Mozilla engineer April Knight has released Observatory, a free web security testing utility, on GitHub. The tool has been under development for months; it was approved yesterday and published on the developer community web site for public use.
Mozilla Observatory Is a Useful Tool for Every Web Developer
Observatory is written in Python. Its aim is to help developers, administrators and security experts who want to implement good security measures on their web sites. The utility grades the target site and assigns a rating (a score from A to F) based on the security features it finds implemented.
Right now the tool can scan and report the security grade for the following services:
- Content Security Policy (CSP) Status
- Cookies using the Secure flag
- Cross-Origin Resource Sharing (CORS) status
- HTTP Public Key Pinning (HPKP) status
- HTTP Strict Transport Security (HSTS) status
- Presence of automatic redirection from HTTP to HTTPS
- Subresource Integrity (SRI) status
- X-Content-Type-Options status
- X-Frame-Options (XFO) status
- X-XSS-Protection status
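To make concrete what several of the checks above look like in practice, here is a small header audit written in the same spirit. It is an added example, not Observatory's own code or its scoring algorithm: the pass/fail rules, the six-month HSTS threshold, the letter scale and the two sample responses are all constructed for illustration. CORS, HPKP and SRI are not modelled, since they need the certificate chain or the page body rather than the response headers alone.

```python
"""Header audit in the spirit of the Observatory checks listed above.

Added example, not Observatory's code: the pass/fail rules, thresholds,
letter scale and sample responses below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Six months in seconds: an assumed minimum for a useful HSTS max-age.
HSTS_MIN_AGE = 15552000

# Headers are modelled as name -> list of values because some headers
# (Set-Cookie in particular) legitimately repeat in one response.
Headers = Dict[str, List[str]]


@dataclass
class Finding:
    check: str
    passed: bool
    detail: str


def _header(headers: Headers, name: str) -> List[str]:
    """Case-insensitive lookup returning every value of the named header."""
    return [v for k, vals in headers.items() if k.lower() == name.lower() for v in vals]


def audit(headers: Headers, http_redirect: Optional[Tuple[int, str]]) -> List[Finding]:
    """Run the header-based checks. http_redirect is the (status, Location)
    pair observed when the site was requested over plain HTTP."""
    findings: List[Finding] = []

    # CSP: a policy must exist, and the directive governing scripts
    # (script-src, falling back to default-src) must not allow 'unsafe-inline'.
    csp = _header(headers, "Content-Security-Policy")
    if not csp:
        findings.append(Finding("csp", False, "no Content-Security-Policy header"))
    else:
        directives: Dict[str, List[str]] = {}
        for part in csp[0].split(";"):
            tokens = part.split()
            if tokens:
                directives[tokens[0].lower()] = tokens[1:]
        script_src = directives.get("script-src", directives.get("default-src", []))
        unsafe = "'unsafe-inline'" in script_src
        findings.append(Finding("csp", not unsafe,
                                "script-src allows 'unsafe-inline'" if unsafe
                                else "policy present; scripts restricted"))

    # Cookies: every Set-Cookie must carry the Secure attribute.
    insecure = []
    for cookie in _header(headers, "Set-Cookie"):
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        if "secure" not in attrs:
            insecure.append(cookie.split("=", 1)[0])
    findings.append(Finding("cookies", not insecure,
                            f"cookies without Secure: {insecure}" if insecure
                            else "all cookies carry Secure"))

    # HSTS: header present with a max-age of at least HSTS_MIN_AGE.
    max_age = 0
    hsts = _header(headers, "Strict-Transport-Security")
    for attr in (hsts[0].split(";") if hsts else []):
        key, _, value = attr.strip().partition("=")
        if key.lower() == "max-age" and value.isdigit():
            max_age = int(value)
    findings.append(Finding("hsts", max_age >= HSTS_MIN_AGE, f"max-age={max_age}"))

    # Redirection: plain HTTP must answer with a redirect to an https:// URL.
    status, location = http_redirect or (200, "")
    redirected = status in (301, 302, 307, 308) and location.lower().startswith("https://")
    findings.append(Finding("redirect", redirected, f"HTTP answered {status} -> {location!r}"))

    # X-Content-Type-Options: the only meaningful value is "nosniff".
    xcto = _header(headers, "X-Content-Type-Options")
    findings.append(Finding("x-content-type-options",
                            bool(xcto) and xcto[0].strip().lower() == "nosniff",
                            f"value={xcto[0] if xcto else None}"))

    # X-Frame-Options: DENY or SAMEORIGIN.
    xfo = _header(headers, "X-Frame-Options")
    findings.append(Finding("x-frame-options",
                            bool(xfo) and xfo[0].strip().upper() in ("DENY", "SAMEORIGIN"),
                            f"value={xfo[0] if xfo else None}"))

    # X-XSS-Protection: presence only; this legacy header is ignored by
    # current browsers, so the CSP check above is the one that matters.
    xxss = _header(headers, "X-XSS-Protection")
    findings.append(Finding("x-xss-protection", bool(xxss), f"value={xxss[0] if xxss else None}"))
    return findings


def grade(findings: List[Finding]) -> str:
    """Constructed scale: one letter per failed check, A (none) to F (five or more)."""
    return "ABCDEF"[min(sum(not f.passed for f in findings), 5)]


# Constructed sample responses, not captured from any real site.
WEAK_SITE = {
    "headers": {"Content-Type": ["text/html"],
                "Set-Cookie": ["session=abc123; Path=/"],
                "X-XSS-Protection": ["1; mode=block"]},
    "http_redirect": (200, ""),
}
HARDENED_SITE = {
    "headers": {"Content-Security-Policy": ["default-src 'self'; script-src 'self'; frame-ancestors 'none'"],
                "Set-Cookie": ["session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"],
                "Strict-Transport-Security": ["max-age=63072000; includeSubDomains"],
                "X-Content-Type-Options": ["nosniff"],
                "X-Frame-Options": ["DENY"],
                "X-XSS-Protection": ["1; mode=block"]},
    "http_redirect": (301, "https://example.test/"),
}


def grade_site(site: dict) -> Tuple[str, List[Finding]]:
    findings = audit(site["headers"], site["http_redirect"])
    return grade(findings), findings


if __name__ == "__main__":
    for name, site in (("weak", WEAK_SITE), ("hardened", HARDENED_SITE)):
        letter, results = grade_site(site)
        print(f"{name}: grade {letter}")
        for r in results:
            print(f"  [{'PASS' if r.passed else 'FAIL'}] {r.check}: {r.detail}")
```

Running the block prints a per-check PASS/FAIL line for each sample response. The weak response fails every check except the legacy X-XSS-Protection header and lands at F; the hardened one passes all seven and gets an A. Real scanners differ in weighting and in what counts as a pass, so treat the scale here as a teaching device rather than a substitute for running Observatory itself.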
April Knight ran automated Observatory scans of over 1.3 million sites; 91% of them failed the tests.
The utility is made up of three components: a scanner, a command-line client and a web interface.
It is available from its GitHub page for immediate download.