Mozilla Launches Website Security Testing Tool

Mozilla has released a free tool that allows website developers and administrators to determine if they are using all available security technologies at their full potential.

The tool, named “Observatory,” was developed by Mozilla Information Security Engineer April King in an effort to help the organization test its own domains. Observatory has now been made available to everyone along with its source code.

Observatory performs nearly a dozen tests, including Content Security Policy (CSP), Contribute.json, cookies, cross-origin resource sharing (CORS), HTTP Public Key Pinning (HPKP), HTTP Strict Transport Security (HSTS), redirections, subresource integrity, and X-Content-Type-Options, X-Frame-Options and X-XSS-Protection headers.

“You may not have heard of many of them, and that’s because their documentation is spread across thousands of articles, hundreds of websites, and dozens of specifications,” King explained.

Once a scan completes, users receive a score for each test, showing how well that standard is implemented, along with recommendations for improvement. The application also computes an overall score and assigns the scanned website a grade.
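To make the per-test scoring concrete, here is a small header audit in the spirit of the checks listed above (HSTS, CSP, X-Content-Type-Options, X-Frame-Options, X-XSS-Protection and cookie flags). It is an added example, not Observatory's own code: the sample responses are constructed, and the pass/fail thresholds (such as the six-month HSTS max-age) are this example's assumptions rather than Observatory's grading rules.

```python
# Constructed sample responses (not real sites): a weak and a hardened header set.
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
    "Set-Cookie": "session=abc123; Path=/",
}
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'none'; script-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
    "Set-Cookie": "session=abc123; Path=/; Secure; HttpOnly",
}

def _csp_allows_inline_scripts(csp: str) -> bool:
    """True if script-src (or the default-src fallback) contains 'unsafe-inline'."""
    directives = {}
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return "'unsafe-inline'" in directives.get("script-src", directives.get("default-src", []))

def _cookie_attributes(set_cookie: str) -> set:
    """Lower-cased attribute names of one Set-Cookie value (the name=value pair excluded)."""
    return {a.strip().split("=", 1)[0].lower() for a in set_cookie.split(";")[1:]}

def audit_headers(headers: dict) -> dict:
    """Map each check to True/False for a header dict; header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    max_age = 0  # HSTS max-age; the six-month minimum below is this example's assumed threshold
    for part in h.get("strict-transport-security", "").split(";"):
        name, _, value = part.strip().partition("=")
        if name.strip().lower() == "max-age" and value.strip().isdigit():
            max_age = int(value)
    csp = h.get("content-security-policy", "")
    cookies = h.get("set-cookie", [])  # a single string or a list of Set-Cookie values
    cookies = [cookies] if isinstance(cookies, str) else cookies
    return {
        "hsts": max_age >= 15552000,
        "csp": bool(csp) and not _csp_allows_inline_scripts(csp),
        "x-content-type-options": h.get("x-content-type-options", "").strip().lower() == "nosniff",
        "x-frame-options": h.get("x-frame-options", "").strip().upper() in ("DENY", "SAMEORIGIN"),
        "x-xss-protection": h.get("x-xss-protection", "").replace(" ", "").lower().startswith("1;mode=block"),
        "cookies": all({"secure", "httponly"} <= _cookie_attributes(c) for c in cookies),  # no cookies passes
    }
```

Every key that maps to False is a recommendation to act on; the weak sample passes only the X-Content-Type-Options check, while the hardened one passes all six.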

Mozilla has used Observatory to scan more than 1.3 million websites on the Web and found that over 90 percent of them don’t take advantage of all the available security technologies. For instance, only 30 percent of websites use HTTPS and less than 7 percent rely on the other security measures tested by the tool.

“Observatory is currently a very developer-focused tool, and its grading is set very aggressively to promote best practices in web security. So if your site fails Observatory’s tests, don’t panic — just take a look at its recommendations and consider implementing them to make your site more secure,” King said.

The Mozilla security engineer also pointed out that Observatory's results might not be accurate for every site, since the security needs of a complex website differ from those of a simple one, such as a personal blog.

Similar to other Internet giants, Mozilla has been pushing for a wider adoption of HTTPS. At the beginning of the year, the company informed developers that Firefox Developer Edition would display a warning icon when a website requested passwords over HTTP.

Related: 95% of HTTPS Servers Vulnerable to Trivial Connection Hijacking

Related: Apple Wants All iOS Apps to Use HTTPS by 2017

Related: Pushes Free HTTPS to All Hosted Sites

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
