, (both uk and us) gets a 'D'. and all the other major sites I checked, none get higher than a 'D'.

Exactly, I too checked adobe and some others. How big a security issue can it be if the biggest players on the planet fail the test mostly or completley.

And those that pass with flying colors its probably not by design either its just probably the default settings on the server they are housed on.

Rant over!

Another item you could point out is that the x-frame meta tag used to 'break out of frames', is invalid code.

Reading the items the site flags as a problem, it is probably more to do with the sites owner/company trying to justify what they do. After all if they said everything was not essential they would get no clients.

Most of what they flag as a problem, would only be a problem if it was on the back-end of a secure section of a site. But as they cannot check that, they have opted for the everything is a problem approach.

pziecina  wrote Another item you could point out is that the x-frame meta tag used to 'break out of frames', is invalid code. Reading the items the site flags as a problem, it is probably more to do with the sites owner/company trying to justify what they do. After all if they said everything was not essential they would get no clients.

Thats really how it comes across to me to be honest. Sponsored by a security site which doesnt meet all the requirements of his own checker, you'd think the bloke would have at least checked his sponsor adhered to what he is suggestion. It amazes me how people can be found out all too easy. I guess money really does speak louder than words.

pziecina  wrote Most of what they flag as a problem, would only be a problem if it was on the back-end of a secure section of a site. But as they cannot check that, they have opted for the everything is a problem approach.

To be honest I dont understand any of it. I just know that when I do my research and that research shows by far the majority of websites fail it cant be viewed as much of an issue.

It is not too hard to set the rules in .htaccess as can be verified by

The Referrer-Policy is fairly new, I'll dive into that when I get the time

BenPleysier  wrote It is not too hard to set the rules in .htaccess as can be verified by The Referrer-Policy is fairly new, I'll dive into that when I get the time

Really, I didnt read any information about using htaccess to set anything when linked to the suggestions being made. I was looking as simple way to deploy the suggestions. It came across to me as this would be something necessary to be executed on the server setting itself.

Any chance of sharing the bits in the htaccess file that are getting you four passes?

Ok Ive found a ton of information by Googling now about using the htaccess file to accomplish this. It seems reasonably easy to implement at least some of the suggestions. I might give it a go at some point.

Not sure why the guy who's checker it is was making it sound beyond my capabilites......probably can make a guess though. I had zero idea what he was speaking about whereas if you Google the subject its as clear as crystal....copy this script and paste.

So why do so many websites just not include this extra level of security as there are even meta tags, not that I've even come across them before, that can be used as well.........hummm

osgood_  wrote Any chance of sharing the bits in the htaccess file that are getting you four passes?

Have a look at html5-boilerplate/.htaccess at master · h5bp/html5-boilerplate · GitHub starting at line 421

• line 423 Clickjacking
• line 473 CSP
• line 569 HSTS
• line 638 XSS

Oops, page refused to render, had to undo the changes.

BenPleysier  wrote Oops, page refused to render, had to undo the changes.

No worries your post has given me some options by Googling the subject using htaccess, thanks.

Can I ask why you implemented them as your website seems in the minority of websites that has?

How important are they to include really?

Os

The major sites probably do not implement them due to the amount of traffic they have. Every htaccess rule that must be checked takes up server response time, which for a small site will not matter, but for a site getting millions of hits per day, the response time will become noticeably slower.

Plus don't forget, a 'denial of service' attack relies on slowing server response time, so the fewer headers one has, the bigger the chances are of such an attack failing, (or being caught by the server admin).

It's stupid though, when my page did not render when I applied the CSP, I could still see the code and use F12 to find the problem.

I have to agree (for the moment, mainly because of my lack of knowledge regarding the subject) that  it is pointless to add the headers in an .htaccess file. If this is such an issue, it would make more sense if the host manipulated the config file.

BenPleysier  wrote I have to agree (for the moment, mainly because of my lack of knowledge regarding the subject) that  it is pointless to add the headers in an .htaccess file. If this is such an issue, it would make more sense if the host manipulated the config file.

Agreed, (not about your lack of knowledge though ).

I can see the sense in checking these things for a secure back-end, but for the section of a site open to everyone I think it is probably overkill.

pziecina  wrote The major sites probably do not implement them due to the amount of traffic they have. Every htaccess rule that must be checked takes up server response time, which for a small site will not matter, but for a site getting millions of hits per day, the response time will become noticeably slower. Plus don't forget, a 'denial of service' attack relies on slowing server response time, so the fewer headers one has, the bigger the chances are of such an attack failing, (or being caught by the server admin).

Ok, that makes sense............I'll go with the majority of sites I've tested so far, which don't seem to think they are too important to include. Obviously its good if you can get everything perfect but there are other aspect to consider if its likely to cause some kind of disruption to a previously working website.

I must thank you for bringing the subject up, before now, I had not used the security headers despite them being commented out in my .htaccess file.

I am still having an issue with CSP (Content-Security-Policy) because it considers inline code to be harmful. It's getting on to 02:15 am and will leave it while I have a nap.

BenPleysier  wrote I am still having an issue with CSP (Content-Security-Policy) because it considers inline code to be harmful. It's getting on to 02:15 am and will leave it while I have a nap.

I think that was an issue I had when reading the guys suggestions about each security header - you needed to be mindful of what coding you're using. I can't be sure that there is no inline coding at all through-out the site because I do deploy it ocassionally where only the one or two elements need it rather than write a css selector.

I might just keep these security headers in mind rather than deploy any for the time being. At least I now know some more information about them if the question pops up again.

I think for the kind of sites I produce they can probably survive without them.

Os

The best solution to everything is to use https, and not http.

The referer policy looks like it may be open to debate though, as the 'red' section of the MDN page shows -

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer

pziecina  wrote adobe.com gets a 'D'. w3.org gets a 'F'. amazon, (both uk and us) gets a 'D'. and all the other major sites I checked, none get higher than a 'D'.

+ including government sites, global credit card companies and banks.

https://forums.adobe.com/people/Nancy+OShea  wrote Yes,  the web is getting ridiculous as are the clients we must work with. Thanks to Peru Bob for posting this amusing little video entitled The Expert. The Expert (Short Comedy Sketch) - YouTube

Brilliant! A lot like the meeting I was in a couple of weeks ago. I nearly announced my retirement right there and then, believe me!