GetSimple vs. Mozilla Observatory
#1
GetSimple sites seem to fail the new Mozilla Observatory tests rather dramatically:

https://observatory.mozilla.org/

I'm still on 3.3.10 but I doubt 3.3.11 changes much given its changelog vs. the Observatory results. Thoughts?
#2
(2016-09-01, 02:10:56) sremick Wrote: Thoughts?

Yes, it's a very buggy test. For my site, it says – correctly – that HSTS is not implemented (I have .htaccess rules that redirect http requests to https) and then says that the site doesn't support https. I score an 'F'.

The fact that it gets fundamental stuff wrong makes me doubt its advice. Typical web junk written by new graduates, if I had to guess. google.com, the headquarters of the self-appointed web security police, only scores a 'D'.

Meanwhile, admittedly for a different suite of tests, ssllabs.com gives me an 'A'.
--
Nick.
#3
I have no idea what this even means
NEW: SA Admin Toolbar Plugin | View All My Plugins
- Shawn A aka Tablatronix
#4
If you want to discuss or recommend default CSPs:

https://github.com/GetSimpleCMS/GetSimpleCMS/issues/610

But I think this is something the end user needs to do. As far as enhancing security for the backend, we are a little more flexible, but we will still have problems with plugins needing to register their own exclusions, since they might use CDNs and XSS policies.
- Shawn A aka Tablatronix



