Observatory by Mozilla - Grade your web security and how to upgrade it (Review 2021)
Making sure websites are secure is important. Certainly, nobody wants their website to suffer from a vulnerability or a breach by outsiders. But how do you tell whether your website is secure or not?
Fortunately, there are several online tools that can help you answer that question. In this article, we are covering Mozilla Observatory, the most detailed website security checker on the internet.
Getting Started
Observatory is a website security tool by Mozilla. It grades the risk level of any given site in an attempt to find its security weaknesses. By scanning websites with Observatory, developers, system administrators, and security professionals can configure their websites safely and securely. Indeed, it has scanned over 240,000 websites.
Give Observatory any URL to get started, and its HTTP/S scanning tool will assign a grade based on how vulnerable your website is. The grade uses a scoring system out of 100 points. The scan identifies security flaws such as a missing Content Security Policy, Subresource Integrity not being implemented, and many more.
You can test your website directly on the Mozilla Observatory homepage, as the tool is available online. Besides, it is a 100% free tool. Feel free to test your websites to find out about any weaknesses in their security.
What are the features of Observatory?
Observatory splits its security test results into four sections:
- HTTP Observatory
- TLS Observatory
- SSH Observatory
- Third-party Tests
What does Observatory do?
Observatory tests a website's security configuration so that problems can be fixed before they are exploited. It provides HTTP/S scans online on its homepage. Using it, you can avoid security holes such as cross-site scripting attacks, man-in-the-middle attacks, cross-domain information leakage, cookie compromise, content delivery network compromise, and improperly issued certificates, simply by typing your website address into Mozilla Observatory.
However, Observatory is not a complete package of security tests. That is because Observatory does not test for outdated software versions, SQL injection vulnerabilities, vulnerable content management system plugins, improper password creation policies or stored procedures, and more. Therefore, it integrates with other security test websites to provide you with a more complete picture.
After scanning your website, Observatory provides a detailed explanation of each result. Not only that, but by clicking on a result's header you also get detailed information explaining the issue and how to approach fixing it.
Third-party Integration
In addition to the HTTP/S scans, Observatory integrates with other well-known sites to provide TLS/SSL scanning, HTTP header analysis, and an HSTS preload list check.
- ssllabs.com – TLS/SSL scanner by Qualys
- htbridge.com – TLS/SSL scanner by High-Tech Bridge
- tls.imirhil.fr – TLS/SSL scanner by @aeris22
- securityheader.com – HTTP header analyzer by Scott Helme
- hstspreload.org – HSTS preload list by Nick Harper
Scoring System
All websites start with a baseline of 100 points. Each weakness found then deducts points until the final score of your website's security remains. In addition, the score is mapped to a letter grade from A+ to F.
As for the score range, the minimum score is always 0, regardless of how badly a site does, but there is no maximum score, because some tests award bonus points. The current highest score is 135 out of 100.
Find out more about the scoring system here.
For technical details, please see grade.py, and to see a list of the most recent “perfect” scoring websites, you can use the getRecentScans API.
How does Observatory check a website’s security score?
It runs several security tests against your website and derives a score from them, covering Content Security Policy, Cookies, Cross-Origin Resource Sharing, HTTP Public Key Pinning, Redirection, Referrer-Policy, Subresource Integrity, X-Content-Type-Options, X-Frame-Options, and X-XSS-Protection. Each section is scored and comes with details of the weaknesses found, including how to fix them.
HTTP Public Key Pinning
This test is targeted specifically at large or sensitive websites, and implementing HPKP is considered optional. It checks for an invalid header, such as one that doesn't contain a sufficient number of pins. Sites that do implement HPKP receive an increase in their security score.
Redirection
This test checks whether your web server makes its initial redirection from HTTP to HTTPS on the same hostname before doing any further redirections. This allows the HTTP Strict Transport Security (HSTS) header to be applied properly.
X-Frame Options
This test also takes the Content Security Policy into account: as long as your website's policy uses the frame-ancestors directive, you will pass the X-Frame-Options test.
X-XSS-Protection
This test looks in particular at whether the CSP policy blocks the execution of inline JavaScript. Sites with strong CSP policies that block inline JavaScript are therefore automatically opted out of the X-XSS-Protection test.
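To make the scoring model and the individual tests described above concrete, here is an added example of a small header checker written for this article. It is not Mozilla's grade.py and not Observatory's real logic; it only mirrors the rules the text describes (start at 100, deduct per finding, X-Frame-Options satisfied by CSP frame-ancestors, X-XSS-Protection skipped when CSP blocks inline script, initial redirect must go to HTTPS on the same host). The penalty values, the grade thresholds, and the two sample header sets are assumptions constructed for illustration.

```python
"""Illustrative header checker modelled on the Observatory tests described above.
Added example, not Mozilla's grade.py. Penalties, grade thresholds and the sample
responses below are assumptions for illustration, not Observatory's real values."""
from urllib.parse import urlsplit

BASELINE = 100  # every site starts at 100 points, as the article describes


def parse_csp(value):
    """Parse a Content-Security-Policy header into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def csp_blocks_inline_script(policy):
    """True if script-src (falling back to default-src) disallows inline JS."""
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return False
    return "'unsafe-inline'" not in sources


def redirect_ok(start_url, location):
    """The first redirect must go to HTTPS on the same host, so HSTS can apply."""
    a, b = urlsplit(start_url), urlsplit(location)
    return a.scheme == "http" and b.scheme == "https" and a.hostname == b.hostname


def evaluate(start_url, location, headers):
    """Return (score, findings) for one response; header names are case-insensitive."""
    h = {k.lower(): v for k, v in headers.items()}
    score, findings = BASELINE, []
    csp = parse_csp(h["content-security-policy"]) if "content-security-policy" in h else None

    # Content Security Policy: missing, or present but allowing inline script
    if csp is None:
        score -= 25
        findings.append("CSP header missing")
    elif not csp_blocks_inline_script(csp):
        score -= 20
        findings.append("CSP allows inline script ('unsafe-inline')")

    # Redirection: an HTTP start must redirect to HTTPS on the same host first
    if urlsplit(start_url).scheme == "http":
        if location is None or not redirect_ok(start_url, location):
            score -= 20
            findings.append("initial redirect is not to HTTPS on the same host")

    # HSTS
    if "strict-transport-security" not in h:
        score -= 20
        findings.append("Strict-Transport-Security missing")

    # X-Content-Type-Options
    if h.get("x-content-type-options", "").lower() != "nosniff":
        score -= 5
        findings.append("X-Content-Type-Options: nosniff missing")

    # X-Frame-Options: satisfied by the header or by a CSP frame-ancestors directive
    xfo = h.get("x-frame-options", "").upper()
    if xfo not in ("DENY", "SAMEORIGIN") and not (csp and "frame-ancestors" in csp):
        score -= 20
        findings.append("no X-Frame-Options and no CSP frame-ancestors")

    # X-XSS-Protection: sites whose CSP blocks inline JS are opted out of this test
    if not (csp and csp_blocks_inline_script(csp)):
        if h.get("x-xss-protection", "").split(";")[0].strip() != "1":
            score -= 10
            findings.append("X-XSS-Protection not set to 1")

    return max(score, 0), findings


def grade(score):
    """Map a score to a letter grade (thresholds are assumed, not Observatory's)."""
    for threshold, letter in ((100, "A+"), (90, "A"), (80, "B"), (70, "C"), (60, "D")):
        if score >= threshold:
            return letter
    return "F"


# Constructed sample responses for a hypothetical www.example.com (not captured from any real site).
WEAK_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-XSS-Protection": "0",
}
HARDENED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    cases = (("weak", "https://cdn.example.net/", WEAK_HEADERS),
             ("hardened", "https://www.example.com/", HARDENED_HEADERS))
    for name, location, hdrs in cases:
        score, findings = evaluate("http://www.example.com/", location, hdrs)
        print(f"{name}: {score} ({grade(score)})", *findings, sep="\n  ")
```

The weak sample loses points on every test and ends at 5 (F); the hardened sample keeps its full 100 (A+), and note that it never sets X-Frame-Options or X-XSS-Protection at all, because its CSP covers both cases in the way the article describes.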
Why should I use Observatory?
Easily check your website security
Testing website security is easy with Observatory. Just type your website's address into the search bar and press Enter. Observatory will give you detailed results about your security holes within a few minutes.
Gives you the details about vulnerabilities and their solutions
Observatory does not only test for security holes in your website: it also describes in detail each weakness it finds and provides you with the solutions to fix it.
100% free
What’s so good about Mozilla Observatory? Yes, you can run tests many times for free!
Integrated with other site tests
As Observatory mainly offers HTTP/S scanning, it integrates with other well-known website security tests to provide you with a variety of checks, including a TLS/SSL scanner, an HTTP header analyzer, and the HSTS preload list.
How to use Observatory?
Pros
- Free
- Safe to use
- Gives detailed results about vulnerabilities and their solutions
- Has integrations with other web security tests
Cons
- Interpreting the results can be a little difficult for the casual user
What is the alternative to Observatory?
There are several Mozilla Observatory alternatives that you can use to test website security, for instance Qualys, Immuniweb, CypherCraft, CryptoLyzer, and CSP Evaluator.
- Qualys SSL Server Test – free online service that performs a deep analysis of the configuration of any SSL web server.
- SSL/TLS Test by Immuniweb – free SSL/TLS website security test.
- CypherCraft – free cryptographic protocol parser and analyzer.
- CryptoLyzer – free and flexible analyzer library for server cryptographic (TLS/SSL) settings, for Python 2.7/3.4+, with a CLI.
- CSP Evaluator – free tool to review a website's Content Security Policy settings, suggesting improvements to its protection and pointing out possible bypasses of the policy.
Conclusion
Observatory by Mozilla is a free and fast website scanning service that you can use to highlight potential security problems in your web server. It is the most detailed website security check. You not only get the list of weaknesses found, but also the solutions for fixing them. Observatory runs several tests, including HTTP, TLS, and SSH, and has third-party integrations to provide more in-depth tests.