
SANS ISC: SSL Labs vs. SecurityHeaders.io - Internet Security | DShield SANS ISC InfoSec Forums


SSL Labs vs. SecurityHeaders.io
Hello -

I am in an argument with a company we hired to create a web-site (strictly content). One of the things I asked for was that the web-site must score a B or higher at both https://casecurity.ssllabs.com and https://securityheaders.io . The web-site went live, then I ran the tests. We were getting a C on SSL Labs, and an F by SecurityHeaders. I told them they have to fix it. Now we are getting a B at SSL Labs and still getting an F at SecurityHeaders. I told them that needed to be fixed, but they are refusing, saying that a B from SSL Labs proves the web-site is secure. According to SecurityHeaders they need to add the following headers:

Strict-Transport-Security
Content-Security-Policy
X-Frame-Options
X-XSS-Protection
X-Content-Type-Options
Referrer-Policy
Feature-Policy

As a former software engineer I think it should be relatively easy to add them, and it is necessary. I wanted to get the opinion of others. Should web-sites score a B or better on both, or is it still secure if it scores an F on one? Am I being unreasonable by requiring at least a B on both?
Anonymous
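The two scanners measure different things: SSL Labs grades the TLS configuration, while SecurityHeaders.io only looks at the HTTP response headers the site sends, so a good TLS grade says nothing about the seven headers listed above. The following is an added example, not code from the original post or from either scanner: a small offline checker that parses a raw HTTP response header block and reports which of those seven headers are missing, plus a sanity check on the values of three of them (HSTS needs a positive `max-age`, `X-Frame-Options` should be `DENY` or `SAMEORIGIN`, `X-Content-Type-Options` should be `nosniff`). The sample responses are constructed; the header values in them are common safe defaults, not values from the page, and the checker does not reproduce SecurityHeaders.io's real grading algorithm.

```python
# Added example, not code from the original post or from SecurityHeaders.io:
# parse a raw HTTP response header block and report which of the seven
# headers named in the question are missing or carry a value that defeats
# the header's purpose. It does not reproduce the scanner's grading.
from typing import Dict, List, Tuple

# The seven headers the question says SecurityHeaders.io asked for.
REQUIRED_HEADERS = [
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Frame-Options",
    "X-XSS-Protection",
    "X-Content-Type-Options",
    "Referrer-Policy",
    "Feature-Policy",
]


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse the header block of a raw HTTP response (status line first).
    Header names are case-insensitive, so keys are stored lower-cased."""
    headers: Dict[str, str] = {}
    lines = raw.strip().splitlines()
    for line in lines[1:]:           # lines[0] is the status line
        if not line.strip():
            break                    # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def hsts_max_age(value: str) -> int:
    """Extract max-age from an HSTS value; 0 if absent or unparseable."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return 0
    return 0


def check_headers(headers: Dict[str, str]) -> Tuple[List[str], List[str]]:
    """Return (missing, weak): headers absent entirely, and headers present
    but with a value that does not actually protect anything."""
    missing = [h for h in REQUIRED_HEADERS if h.lower() not in headers]
    weak: List[str] = []
    hsts = headers.get("strict-transport-security")
    if hsts is not None and hsts_max_age(hsts) <= 0:
        weak.append("Strict-Transport-Security")   # max-age=0 disables HSTS
    xfo = headers.get("x-frame-options")
    if xfo is not None and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        weak.append("X-Frame-Options")
    xcto = headers.get("x-content-type-options")
    if xcto is not None and xcto.lower() != "nosniff":
        weak.append("X-Content-Type-Options")
    return missing, weak


def audit(raw_response: str) -> Dict[str, List[str]]:
    """Convenience wrapper: raw response text in, findings out."""
    missing, weak = check_headers(parse_headers(raw_response))
    return {"missing": missing, "weak": weak}


# Constructed sample: the kind of response a content-only site returns
# before any hardening (only Content-Type and Server).
BEFORE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Server: example
"""

# Constructed sample: the same response with the seven headers added.
# These values are common safe defaults (assumption), not from the page.
AFTER = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Feature-Policy: camera 'none'; microphone 'none'
"""

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(raw))
```

The point of the `weak` list is that merely emitting a header is not the same as being protected by it: a vendor can make a scanner's "missing header" warning go away with a value like `max-age=0`, so a contractual requirement is better phrased in terms of the scanner's grade (as the original request was) than as a list of header names.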
