This page was loaded over HTTP.
| Field | Value |
|---|---|
| Organisation | Google Inc |
| Domains | www.google.co.uk, google.co.uk, cdn.google.co.uk |
| Certificate Authority | Google Internet Authority G2 |
| Valid from | |
| Valid to | |
| TLS | 1.0, 1.1, 1.2 |
| SSL | 2, 3 |
| Key | RSA 2048 bits |
| Revocation information | Good CRL, OCSP |
| Forward Secrecy | Good With modern browsers |
| Next Protocol Negotiation (NPN) | Good Yes (spdy/3.1 spdy/3 http/1.1) |
| Session resumption (caching) | Notice No (IDs assigned but not accepted) |
| Session resumption (tickets) | Good Yes |
| OCSP stapling | Good Yes. This reduces the time it takes to load your web page. |
Certificate packet size: 10,047 bytes.

| # | Status | Source | Certificate | Fingerprint | Key / Signature | Notes |
|---|---|---|---|---|---|---|
| 1 | Good | Sent by server | www.google.co.uk | 611ea0807d5dd347435ec0b084304cdbea65df47 | RSA 2048 bits (e 65537) / SHA1withRSA | Notice WEAK SIGNATURE |
| 2 | Good | Sent by server | Google Internet Authority G2 | bbdce13e9d537a5229915cb123c7aab0a855e798 | RSA 2048 bits (e 65537) / SHA1withRSA | Notice WEAK SIGNATURE |
| 3 | Notice | Extra download (already in trust store) | GeoTrust Global CA | de28f4a4ffe5b92fa3c503d1a349a7f9962a8212 | RSA 2048 bits (e 65537) / SHA1withRSA | Notice Weak or insecure signature, but no impact on root certificate |

| # | Status | Source | Certificate | Fingerprint | Key / Signature | Notes |
|---|---|---|---|---|---|---|
| 1 | Good | Sent by server | www.google.co.uk | 611ea0807d5dd347435ec0b084304cdbea65df47 | RSA 2048 bits (e 65537) / SHA1withRSA | Notice WEAK SIGNATURE |
| 2 | Good | Sent by server | Google Internet Authority G2 | bbdce13e9d537a5229915cb123c7aab0a855e798 | RSA 2048 bits (e 65537) / SHA1withRSA | Notice WEAK SIGNATURE |
| 3 | Notice | Not provided (requires extra download) | GeoTrust Global CA | 7359755c6df9a0abc3060bce369564c8ec4542a3 | RSA 2048 bits (e 65537) / SHA1withRSA | Notice WEAK SIGNATURE |
| 3 | Good | In trust store | Equifax / Equifax Secure Certificate Authority | d23209ad23d314232174e40d7f9d62139786633a | RSA 1024 bits (e 65537) / SHA1withRSA | Notice WEAK KEY IN MOZILLA'S TRUST STORE. Notice Weak or insecure signature, but no impact on root certificate |
Instructs browsers to always use HTTPS connections.
Good HTTP website does a 301 redirect to HTTPS.
Notice HSTS header not sent (see below).
Notice Not included in this browser's preload list.
If you want everyone to connect over HTTPS, include the following header:
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload;
Identifies and blocks invalid certificates for this domain.
Notice HSTS header not sent.
Notice HPKP header not sent.
If you want to limit the valid certificates for your domain, follow the instructions below.
1) Create a backup key (to be used with a CSR later):
openssl genrsa -out "backup.key" 2048;
2) Store this key in a safe place (not on your server).
3) Extract the base-64 encoded SPKI fingerprint:
openssl rsa -in "backup.key" -outform der -pubout |
openssl dgst -sha256 -binary | base64
4) Include the following header (report-only mode):
Public-Key-Pins-Report-Only:
pin-sha256="OtJOVJ9HkPkdvrP3WBYf3CLY8dTaf/dmgsI9T4wT9Dw=";
pin-sha256="***Backup Fingerprint***";
max-age=2592000;
includeSubDomains;
report-uri="http://example.com/hpkp-report";
Note: This example pins your current and backup keys for 30 days. Alternatively, you could pin the root or intermediate certificates, which might allow you to issue a new leaf certificate without changing the pins, but that assumes your CA will continue to use the same root/intermediate certificate, even if it has a problem.
This page was loaded over HTTP, so the content can be changed!
| Directive | Source | Comment |
|---|---|---|
| default-src | 'none' | Good Nice one! This is a good default! |
| style-src | 'self' | Good Can you specify a path? |
| | 'unsafe-inline' | Error Can introduce security issues! |
| | https://*.googleapis.com | Good Can you specify a path, and remove the wildcard? |
| font-src | 'self' | Good Can you specify a path? |
| | https://fonts.gstatic.com | Notice Not used on this page? |
| img-src | * | Notice Might be a bit permissive? |
| script-src | 'self' | Good Can you specify /a/js/ as a path? |
| | /a/js/jquery-1.11.2.js | |
| | /a/js/navigation.js | |
| | /a/js/main.js | |
| | https://www.google-analytics.com | Good Can you specify the full URL? |
| | https://www.google-analytics.com/analytics.js | |
| | https://*.googleapis.com | Notice Not used on this page. |
| | N/A | |
| | 'unsafe-inline' | Error Can introduce security issues! |
| | 'unsafe-eval' | Error Can introduce security issues! |
| frame-ancestors | 'self' | Notice This page isn't in a frame; could it be 'none'? |
| referrer | no-referrer | Good Nice one! This is a good default! |
| reflected-xss | block | Good Nice one! This is a good default! |
| Directive | Value | Description |
|---|---|---|
| base-uri | * | Limits the <base> href values, which are used for relative URLs. |
| child-src | 'none' | Limits nested browsing contexts (incorporating frame-src). |
| connect-src | 'none' | Restricts where connections can be made to (e.g. AJAX requests). |
| form-action | * | Restricts where your forms can send data to. |
| manifest-src | 'none' | Restricts which application manifests can be applied. |
| media-src | 'none' | Restricts the video, audio, and associated text that can be loaded. |
| object-src | 'none' | Restricts the plugins that can be loaded. |
| plugin-types | * | Restricts plugin types (based on MIME type); cannot be 'none'. |
| report-uri | | URL to send error reports to. |
| sandbox | | Applies restrictions based on the <iframe> sandbox attribute. |
ni:///sha-256;C6cv9UyIs9uJeqinPHxthvqh_E1uhG5Twh-Y5qFQmYg?ct=application/javascript
Good https://code.jquery.com/jquery-1.10.2.min.js
ni:///sha-256;asijfiqu4t12eqinPHWTHVqh_E1uhG5Twhakwoeji3W?ct=application/javascript
Good https://www.example.com/script.js
Good https://cdn.example.com/script.js (non-canonical)
ni:///sha-256;asijfiqu4t12eqinPHWTHVqh_E1uhG5Twhakwoeji3W?ct=application/javascript
Good http://www.example.com/script.js
Notice Not advisable, as HTTP requests can be edited en route (e.g. ISP optimisations).
Error Blocked, as HTTPS was used for the main connection (resources must also be encrypted).
Notice No integrity check included.
Good Does appear to be protected using a hidden field:
Notice Does not appear to include an appropriate hidden field:
Notice Does not include any hidden fields.
Detection is based on the assumption that a hidden field must be present whose value cannot be guessed by another website.
While it is technically possible to protect against CSRF with the Referer header, it is not recommended.
Good X-XSS-Protection: 1; mode=block
Good reflected-xss = block
This only instructs the browser to look for (and try to block) reflected XSS attacks.
Ideally your website would not have any XSS vulnerabilities anyway.
Notice X-Frame-Options: SAMEORIGIN
Notice frame-ancestors = 'self'
As the page isn't loaded in a frame, could it be DENY?
Good Restrictions: 'self' / SAMEORIGIN
Good Sandbox: allow-forms
Notice Restrictions: Not set, would ideally be "SAMEORIGIN"
Notice Sandbox: Not set, would ideally have some restrictions.
Notice Restrictions: Not set, would ideally be "ALLOW-FROM uri"
Notice Sandbox: Not set, would ideally have some restrictions.