GetSimple Support Forum

Full Version: GetSimple vs. Mozilla Observatory
GetSimple sites seem to fail the new Mozilla Observatory tests rather dramatically:

https://observatory.mozilla.org/

I'm still on 3.3.10 but I doubt 3.3.11 changes much given its changelog vs. the Observatory results. Thoughts?
(2016-09-01, 02:10:56) sremick wrote: Thoughts?

Yes, it's a very buggy test. For my site, it says – correctly – that HSTS is not implemented (I have .htaccess rules that redirect http requests to https) and then says that the site doesn't support https. I score an 'F'.

The fact that it gets fundamental stuff wrong makes me doubt its advice. Typical web junk written by new graduates, if I had to guess. google.com, the headquarters of the self-appointed web security police, only scores a 'D'.

Meanwhile, admittedly for a different suite of tests, ssllabs.com gives me an 'A'.
I have no idea what this even means.
If you want to discuss or recommend default CSPs:

https://github.com/GetSimpleCMS/GetSimpleCMS/issues/610

But I think this is something the end user needs to do. As far as enhancing security for the backend, we are a little more flexible but still will have problems with plugins needing to register their own exclusions since they might use CDNs and XSS policies.
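
The plugin-exclusion problem raised in the last post, as an added example that is not GetSimple's code or part of the thread: a strict base CSP that plugins can extend only with bare https origins on an allow-listed set of directives. All function names, the registration format and the example.com/example.net hosts are assumptions made for illustration.

```php
<?php
// Added example: helper names are hypothetical, not GetSimple's API.
const EXTENDABLE = ['script-src', 'style-src', 'img-src', 'font-src', 'connect-src'];

// Accept only a bare https origin: no paths, wildcards or keywords such as 'unsafe-inline'.
function is_valid_source(string $source): bool
{
    return preg_match('#^https://[a-z0-9]([a-z0-9.-]*[a-z0-9])?(:\d{1,5})?\z#i', $source) === 1;
}

// Merge plugin registrations, each [plugin, directive, source], into the base policy.
// Returns [merged policy, list of rejected registrations].
function merge_csp(array $base, array $registrations): array
{
    $rejected = [];
    foreach ($registrations as [$plugin, $directive, $source]) {
        if (!in_array($directive, EXTENDABLE, true) || !is_valid_source($source)) {
            $rejected[] = "{$plugin}: {$directive} {$source}";
            continue;
        }
        // A directive missing from the policy falls back to default-src, so start from that list.
        $current = $base[$directive] ?? $base['default-src'] ?? ["'none'"];
        $current = array_values(array_diff($current, ["'none'"])); // 'none' must stand alone
        if (!in_array($source, $current, true)) {
            $current[] = $source;
        }
        $base[$directive] = $current;
    }
    return [$base, $rejected];
}

function render_csp(array $policy): string
{
    $parts = [];
    foreach ($policy as $directive => $sources) {
        $parts[] = $directive . ' ' . implode(' ', $sources);
    }
    return implode('; ', $parts);
}

$base = ['default-src' => ["'self'"], 'object-src' => ["'none'"]];
$registrations = [ // constructed sample registrations
    ['gallery', 'script-src', 'https://cdn.example.com'],
    ['gallery', 'img-src', 'https://images.example.net'],
    ['legacy', 'script-src', "'unsafe-inline'"],          // rejected: keyword, not an origin
    ['legacy', 'object-src', 'https://cdn.example.com'],  // rejected: directive not extendable
];
[$policy, $rejected] = merge_csp($base, $registrations);
echo 'Content-Security-Policy: ' . render_csp($policy), PHP_EOL;
echo 'Rejected: ' . implode(' | ', $rejected), PHP_EOL;
```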