Anna.info website technical test: Difference between revisions

Links

• https://www.ssllabs.com/ssltest/analyze.html?d=anna.info
  • A+ (Certificate 100, Protocal Support 100, Key Exchange 100, Cipher Strength 100)
  • This site works only in browsers with SNI support.
• https://tls.imirhil.fr/https/anna.info
  • A (Protocol 100, Key exchange 100, Cipher 100, Overall 100.0)
• https://securityheaders.io/?followRedirects=on&hide=on&q=anna.info
  • A
• Test by hstspreload.appspot.com https://hstspreload.org/?domain=anna.info
  • Status: anna.info is currently preloaded.
• https://observatory.mozilla.org/analyze.html?host=anna.info
  • A+; Score: 125/100, Tests Passed: 11/11
  • Note: One can get a score higher than 100, e.g.
    • +5 Content Security Policy - if no unsafe-inline is present, anna.info having "Content Security Policy (CSP) implemented with 'unsafe-inline' inside style-src" gets 0 for "Content Security Policy"
    • +5 HTTP Strict Transport Security - if preload is present
• https://www.google.com/webmasters/tools/mobile-friendly/?url=https%3A%2F%2Fanna.info%2F
  • Awesome! This page is mobile-friendly.
• https://developers.google.com/speed/pagespeed/insights/?url=https%3A%2F%2Fanna.info%2F
  • mobile 100 / 100 Speed, 100 / 100 User Experience; desktop 100 / 100 Suggestions Summary

Issues

Content-Security-Policy	default-src 'self'; style-src 'self' 'unsafe-inline'

The "style-src 'unsafe-inline'" prevents getting +5 points. Inline CSS is used

• for getting 100/100 on Goolge speed test, which does not seem to be possible with external CSS
• to to CSS marking in MediaWiki, e.g. cells in tables

Other

• https://www.heise.de/forum/heise-online/News-Kommentare/heise-online-HTTPS-auch-fuer-Mobilgeraete/X-XSS-Protection-X-Content-Type-Options-Content-Security-Policy-nicht-vergessen/posting-29747747/show/