netsec - Network Security

447 readers

19 users here now

This is the netsec Community, a community-curated aggregator of technical information security content. Our mission is to extract signal from the noise - to provide value to security practitioners, students, researchers, and hackers everywhere.

Content Guidelines:

Content should focus on the "How".
Always try to link to the original source.
Titles should provide context.
Ask Questions with a "[Question]" prefix in the Title.
Hiring Posts must go in the [Hiring] (stickied) Threads.
Commercial advertisement is discouraged.

Discussion Guidelines:

Don't create unnecessary conflict.
No trolling allowed, limit the use of jokes and memes.
Don't complain about content being a PDF.
Be nice to each other, everybody started somewhere.

Prohibited Content:

No populist news articles (CNN, BBC, FOX, etc)
No curated lists.
No social media posts (Facebook, Twitter, etc).
No image-only/video-only posts.
No livestreams.
No Tech Support requests.
No paywalled/regwalled content (use archive.is if possible?)
No commercial advertisement.
No crowdfunding posts.
No personally identifiable information.
No doxxing, and no harrassment of any kind.

founded 2 years ago

MODERATORS

cookiengineer@discuss.tchncs.de

-4

Testing HTTP security headers at scale — free analyzer tool I built (devtoolkit.dev)

submitted 18 hours ago by devtoolkit_api@discuss.tchncs.de to c/netsec@discuss.tchncs.de

1 comments fedilink hide all child comments

I've been running security header checks on the top 1000 websites and the results are concerning. Built a tool to make this easy for anyone:

https://devtoolkit.dev/headers

It checks for:

Content-Security-Policy (and whether it's actually restrictive)
Strict-Transport-Security (including preload)
X-Content-Type-Options
X-Frame-Options
Referrer-Policy
Permissions-Policy
X-XSS-Protection (deprecated but still checked)

Gives a 0-100 score with specific recommendations for each missing/weak header.

Interesting findings:

~40% of sites I tested are missing CSP entirely
Many sites set HSTS but with short max-age (< 1 year)
X-Frame-Options is still commonly used but CSP frame-ancestors is better
Permissions-Policy adoption is shockingly low

No signup, no tracking, no data collection. Just paste a URL and get results.

Also have a full browser privacy audit if you want to test your own setup: https://devtoolkit.dev/privacy-audit

Feedback welcome — especially on what other checks would be useful.

top 1 comments

sorted by: hot top controversial new old

[–] JRaccoon@discuss.tchncs.de 1 points 18 hours ago

Domain not DNS resolving