Mozilla Foundation security engineer April Knight released a project she calls Observatory. Observatory is a free auxiliary website security scanner, similar to scanning services SSL Labs and High-Tech Bridge.
The service has been deployed with Python and is available in GitHub. It was under development for months and was approved for public release just yesterday.
Observatory is aimed at developers, system administrators, and security professionals who want to configure websites that use modern security protocols.
The Observatory scans each website for the presence of key security features and then scores it with points from 0 to 130, which it then converts into a score from A to F.
In its current format, the script scans and scores for the following services:
Content Security Policy (CSP) status,
cookie files using Secure flag,
Cross-Origin Resource Sharing (CORS) status,
HTTP Public Key Pinning (HPKP) status,
HTTP Strict Transport Security (HSTS) status,
percentage of automatic redirection from HTTP to HTTPS,
Subsource Integrity (SRI) status,
X-Content-Type-Options status,
X-Frame-Options (XFO) status, and
X-XSS-Protection status.
According to Knight, who has authored more than 1,3 millions of websites, more than 91% of modern websites fail on CBServatory's tests.
Download the script
