Created April 13, 2015 14:43
Looking at security headers of presidential hopefuls of 2016
Idea inspired by: https://paulschreiber.com/blog/2015/04/12/presidential-candidate-website-tech-compared/
Scanning and details provided by https://securityheaders.com/test-http-headers.php
hillaryclinton.com Header Analysis
The HTTP headers we saw when we visited hillaryclinton.com...
HTTP/1.1 302 Moved Temporarily
Content-Length: 154
Content-Type: text/html
Date: Mon, 13 Apr 2015 14:38:18 GMT
Location: https://www.hillaryclinton.com/
Server: nginx
Connection: keep-alive
HTTP/1.1 200 OK
Date: Mon, 13 Apr 2015 14:38:18 GMT
Server: AmazonS3
x-amz-id-2: 8Z+Cq96oujjGTtXbE3IkkI+yeoHhDn+wPxLcrMt3387Igyt+TQ5GyYpTECXLTNTU
x-amz-request-id: 582D3F3D411C94C6
Cache-Control: max-age=86400
Last-Modified: Mon, 13 Apr 2015 03:15:00 GMT
ETag: "7127d7082fac307b36942ae257bf5448"
Content-Type: text/html
Content-Length: 25795
Accept-Ranges: bytes
X-Varnish: 750605121 709187975
Via: 1.1 varnish
Age: 7798
Summary
Number of Happy Findings: 2
Number of Not As Happy Findings: 8
Percentage Happy Findings: 20%
What These Numbers Mean
We detected 2 Happy Findings on hillaryclinton.com. According to the data we have gathered hillaryclinton.com scores worse than approximately 50% of sites out there. The good news is that adding many of our HTTP header recommendations for security take very little time to implement and have a big impact!
X-Frame-Options
Uh oh! X-Frame-Options does not appear to be found in the site's HTTP header, increasing the likelihood of successful clickjacking attacks.
Strict-Transport-Security
Uh oh! Strict-Transport-Security does not appear to be found in the site's HTTP header, so browsers will not try to access your pages over SSL first.
Nosniff
Uh oh! nosniff does not appear to be found in the site's HTTP header, allowing Internet Explorer the opportunity to deliver malicious content via data that it has incorrectly identified to be of a certain MIME type.
X-XSS-Protection
Uh oh! We didn't detect any mention of X-XSS-Protection in headers anywhere, so there's likely room to improve if we want to be as secure as possible against cross site scripting.
Promiscuous CORS Support
Good news! Access-Control-Allow-Origin: * wasn't found in the site's HTTP header, so XHR Cross Object Resource Sharing requests are prohibited or should be tuned to hillaryclinton.com's desired settings.
Content Security Policy
Uh oh! We did not detect Content-Security-Policy, x-webkit-csp, or even x-webkit-csp-report-only in the site's HTTP header, making XSS attacks more likely to succeed.
UTF-8 Character Encoding
Uh oh! utf-8 doesn't appear to be declared in this site's HTTP header, increasing the likelihood that malicious character conversion could happen. Maybe it is declared in the actual HTML on the site's pages. We hope so.
Server Information
Uh oh! Server: was found in this site's HTTP header, possibly making it easier for attackers to know about potential vulnerabilities that may exist on your site!
X-Powered-By
Good news! X-Powered-By was not found in this site's HTTP header, making it harder for attackers to know about potential vulnerabilities that may exist on your site!
Cross Domain Meta Policy
Uh oh! Permitted-Cross-Domain-Policies does not appear to be found in the site's HTTP header, so it's possible that cross domain policies can be set by other users on your site and be obeyed by Adobe Flash and PDF files.
Miscellaneous hillaryclinton.com Details
IP Address: 54.173.233.250
Geolocation - Country: US
================
NOTE: https://tedcruz.org redirects to http://tedcruz.org - good idea
www.tedcruz.org Header Analysis
The HTTP headers we saw when we visited www.tedcruz.org...
We had difficulty connecting to the host you provided. This may be because...
the host you provided doesn't allow incoming HTTP HEAD requests. If that's the case, I'm afraid securityheaders.com can't help you. You may try manually examining the headers using Live HTTP Headers in Firefox.
there was something bad about what you input to be tested. Confirm that you entered something that makes sense and try again.
=======================
www.randpaul.com Header Analysis
The HTTP headers we saw when we visited www.randpaul.com...
HTTP/1.1 200 OK
Date: Mon, 13 Apr 2015 14:41:43 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Set-Cookie: __cfduid=d11a822cf9e2aeba86b7675acf458b0ca1428936102; expires=Tue, 12-Apr-16 14:41:42 GMT; path=/; domain=.randpaul.com; HttpOnly
Server: cloudflare-nginx
CF-RAY: 1d67eef32110115f-DFW
Summary
Number of Happy Findings: 3
Number of Not As Happy Findings: 7
Percentage Happy Findings: 30%
What These Numbers Mean
We detected 3 Happy Findings on www.randpaul.com. According to the data we have gathered www.randpaul.com scores better than approximately 74% of sites out there. Even though your site could be worse, you probably have not implemented any of our HTTP header recommendations for security. The good news is that many of these fixes take very little time to implement and have a big impact!
X-Frame-Options
Uh oh! X-Frame-Options does not appear to be found in the site's HTTP header, increasing the likelihood of successful clickjacking attacks.
Strict-Transport-Security
Uh oh! Strict-Transport-Security does not appear to be found in the site's HTTP header, so browsers will not try to access your pages over SSL first.
Nosniff
Uh oh! nosniff does not appear to be found in the site's HTTP header, allowing Internet Explorer the opportunity to deliver malicious content via data that it has incorrectly identified to be of a certain MIME type.
X-XSS-Protection
Uh oh! We didn't detect any mention of X-XSS-Protection in headers anywhere, so there's likely room to improve if we want to be as secure as possible against cross site scripting.
Promiscuous CORS Support
Good news! Access-Control-Allow-Origin: * wasn't found in the site's HTTP header, so XHR Cross Object Resource Sharing requests are prohibited or should be tuned to www.randpaul.com's desired settings.
Content Security Policy
Uh oh! We did not detect Content-Security-Policy, x-webkit-csp, or even x-webkit-csp-report-only in the site's HTTP header, making XSS attacks more likely to succeed.
UTF-8 Character Encoding
Good news! utf-8 was found in this site's HTTP header, minimizing the likelihood that malicious character conversion could happen.
Server Information
Uh oh! Server: was found in this site's HTTP header, possibly making it easier for attackers to know about potential vulnerabilities that may exist on your site!
X-Powered-By
Good news! X-Powered-By was not found in this site's HTTP header, making it harder for attackers to know about potential vulnerabilities that may exist on your site!
Cross Domain Meta Policy
Uh oh! Permitted-Cross-Domain-Policies does not appear to be found in the site's HTTP header, so it's possible that cross domain policies can be set by other users on your site and be obeyed by Adobe Flash and PDF files.
Miscellaneous www.randpaul.com Details
IP Address: 104.20.1.72
Geolocation - Country: US
==========================================================
www.marcorubio.com Header Analysis
The HTTP headers we saw when we visited www.marcorubio.com...
We had difficulty connecting to the host you provided. This may be because...
the host you provided doesn't allow incoming HTTP HEAD requests. If that's the case, I'm afraid securityheaders.com can't help you. You may try manually examining the headers using Live HTTP Headers in Firefox.
there was something bad about what you input to be tested. Confirm that you entered something that makes sense and try again.
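The scanner's checks are simple enough to reproduce locally, which also gets around the two failures above (hosts that reject HTTP HEAD). The following is an added example, not code from this gist or from securityheaders.com: it parses a raw header dump, judges the final response of a redirect chain, and applies the same ten checks so the Happy / Not As Happy counts for hillaryclinton.com (2/8) and www.randpaul.com (3/7) come out as in the report. The sample inputs are trimmed copies of the headers quoted above; the recommended header values, the HEAD-to-GET fallback status codes, and the `header-check/0.1` user agent are this example's own choices, and the cross-domain check uses the real header name `X-Permitted-Cross-Domain-Policies` rather than the report's label.

```python
# Added example: offline re-implementation of the securityheaders.com checks
# seen in the report above.  Not the scanner's code; see the lead-in.
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Constructed sample input, trimmed from the header lines quoted in the report.
HILLARY_RAW = """HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Location: https://www.hillaryclinton.com/
Server: nginx

HTTP/1.1 200 OK
Server: AmazonS3
Cache-Control: max-age=86400
Content-Type: text/html
Via: 1.1 varnish
"""
RANDPAUL_RAW = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Set-Cookie: __cfduid=d11a822cf9e2aeba86b7675acf458b0ca1428936102; path=/; HttpOnly
Server: cloudflare-nginx
"""

Headers = Dict[str, str]


def parse_final_response(raw: str) -> Headers:
    """Headers of the LAST response in a raw dump, names lower-cased.
    The 302 in the hillaryclinton.com dump is not what a browser renders,
    so the checks must run against the final hop.  Repeats are joined."""
    responses: List[Headers] = []
    current: Headers = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/"):
            current = {}
            responses.append(current)
        elif ":" in line:
            name, _, value = line.partition(":")
            key, value = name.strip().lower(), value.strip()
            current[key] = f"{current[key]}, {value}" if key in current else value
    if not responses:
        raise ValueError("no HTTP status line in input")
    return responses[-1]


def _ctype(h: Headers) -> str:
    return h.get("content-type", "").lower().replace(" ", "")


# (report label, predicate that is True for a Happy finding, suggested fix)
CHECKS: List[Tuple[str, Callable[[Headers], bool], str]] = [
    ("X-Frame-Options", lambda h: "x-frame-options" in h, "X-Frame-Options: DENY"),
    ("Strict-Transport-Security", lambda h: "strict-transport-security" in h,
     "Strict-Transport-Security: max-age=31536000; includeSubDomains"),
    ("Nosniff", lambda h: "nosniff" in h.get("x-content-type-options", "").lower(),
     "X-Content-Type-Options: nosniff"),
    # 2015 advice; browsers have since removed the XSS auditor this controlled.
    ("X-XSS-Protection", lambda h: "x-xss-protection" in h, "X-XSS-Protection: 1; mode=block"),
    ("Promiscuous CORS Support", lambda h: h.get("access-control-allow-origin", "") != "*",
     "limit Access-Control-Allow-Origin to named origins"),
    ("Content Security Policy", lambda h: any(k in h for k in (
        "content-security-policy", "x-webkit-csp", "x-webkit-csp-report-only")),
     "Content-Security-Policy: default-src 'self'"),
    ("UTF-8 Character Encoding", lambda h: "charset=utf-8" in _ctype(h),
     "Content-Type: text/html; charset=UTF-8"),
    ("Server Information", lambda h: "server" not in h, "remove or blank the Server header"),
    ("X-Powered-By", lambda h: "x-powered-by" not in h, "remove the X-Powered-By header"),
    # Real header name has the X- prefix the report's label omits.
    ("Cross Domain Meta Policy", lambda h: "x-permitted-cross-domain-policies" in h,
     "X-Permitted-Cross-Domain-Policies: none"),
]


def analyse(raw: str) -> Dict[str, object]:
    """Run CHECKS on the final response; return the report's summary fields
    plus one suggested fix per Not As Happy finding."""
    headers = parse_final_response(raw)
    happy = [name for name, passes, _ in CHECKS if passes(headers)]
    fixes = [f"{name}: {fix}" for name, passes, fix in CHECKS if not passes(headers)]
    return {"happy": happy, "not_as_happy": len(CHECKS) - len(happy),
            "percent_happy": 100 * len(happy) // len(CHECKS), "fixes": fixes}


def fetch_raw_headers(url: str, timeout: float = 10.0) -> str:
    """Live fetch in the dump format parse_final_response() reads (not used by
    the sample data).  HEAD first, then GET when the host rejects HEAD, which
    is what stopped the scanner on tedcruz.org and marcorubio.com.  urllib
    follows redirects, so the result is already the final hop."""
    for method in ("HEAD", "GET"):
        req = urllib.request.Request(url, method=method,
                                     headers={"User-Agent": "header-check/0.1"})
        try:
            resp = urllib.request.urlopen(req, timeout=timeout)
        except urllib.error.HTTPError as exc:
            if method == "HEAD" and exc.code in (403, 405, 501):
                continue
            resp = exc  # a 4xx/5xx response still carries headers worth judging
        try:
            return f"HTTP/1.1 {resp.getcode()} {resp.reason}\n" + "".join(
                f"{k}: {v}\n" for k, v in resp.headers.items())
        finally:
            resp.close()
    raise RuntimeError("both HEAD and GET were rejected")


if __name__ == "__main__":
    for site, raw in (("hillaryclinton.com", HILLARY_RAW), ("www.randpaul.com", RANDPAUL_RAW)):
        r = analyse(raw)
        print(f"{site}: {len(r['happy'])} happy, {r['not_as_happy']} not, {r['percent_happy']}%")
        for fix in r["fixes"]:
            print("  ", fix)
```

To check a live site, pass `fetch_raw_headers("https://example.org/")` into `analyse()`; the output of the `__main__` block matches the two summaries above (20% and 30%) because the checks are evaluated on the final response of each chain.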