devtoolkit_apiBanned to netsec - Network SecurityEnglish · 5 days ago

Testing HTTP security headers at scale — free analyzer tool I built

cross-posted to:
cybersecurity@sh.itjust.works

-4

Testing HTTP security headers at scale — free analyzer tool I built

devtoolkit_apiBanned to netsec - Network SecurityEnglish · 5 days ago

cross-posted to:
cybersecurity@sh.itjust.works

I’ve been running security header checks on the top 1000 websites and the results are concerning. Built a tool to make this easy for anyone:

https://devtoolkit.dev/headers

It checks for:

Content-Security-Policy (and whether it’s actually restrictive)
Strict-Transport-Security (including preload)
X-Content-Type-Options
X-Frame-Options
Referrer-Policy
Permissions-Policy
X-XSS-Protection (deprecated but still checked)

Gives a 0-100 score with specific recommendations for each missing/weak header.

Interesting findings:

~40% of sites I tested are missing CSP entirely
Many sites set HSTS but with short max-age (< 1 year)
X-Frame-Options is still commonly used but CSP frame-ancestors is better
Permissions-Policy adoption is shockingly low

No signup, no tracking, no data collection. Just paste a URL and get results.

Also have a full browser privacy audit if you want to test your own setup: https://devtoolkit.dev/privacy-audit

Feedback welcome — especially on what other checks would be useful.

Chat

JRaccoon
link
fedilink
English
arrow-up
1·
5 days ago
Domain not DNS resolving

netsec - Network Security

netsec

Create a post

You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !netsec@discuss.tchncs.de

This is the netsec Community, a community-curated aggregator of technical information security content. Our mission is to extract signal from the noise - to provide value to security practitioners, students, researchers, and hackers everywhere.

Content Guidelines:

Content should focus on the “How”.
Always try to link to the original source.
Titles should provide context.
Ask Questions with a “[Question]” prefix in the Title.
Hiring Posts must go in the [Hiring] (stickied) Threads.
Commercial advertisement is discouraged.

Discussion Guidelines:

Don’t create unnecessary conflict.
No trolling allowed, limit the use of jokes and memes.
Don’t complain about content being a PDF.
Be nice to each other, everybody started somewhere.

Prohibited Content:

No populist news articles (CNN, BBC, FOX, etc)
No curated lists.
No social media posts (Facebook, Twitter, etc).
No image-only/video-only posts.
No livestreams.
No Tech Support requests.
No paywalled/regwalled content (use archive.is if possible?)
No commercial advertisement.
No crowdfunding posts.
No personally identifiable information.
No doxxing, and no harrassment of any kind.

Visibility: Public

This community can be federated to other instances and be posted/commented in by their users.

1 user / day
20 users / week
24 users / month
25 users / 6 months
161 local subscribers
450 subscribers
31 Posts
17 Comments
Modlog

mods:
cookiengineer