Benchmarking your HTTP security headers

Not a single piece of the Internet's infrastructure seems to stand still for long anymore, and after a lunchtime discussion about an HTTP header I'd never heard of, Permissions-Policy, I thought it was time to do a brief refresher on the current recommendations. Rather than looking through the recent specs and RFCs, I decided to make it a little more entertaining and try to improve my SecurityHeaders.io grade.

SecurityHeaders is an awesome site that checks HTTP response headers and reports on any important ones that are missing. It can also flag certain misconfigurations, such as a max-age not being set on Strict-Transport-Security. I ran a scan against both UnixDaemon.net and PuppetCookBook.com and was slightly disheartened to learn that I'd received an F on each. It's not explicitly rated as a failure, but it felt like it. Luckily each issue detected links to some clear documentation, written by the owner of the site, Scott Helme, discussing the header and how you can fix it. This information, alongside the excellent content from the Mozilla HTTP header docs, was more than enough to quickly bump me up to a "B".

List of security headers and a single letter grade.

It's not a perfect A+, but it's far enough to close some easy avenues with only a little time investment, and for you, dear readers, it was worth it. If you run your own sites, a periodic SecurityHeaders scan to check everything is as it should be is recommended. It's a shame there's no automation-friendly JSON API or way to run it as a scheduled command-line tool, but you can't be too picky when someone provides such a useful service for free. Also, don't worry about my glaring knowledge gap when it came to Permissions-Policy: it's a renamed Feature-Policy, so I'm excused for this one.
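For a scheduled, scriptable version of the checks the post describes (missing headers, a Strict-Transport-Security with no max-age, and the Feature-Policy to Permissions-Policy rename), here is an added example of my own; it is not code from the post or from SecurityHeaders.io. The list of expected headers and the one-letter-per-issue grading scale are this example's own simplification and are not the site's real scoring rules. The two header sets at the bottom are constructed sample responses, not captures from the sites mentioned above.

```python
import re
import urllib.request
from typing import Dict, List

# Headers a practitioner would expect on a modern site. This set, and the
# grading scale in grade() below, are this example's own simplification and
# deliberately do not reproduce SecurityHeaders.io's actual rules.
EXPECTED_HEADERS = (
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Frame-Options",
    "X-Content-Type-Options",
    "Referrer-Policy",
    "Permissions-Policy",
)


def _normalise(headers: Dict[str, str]) -> Dict[str, str]:
    """HTTP header names are case-insensitive, so compare in lower case."""
    return {name.lower(): value for name, value in headers.items()}


def check_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of human-readable findings for one response's headers."""
    h = _normalise(headers)
    findings: List[str] = []

    for name in EXPECTED_HEADERS:
        if name.lower() not in h:
            findings.append(f"missing: {name}")

    # HSTS without a max-age directive (or with max-age=0) does nothing useful.
    hsts = h.get("strict-transport-security")
    if hsts is not None:
        match = re.search(r"max-age\s*=\s*(\d+)", hsts, re.IGNORECASE)
        if match is None:
            findings.append("misconfigured: Strict-Transport-Security has no max-age")
        elif int(match.group(1)) == 0:
            findings.append("misconfigured: Strict-Transport-Security max-age=0 disables HSTS")

    # Feature-Policy was renamed Permissions-Policy; flag the old name on its own.
    if "feature-policy" in h and "permissions-policy" not in h:
        findings.append("deprecated: Feature-Policy set without its successor Permissions-Policy")

    return findings


def grade(findings: List[str]) -> str:
    """Illustrative scale: drop one letter per finding, bottoming out at F."""
    scale = "ABCDEF"
    return scale[min(len(findings), len(scale) - 1)]


def fetch_headers(url: str, timeout: float = 10.0) -> Dict[str, str]:
    """Fetch a URL and return its response headers (network access required)."""
    request = urllib.request.Request(url, headers={"User-Agent": "header-check/0.1"})
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return dict(response.headers.items())


# Constructed sample responses, not captures from any real site.
BEFORE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "includeSubDomains",   # no max-age
    "Feature-Policy": "geolocation 'none'",             # old header name
}

AFTER_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=(), camera=()",
}


if __name__ == "__main__":
    for label, headers in (("before", BEFORE_HEADERS), ("after", AFTER_HEADERS)):
        found = check_security_headers(headers)
        print(f"{label}: grade {grade(found)}")
        for line in found:
            print("  -", line)
    # To check a live site from cron, replace the sample dicts with e.g.:
    #   check_security_headers(fetch_headers("https://example.com/"))
```

The "before" sample scores an F: five headers are missing, the HSTS value has no max-age, and the old Feature-Policy name is present without Permissions-Policy. The "after" sample produces no findings and an A. Note that the checker only tests for presence and the one HSTS directive; whether a Content-Security-Policy is actually restrictive is a separate question that a presence check cannot answer.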