Hello - I am in an argument with a company we hired to create a web-site (strictly content). One of the things I asked for was that the web-site must score a B or higher at both https://casecurity.ssllabs.com and https://securityheaders.io. The web-site went live, then I ran the tests. We were getting a C on SSL Labs, and an F by SecurityHeaders. I told them they have to fix it. Now we are getting a B at SSL Labs and still getting an F at SecurityHeaders. I told them that needed to be fixed, but they are refusing, saying that a B from SSL Labs proves the web-site is secure.

According to SecurityHeaders they need to add the following headers: Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, Referrer-Policy, Feature-Policy.

As a former software engineer I think it should be relatively easy to add them, and it is necessary. I wanted to get the opinion of others. Should web-sites score a B or better on both, or is it still secure if it scores an F on one? Am I being unreasonable by requiring at least a B on both?
Anonymous, Sep 7th 2018
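One way to check a response for the seven headers listed in the post, as an added example that is not part of the original post or of either scanning service. The function names, the three value checks and the sample response are assumptions made for illustration.

```python
from email.parser import Parser

# The seven headers the post lists from the SecurityHeaders report.
REQUIRED = [
    "Strict-Transport-Security", "Content-Security-Policy",
    "X-Frame-Options", "X-XSS-Protection", "X-Content-Type-Options",
    "Referrer-Policy", "Feature-Policy",
]

def _hsts_ok(value):
    # max-age=0 tells the browser to drop HSTS, so it counts as weak here.
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        if name.strip().lower() == "max-age":
            arg = arg.strip().strip('"')
            return arg.isdigit() and int(arg) > 0
    return False

# Value checks only where the accepted values are fixed and well known.
VALUE_CHECKS = {
    "Strict-Transport-Security": _hsts_ok,
    "X-Content-Type-Options": lambda v: v.strip().lower() == "nosniff",
    "X-Frame-Options": lambda v: v.strip().lower() in ("deny", "sameorigin"),
}

def audit_headers(raw_head):
    """Return (missing, weak) lists for a raw HTTP response head."""
    _status, _, header_block = raw_head.partition("\r\n")
    headers = Parser().parsestr(header_block, headersonly=True)
    missing, weak = [], []
    for name in REQUIRED:
        value = headers.get(name)  # header lookup is case-insensitive
        if value is None:
            missing.append(name)
        elif name in VALUE_CHECKS and not VALUE_CHECKS[name](value):
            weak.append(name)
    return missing, weak

# Constructed sample response head, not output from the site in the post.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "strict-transport-security: max-age=0\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: ALLOWALL\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print(audit_headers(SAMPLE_RESPONSE))
```

A header that is present but carries a value that switches the protection off is reported separately from a missing one, which a presence-only check would not show.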