Hardenize and support the best security practices available
Hi There,
The website can be improved to use better security features. While it is not extremely bad now, it can be configured better:
https://www.hardenize.com/report/torproject.org/1628884454#www_tls
https://cryptcheck.fr/https/www.torproject.org
https://www.hardenize.com/report/torproject.org/1628884454#www_hsts
we see in TLS:
- Still supporting TLS 1.0 and 1.1, which have been deprecated for more than a year.
- Weak ciphers used for TLS 1.2
- No HSTS for subdomains
https://securityheaders.com/?q=https%3A%2F%2Fwww.torproject.org%2F&followRedirects=on
https://csp-evaluator.withgoogle.com/?csp=www.torproject.org
https://www.hardenize.com/report/torproject.org/1628884454#www_xxssp
we see in Headers:
- Missing Permissions-Policy
- Content-Security-Policy contains 'unsafe-inline' which is dangerous in the style-src directive.
- Missing object-src and require-trusted-types-for
- Wrong/missing config: the value must be "1; mode=block", not just 1
For some good examples of websites, check these:
danwin1210:
https://www.hardenize.com/report/danwin1210.me/1628389257
https://www.ssllabs.com/ssltest/analyze.html?d=danwin1210.me&s=116.202.17.147&latest
https://cryptcheck.fr/https/danwin1210.me
https://securityheaders.com/?q=danwin1210.me&followRedirects=on
grapheneos:
https://www.hardenize.com/report/grapheneos.org/1628592032
https://www.ssllabs.com/ssltest/analyze.html?d=grapheneos.org&s=192.99.43.50
https://cryptcheck.fr/https/grapheneos.org
https://securityheaders.com/?q=grapheneos.org&followRedirects=on
Thanks!
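The header findings in the report above can be reproduced offline with a small audit script. The following is an added example, not code from the report or from the Tor Project's own configuration: it runs the same checks (HSTS includeSubDomains and max-age, 'unsafe-inline' in style-src, missing object-src and require-trusted-types-for, missing Permissions-Policy, and the X-XSS-Protection value) against two constructed header sets, a "weak" one resembling the findings and a "hardened" one for comparison. The header values are made up for illustration and are not captured from www.torproject.org; the one-year HSTS threshold and the acceptance of "0" for X-XSS-Protection (current OWASP guidance, alongside the "1; mode=block" the report asks for) are the example's own choices.

```python
"""Audit an HTTP response header set against the checks listed in the report.

Added example (not part of the original bug report or the site's own
configuration). All header values below are constructed for illustration.
"""
from typing import Dict, List

ONE_YEAR = 365 * 24 * 3600  # 31536000 seconds, a common HSTS lower bound (assumption)

# Constructed "before" set: resembles the findings in the report.
WEAK_HEADERS: Dict[str, str] = {
    "Strict-Transport-Security": "max-age=15768000",
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self'; "
        "style-src 'self' 'unsafe-inline'"
    ),
    "X-XSS-Protection": "1",
}

# Constructed "after" set: what a hardened response could send instead.
HARDENED_HEADERS: Dict[str, str] = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self'; style-src 'self'; "
        "object-src 'none'; base-uri 'self'; "
        "require-trusted-types-for 'script'"
    ),
    "Permissions-Policy": "camera=(), microphone=(), geolocation=(), interest-cohort=()",
    # OWASP recommends disabling the legacy XSS auditor outright ("0");
    # the report asks for "1; mode=block". Both are accepted by audit_headers.
    "X-XSS-Protection": "0",
}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]} (lower-cased)."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def parse_hsts(value: str) -> Dict[str, str]:
    """Split an HSTS header into {directive: value} with lower-cased names."""
    out: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            out[name.strip().lower()] = val.strip().strip('"')
    return out


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return the list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: header missing")
    else:
        d = parse_hsts(hsts)
        if "includesubdomains" not in d:
            findings.append("HSTS: missing includeSubDomains")
        try:
            max_age = int(d.get("max-age", "0"))
        except ValueError:
            max_age = 0
        if max_age < ONE_YEAR:
            findings.append("HSTS: max-age shorter than one year")

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("CSP: header missing")
    else:
        p = parse_csp(csp)
        if "'unsafe-inline'" in p.get("style-src", []):
            findings.append("CSP: 'unsafe-inline' in style-src")
        # A missing object-src only falls back safely when default-src is exactly 'none'.
        if "object-src" not in p and p.get("default-src") != ["'none'"]:
            findings.append("CSP: object-src missing (and default-src is not 'none')")
        if "require-trusted-types-for" not in p:
            findings.append("CSP: require-trusted-types-for missing")

    if "permissions-policy" not in h:
        findings.append("Permissions-Policy: header missing")

    xss = h.get("x-xss-protection")
    if xss is None:
        findings.append("X-XSS-Protection: header missing")
    elif xss.replace(" ", "") not in ("0", "1;mode=block"):
        findings.append(f"X-XSS-Protection: value {xss!r} (expected '1; mode=block' or '0')")

    return findings


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(f"{label}: {audit_headers(hdrs) or ['no findings']}")
```

The TLS items in the report (dropping TLS 1.0/1.1 and the weak TLS 1.2 ciphers) are server-side settings rather than headers, for example `ssl_protocols TLSv1.2 TLSv1.3;` in nginx, and are not covered by this script; the external scanners linked above remain the way to verify those after a change.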