Test Retreat

Welcome to the homepage of Kris Corbus

Archive for the tag “HTTP security headers”

Security and WordPress


A week ago I learned about security headers and found weaknesses in this blog. In my previous post I did not mention that, besides mine, I checked other websites which I know are run on WordPress. All of them have the same problems, no matter where the WordPress site is hosted. I contacted the Happiness Engineers and got feedback that my question would be forwarded to the Network Engineers. I am still waiting for an answer from them.

One thing that made me especially concerned was the blog post “stopmullware-on-the-security-of-27-of-the-websites-on-the-internet” written by Scott Arciszewski, which got deleted shortly after I read it – the post was about the priorities of Automattic; hint – security is not one of them. Here are some tweets which should explain why it was deleted:

Use Google and read for yourself who Scott is and what he does. Then form your own picture of the situation.

But Scott is not the only one who is alarmed. Here is another article about a WordPress vulnerability. In fact I have a feeling that suddenly everyone is writing about how insecure WordPress is. The German media seem to be a little slow – they are only now reporting on the update bug.

Long story short – I spent the whole week reading and understanding how it all works together, touching on certificates and domains as well. My aim was to find out what I can do to improve the security of my website. My current answer: as long as I use WordPress, I cannot fix the security header issues. But the optimist inside me is really looking forward to the WordPress Network Engineers' answer. Maybe there is a way.

#30daysofsecuritytesting – Task XVIII


All previous posts in this series: I, II, IV, V, VII, IX, X, XXX

Task 15: Write and share ideas for security testing via twitter or a blog
Task 18: Learn about Security Headers

Oh, people, this challenge is a real challenge! I usually write one or two blog posts a week, and my wish to document my learnings is causing me difficulties. I had the most beautiful weekend with my family in the hills and now I am missing several tasks. It is what it is. I move on and tick off two tasks.

So. Security Headers. The first thing I wanted to do was to scan my own website. I thought it would be a short check and then I would move on, but instead this happened:

I started with a scan on security headers – a free website which analyses headers, built and run by Scott Helme. The scan showed some problems with my headers and I started to research whether I should panic or not.

With the help of developer tools, I checked the network/headers in Safari, Chrome and Firefox. Every browser shows the header information differently. Chrome at first appeared to be the least valuable, but then I discovered the “Security” and “Audits” tabs and that changed my top 3.
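As an added example (not code from this post or from Scott Helme's scanner), here is an offline version of the check that such a scan performs: it takes one response's header map, as you would copy it from the browser's network tab, and reports which common security headers are missing or weakly configured. The header list and the six-month HSTS threshold are assumptions of this example, and the two sample responses are constructed.

```python
"""Audit a set of HTTP response headers against common security-header
recommendations. Added example, not code from the blog or from the
securityheaders scanner; the header list and "weak" thresholds are assumptions."""
import re
from typing import Dict, List

# Headers a security-header scan typically looks for (assumed set).
REQUIRED = {
    "strict-transport-security": "HSTS missing: downgrade to plain HTTP is possible",
    "content-security-policy": "CSP missing: script/style sources are unrestricted",
    "x-frame-options": "X-Frame-Options missing: page can be framed (clickjacking)",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing allowed",
    "referrer-policy": "Referrer-Policy missing: full URL may leak to third parties",
}
SIX_MONTHS = 15768000  # seconds; a common minimum recommended HSTS max-age

def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for one response; header names are matched case-insensitively."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = [msg for name, msg in REQUIRED.items() if name not in h]
    hsts = h.get("strict-transport-security", "")
    if hsts:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < SIX_MONTHS:
            findings.append("HSTS weak: max-age below six months")
    if h.get("x-content-type-options", "nosniff").lower() != "nosniff":
        findings.append("X-Content-Type-Options weak: value should be 'nosniff'")
    if h.get("x-frame-options", "DENY").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options weak: use DENY or SAMEORIGIN")
    if "'unsafe-inline'" in h.get("content-security-policy", ""):
        findings.append("CSP weak: 'unsafe-inline' allows inline scripts/styles")
    return findings

# Constructed sample responses, not captured from any real site.
WEAK_RESPONSE = {
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=300",  # present but far too short
}
HARDENED_RESPONSE = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {audit_headers(response) or ['no findings']}")
```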

With the help of Chrome I also learned tonight about Wildcard and Multi-Domain (SAN) certificates and the websites with which I share mine. The Chrome audit showed that I have 2237 unused CSS rules. I will need to decide what to do with that…

Altogether this task was very useful. I learned a lot and got a long to-do list of what to improve on my website.

At the end – Automattic has a good sense of humour:
[Screenshot, 2017-02-14]

On the other hand – my header has an ad for Automattic, and I am not OK with that.
