OT: Am I just having a very bad week or is this profession practically becoming impossible to work within?

LEGEND ,
Apr 19, 2018

I've just had a client test their website on this bit of kit:

https://securityheaders.io/

and they are not happy at the missing headers.

I ran a test on 50 other sites, some within their specific discipline, and 45 out of 50 exhibit the exact same missing header information.

The only websites where some of the suggestions are implemented are big banks, and Google adheres to a couple.

WTF is going on these days?

Os

LEGEND ,
Apr 19, 2018

LOL, what's even more of a joke: the company that sponsors that bit of kit, Sophos, fails 2 of the tests!

OK, I'm going back into the garden to soak up the sunshine; I can't be dealing with this crap anymore.

Os

LEGEND ,
Apr 19, 2018

First of all Os, 'cheers', enjoy the beer (it's the only answer I have found that works).

The entire set-up of web development has now reached 'joke' proportions for the small development team, or developer working alone.

LEGEND ,
Apr 19, 2018

pziecina wrote:

First of all Os, 'cheers', enjoy the beer (it's the only answer I have found that works).

The entire set-up of web development has now reached 'joke' proportions for the small development team, or developer working alone.

Problem is clients now think you are an expert in everything, not just producing webpages, which in itself is an expert discipline, done correctly. This stuff is server set-up related, nothing that I know anything about. I just told them to employ a server expert to produce a report and configure their server stuff at a cost of probably many hundreds of pounds; not heard anything since..... as soon as they think something is going to cost something they generally go away, in my experience.

I'm just a bit fed up with dealing with dumb people. If they had taken the trouble and effort to test as many sites as I did they probably would have got the message: more fail than pass.

LEGEND ,
Apr 19, 2018

Just thought you would like to know -

adobe.com gets a 'D'.

w3.org gets an 'F'.

amazon (both UK and US) gets a 'D'.

and all the other major sites I checked, none get higher than a 'D'.

LEGEND ,
Apr 19, 2018

pziecina wrote:

Just thought you would like to know -

adobe.com gets a 'D'.

w3.org gets an 'F'.

amazon (both UK and US) gets a 'D'.

and all the other major sites I checked, none get higher than a 'D'.

Exactly, I too checked adobe and some others. How big a security issue can it be if the biggest players on the planet fail the test mostly or completely?

And those that pass with flying colors, it's probably not by design either; it's just probably the default settings on the server they are housed on.

Rant over!

LEGEND ,
Apr 19, 2018

Another item you could point out is that the x-frame meta tag used to 'break out of frames' is invalid code.

Reading the items the site flags as a problem, it is probably more to do with the site's owner/company trying to justify what they do. After all, if they said everything was not essential they would get no clients.

Most of what they flag as a problem would only be a problem if it was on the back-end of a secure section of a site. But as they cannot check that, they have opted for the 'everything is a problem' approach.

Adobe Community Professional ,
Apr 19, 2018

It is not too hard to set the rules in .htaccess as can be verified by

The Referrer-Policy is fairly new, I'll dive into that when I get the time.


Ben

LEGEND ,
Apr 19, 2018

pziecina wrote:

Another item you could point out is that the x-frame meta tag used to 'break out of frames' is invalid code.

Reading the items the site flags as a problem, it is probably more to do with the site's owner/company trying to justify what they do. After all, if they said everything was not essential they would get no clients.

That's really how it comes across to me, to be honest. Sponsored by a security site which doesn't meet all the requirements of his own checker; you'd think the bloke would have at least checked his sponsor adhered to what he is suggesting. It amazes me how people can be found out all too easily. I guess money really does speak louder than words.

pziecina wrote:

Most of what they flag as a problem would only be a problem if it was on the back-end of a secure section of a site. But as they cannot check that, they have opted for the 'everything is a problem' approach.

To be honest, I don't understand any of it. I just know that when I do my research, and that research shows by far the majority of websites fail, it can't be viewed as much of an issue.

LEGEND ,
Apr 19, 2018

BenPleysier wrote:

It is not too hard to set the rules in .htaccess as can be verified by

The Referrer-Policy is fairly new, I'll dive into that when I get the time.

Really? I didn't read any information about using .htaccess to set anything when linked to the suggestions being made. I was looking for a simple way to deploy the suggestions. It came across to me as this would be something necessary to be executed on the server settings themselves.

Any chance of sharing the bits in the htaccess file that are getting you four passes?

Adobe Community Professional ,
Apr 19, 2018

Oops, page refused to render, had to undo the changes.


Ben

LEGEND ,
Apr 19, 2018

The best solution to everything is to use https, and not http.

The referrer policy looks like it may be open to debate though, as the 'red' section of the MDN page shows -

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referer

LEGEND ,
Apr 19, 2018

OK, I've found a ton of information by Googling now about using the .htaccess file to accomplish this. It seems reasonably easy to implement at least some of the suggestions. I might give it a go at some point.

Not sure why the guy whose checker it is was making it sound beyond my capabilities...... probably can make a guess though. I had zero idea what he was speaking about, whereas if you Google the subject it's as clear as crystal.... copy this script and paste.

So why do so many websites just not include this extra level of security, as there are even meta tags (not that I've even come across them before) that can be used as well.........hummm

LEGEND ,
Apr 19, 2018

BenPleysier wrote:

Oops, page refused to render, had to undo the changes.

No worries, your post has given me some options by Googling the subject using .htaccess, thanks.

Can I ask why you implemented them, as your website seems to be in the minority of websites that have?

How important are they to include really?

Os

LEGEND ,
Apr 19, 2018

The major sites probably do not implement them due to the amount of traffic they have. Every htaccess rule that must be checked takes up server response time, which for a small site will not matter, but for a site getting millions of hits per day, the response time will become noticeably slower.

Plus don't forget, a 'denial of service' attack relies on slowing server response time, so the fewer headers one has, the bigger the chances are of such an attack failing, (or being caught by the server admin).

Adobe Community Professional ,
Apr 19, 2018

I must thank you for bringing the subject up, before now, I had not used the security headers despite them being commented out in my .htaccess file.

I am still having an issue with CSP (Content-Security-Policy) because it considers inline code to be harmful. It's getting on to 02:15 am and will leave it while I have a nap.


Ben

Adobe Community Professional ,
Apr 19, 2018

It's stupid though, when my page did not render when I applied the CSP, I could still see the code and use F12 to find the problem.

I have to agree (for the moment, mainly because of my lack of knowledge regarding the subject) that it is pointless to add the headers in an .htaccess file. If this is such an issue, it would make more sense if the host manipulated the config file.


Ben

LEGEND ,
Apr 19, 2018

BenPleysier wrote:

I have to agree (for the moment, mainly because of my lack of knowledge regarding the subject) that it is pointless to add the headers in an .htaccess file. If this is such an issue, it would make more sense if the host manipulated the config file.

Agreed, (not about your lack of knowledge though ).

I can see the sense in checking these things for a secure back-end, but for the section of a site open to everyone I think it is probably overkill.

LEGEND ,
Apr 19, 2018

BenPleysier wrote:

I am still having an issue with CSP (Content-Security-Policy) because it considers inline code to be harmful. It's getting on to 02:15 am and will leave it while I have a nap.

I think that was an issue I had when reading the guy's suggestions about each security header - you needed to be mindful of what coding you're using. I can't be sure that there is no inline coding at all throughout the site because I do deploy it occasionally where only one or two elements need it rather than write a CSS selector.

I might just keep these security headers in mind rather than deploy any for the time being. At least I now know some more information about them if the question pops up again.

I think for the kind of sites I produce they can probably survive without them.

Os
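
Added example for the CSP problem Ben and Os describe above (this is not Ben's .htaccess and not code from the page): CSP blocks inline scripts unless the policy carries 'unsafe-inline', which throws away most of the protection, or names the exact inline script by a hash of its body or by a per-response nonce. Shipping the policy under the Content-Security-Policy-Report-Only header first means a mistake is reported in the browser console instead of blanking the page. The inline snippet and all function names are constructed for this example.

```python
"""Allow a specific inline <script> under CSP without 'unsafe-inline'.

Two mechanisms are shown: a hash of the exact script body (static policy)
and a per-response nonce.  Deploy the policy as Report-Only first.
"""
import base64
import hashlib
import re
import secrets

# Constructed inline snippet standing in for a real page's inline code.
INLINE_SCRIPT = "document.getElementById('year').textContent = new Date().getFullYear();"


def csp_hash(script_body, algo="sha256"):
    """CSP source expression for an inline script body, e.g. 'sha256-<base64>'.

    The hash covers the text between <script> and </script> byte for byte,
    whitespace included, so compute it from the string the server emits.
    """
    digest = hashlib.new(algo, script_body.encode("utf-8")).digest()
    return "'%s-%s'" % (algo, base64.b64encode(digest).decode("ascii"))


def csp_nonce():
    """Unpredictable per-response nonce (128 bits, base64); never reuse one."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def build_policy(script_sources, report_only=False):
    """Return (header name, header value) allowing the given script sources."""
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    value = ("default-src 'self'; script-src 'self' %s; "
             "object-src 'none'; base-uri 'self'" % " ".join(script_sources))
    return name, value


def render_page(nonce=None):
    """Emit the page with its inline script, adding a nonce attribute when nonce-based."""
    attr = ' nonce="%s"' % nonce if nonce else ""
    return "<html><body><script%s>%s</script></body></html>" % (attr, INLINE_SCRIPT)


def inline_script_bodies(html):
    """Extract inline script bodies from the served HTML so hashes match what the browser sees."""
    bodies = re.findall(r"<script[^>]*>(.*?)</script>", html, re.S)
    return [b for b in bodies if b.strip()]   # external scripts have empty bodies


def hash_policy_for(html, report_only=True):
    """Build a hash-based policy covering every inline script in the markup."""
    return build_policy([csp_hash(b) for b in inline_script_bodies(html)], report_only)


if __name__ == "__main__":
    # Hash-based: static header, but it must be regenerated whenever the inline text changes.
    print(hash_policy_for(render_page()))
    # Nonce-based: header and markup share a fresh value on every response.
    nonce = csp_nonce()
    print(build_policy(["'nonce-%s'" % nonce]))
    print(render_page(nonce))
```

With the report-only header the page renders as before and the F12 console lists each violation the enforcing header would have blocked; switch the header name once the console is quiet. A hash breaks as soon as the inline text changes by a single byte, so for templated pages the nonce variant is easier to keep right, and a nonce that repeats across responses gives the protection away.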

LEGEND ,
Apr 19, 2018

pziecina wrote:

The major sites probably do not implement them due to the amount of traffic they have. Every htaccess rule that must be checked takes up server response time, which for a small site will not matter, but for a site getting millions of hits per day, the response time will become noticeably slower.

Plus don't forget, a 'denial of service' attack relies on slowing server response time, so the fewer headers one has, the bigger the chances are of such an attack failing, (or being caught by the server admin).

OK, that makes sense............ I'll go with the majority of sites I've tested so far, which don't seem to think they are too important to include. Obviously it's good if you can get everything perfect, but there are other aspects to consider if it's likely to cause some kind of disruption to a previously working website.

Adobe Community Professional ,
Apr 19, 2018

osgood_ wrote:

Any chance of sharing the bits in the htaccess file that are getting you four passes?

Have a look at html5-boilerplate/.htaccess at master · h5bp/html5-boilerplate · GitHub, starting at line 421:

  • line 423 Clickjacking
  • line 473 CSP
  • line 569 HSTS
  • line 638 XSS

Ben
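
Added example for the .htaccess approach Ben describes above (not Ben's file and not the html5-boilerplate text, which the thread only references by line number): a constructed .htaccess fragment carrying the header directives, a small parser for Apache `Header` lines, and a check that reports what a header scanner would see. The six header names are the ones securityheaders.io reported on at the time; the values, the verdict strings and the function names are this example's own assumptions, not the tool's output.

```python
"""Parse Apache ``Header`` directives from an .htaccess fragment and report
which of the response headers a scanner looks for would actually be sent."""
import re
import shlex

# Constructed .htaccess fragment (assumed values; adjust per site).
HTACCESS = r'''
<IfModule mod_headers.c>
    # Clickjacking: only this origin may frame the page
    Header always set X-Frame-Options "SAMEORIGIN"
    # Stop browsers sniffing a different MIME type than the one declared
    Header always set X-Content-Type-Options "nosniff"
    # Legacy XSS auditor switch; harmless, ignored by current browsers
    Header always set X-XSS-Protection "1; mode=block"
    # Send only the origin to other sites, the full URL to same-origin pages
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    # HSTS is ignored by browsers unless received over HTTPS
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    # CSP in report-only mode first, so a policy mistake cannot blank the page
    Header always set Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self'"
</IfModule>
'''

# Header [always|onsuccess] set|add|append|merge name "value"
DIRECTIVE = re.compile(
    r'^\s*Header\s+(?:(always|onsuccess)\s+)?(set|add|append|merge)\s+(.+)$', re.I)

# The response headers securityheaders.io reported on in 2018.
SCANNED = [
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Frame-Options",
    "X-Content-Type-Options",
    "X-XSS-Protection",
    "Referrer-Policy",
]


def parse_header_directives(text):
    """Map lower-cased header name -> (value, set_with_always)."""
    headers = {}
    for line in text.splitlines():
        m = DIRECTIVE.match(line)
        if not m:
            continue                      # comments, <IfModule>, other directives
        always = (m.group(1) or "").lower() == "always"
        parts = shlex.split(m.group(3))   # copes with "values containing 'self'"
        name = parts[0]
        value = parts[1] if len(parts) > 1 else ""
        headers[name.lower()] = (value, always)
    return headers


def scan(headers):
    """Verdict per scanned header, including the two caveats that bite in practice."""
    report = {}
    for name in SCANNED:
        entry = headers.get(name.lower())
        if entry is None:
            if (name == "Content-Security-Policy"
                    and "content-security-policy-report-only" in headers):
                report[name] = "report-only: not enforced, treated as missing"
            else:
                report[name] = "missing"
            continue
        value, always = entry
        if not always:
            # Without 'always' Apache adds the header to successful responses
            # only, so 404 and redirect pages go out without it.
            report[name] = "present on 2xx responses only: " + value
        else:
            report[name] = "present: " + value
    return report


def missing_headers(report):
    """Names the scanner would flag as absent."""
    return [n for n, v in report.items() if not v.startswith("present")]


if __name__ == "__main__":
    result = scan(parse_header_directives(HTACCESS))
    for name, verdict in result.items():
        print("%-28s %s" % (name, verdict))
    print("flagged:", missing_headers(result))
```

The rules have to reach the browser as HTTP response headers: the X-Frame-Options meta tag pziecina mentions is ignored by browsers, which is why it shows up as invalid, and a scanner fetching the site over plain HTTP will never see the HSTS header because browsers only honour it over HTTPS. Paste your own directives into the fragment and run the script to see which of the four passes Ben reports you would get and why the fifth and sixth are still open.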

Mentor ,
Apr 19, 2018

pziecina wrote:

adobe.com gets a 'D'.

w3.org gets an 'F'.

amazon (both UK and US) gets a 'D'.

and all the other major sites I checked, none get higher than a 'D'.

+ including government sites, global credit card companies and banks.

Adobe Community Professional ,
Apr 29, 2018

Yes,  the web is getting ridiculous as are the clients we must work with.

Thanks to Peru Bob for posting this amusing little video entitled The Expert.

The Expert (Short Comedy Sketch) - YouTube

Nancy O'Shea, ACP
Alt-Web Design & Publishing

osgood_
LEGEND ,
Apr 29, 2018

https://forums.adobe.com/people/Nancy+OShea wrote:

Yes,  the web is getting ridiculous as are the clients we must work with.

Thanks to Peru Bob for posting this amusing little video entitled The Expert.

The Expert (Short Comedy Sketch) - YouTube

Brilliant! A lot like the meeting I was in a couple of weeks ago. I nearly announced my retirement right there and then, believe me!
