Are your HTTP headers secure?

Started by bill, January 28, 2016, 01:25:48 AM


bill

I need to get this implemented on my sites: Content Security Policy (CSP)
Looks like a great way to thwart cross-site scripting attacks.

This guy has a scanner https://securityheaders.io/ that grades your headers just like SSL Labs does for certs. He also has a CSP policy builder https://report-uri.io/home/generate/ but there are a lot of options in there that I'd need to look into.

Anyone here use a CSP?

ergophobe

Sorry, but no.

Interesting though. I am not a server admin, but still... I don't know about any of that stuff.

It appears I'm not alone. Most sites I checked get an F on that scanner.

Google gets an E

Even security-related sites fared poorly

OWASP - D

Norton - B (no CSP)

Kaspersky - D

Trend Micro - F

bill

I was actually surprised at how few sites had implemented a CSP. It looks easy enough to do for simple sites. Some of the rules could get complicated if your site is pulling in content from a lot of different sources.
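As an added illustration of the two points above (a simple-site policy is short, and the scanner-style grading mostly comes down to a few directives), here is a small Python audit and builder for a CSP header value. This is example code written for this thread, not the scanner or the policy builder bill links to; the hostnames and report endpoint are placeholders.

```python
"""Audit and build Content-Security-Policy values for a simple site.

Constructed example. The audit checks the points that matter most for
cross-site scripting: a default-src fallback, no 'unsafe-inline' or
'unsafe-eval' for scripts, no wildcard or plaintext script sources, and
object-src locked to 'none'. It is a subset of what a header grader looks at.
"""
from typing import Dict, Iterable, List, Optional


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split "directive src src; directive src" into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def csp_findings(header: str) -> List[str]:
    """Return a list of weaknesses; an empty list means the checks all passed."""
    policy = parse_csp(header)
    findings: List[str] = []
    if "default-src" not in policy:
        findings.append("no default-src: unlisted fetch directives are unrestricted")
    # script-src and object-src fall back to default-src when absent
    script = policy.get("script-src", policy.get("default-src", []))
    if "'unsafe-inline'" in script:
        findings.append("script-src allows 'unsafe-inline': injected inline script runs")
    if "'unsafe-eval'" in script:
        findings.append("script-src allows 'unsafe-eval'")
    if "*" in script or any(s.startswith("http:") for s in script):
        findings.append("script-src allows wildcard or plaintext http: sources")
    obj = policy.get("object-src", policy.get("default-src", []))
    if "'none'" not in obj:
        findings.append("object-src is not 'none': plugin content can execute")
    return findings


def build_csp(script_hosts: Iterable[str], style_hosts: Iterable[str] = (),
              img_hosts: Iterable[str] = (), report_uri: Optional[str] = None) -> str:
    """Assemble a strict policy for a site that pulls from a few known hosts."""
    directives = [
        "default-src 'self'",
        "script-src 'self' " + " ".join(script_hosts),
        "style-src 'self' " + " ".join(style_hosts),
        "img-src 'self' data: " + " ".join(img_hosts),
        "object-src 'none'",        # no Flash/plugin content
        "frame-ancestors 'none'",   # CSP equivalent of X-Frame-Options: DENY
        "base-uri 'self'",          # stop <base> injection from redirecting relative URLs
    ]
    if report_uri:
        directives.append("report-uri " + report_uri)  # violation reports (placeholder URL)
    return "; ".join(d.strip() for d in directives)
```

Run `csp_findings()` against the value your server actually sends (for example from `curl -sI` output) and against the output of `build_csp()` to compare; a policy that still needs `'unsafe-inline'` for scripts is the usual sign of the "many sources" complication bill mentions.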

ergophobe

I need to put this on my list.

Most of this (all the headers the scanner checks for) look reasonable enough on a simple site.

Rupert

https://www.hsbc.co.uk/1/2/ - F

Meanwhile, partially related:
http://www.telegraph.co.uk/finance/personalfinance/bank-accounts/12129786/HSBC-online-banking-fails-again-after-succumbing-to-cyber-attack.html

Quote: The website was hit by a denial of service attack, caused by a deliberate overload of traffic to the online system by cyber attackers.
... Make sure you live before you die.

bill

A CSP certainly wouldn't hamper a DoS or DDoS in any way. Those are an entirely different animal to deal with. The problem with a DoS is usually that the media picks up on it and unnecessarily freaks everyone out...but that's usually the purpose of such an attack.