[Owasp-board] Fwd: OWASP General Question from Community

Jim Manico jim.manico at owasp.org
Sat Sep 14 11:46:01 UTC 2013


Wonderful news about our HTTP headers at OWASP.org!

--
Jim Manico
@Manicode
(808) 652-3805

Begin forwarded message:

*From:* Caleb Queern <cqueern at gmail.com>
*Date:* September 13, 2013, 11:28:15 PM EDT
*To:* Matt Tesauro <matt.tesauro at owasp.org>, Jim Manico <jim.manico at owasp.org>
*Subject:* *Re: OWASP General Question from Community*

This is great! Thank you!

Not sure if you guys have ever been to a little project I put together
called securityheaders.com. Essentially I collect headers from Alexa Top
~100k sites and see which of the security-focused HTTP headers are present.
When I get to the end of the list I iterate over it again to see what
changes might've taken place since the last time I visited. I'd like the
site to help spread awareness of these headers. If I had more time I'd add
some more "pow!" to the site but it's a good start.

Here's owasp.org's score after the updates tonight:

https://securityheaders.com/2013/09/13/owasporg.php

For some context, having 6 "happy findings" as owasp.org now does puts the
site in the 99th percentile of those I've scanned.

Here is a breakdown of the tally of ~175k different fetches that've been
made with a histogram showing how poor most sites out there do:

https://securityheaders.com/stats.php

(I think you could add HTTP Strict Transport Security without problems and
be in very, very rarified company but you guys know the site better than I
do ;)

Thanks again for the update! It shows that OWASP walks the walk! :)

Caleb
571-228-8011

On Fri, Sep 13, 2013 at 8:01 PM, Matt Tesauro <matt.tesauro at owasp.org> wrote:

> Jim & Caleb,
>
> Done.
>
> Date: Fri, 13 Sep 2013 13:23:06 GMT
> Server: Apache
> X-Frame-Options: Deny
> X-XSS-Protection: 1; mode=block
> X-Content-Type-Options: nosniff
> Content-language: en
> ...
>
> --
> -- Matt Tesauro
> OWASP WTE Project Lead
> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
> http://AppSecLive.org - Community and Download site
> OWASP OpenStack Security Project Lead
> https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project
>
>
> On Thu, Sep 12, 2013 at 1:55 PM, Jim Manico <jim.manico at owasp.org> wrote:
>
>> Caleb,
>>
>> I'm CC'ing in our IT director Matt Tesauro. I am sure he can answer
>> better than I. :)
>>
>> Aloha
>> Jim
>>
>> > Hi Jim!
>> >
>> > How's it going? It's Caleb (@httpsecheaders on twitter), here to ask you
>> > about the headers on owasp.org again.
>> >
>> > Any chance owasp.org will offer x-frame-options or HSTS anytime soon? I
>> > checked today and it still looks like there's been no movement. :)
>> >
>> >
>> >
>> > On Fri, Nov 30, 2012 at 10:03 AM, Jim Manico <jim.manico at owasp.org>
>> wrote:
>> >
>> >> Yes it should, we are hiring an IT Director and MediaWiki developer
>> right
>> >> now...
>> >>
>> >> Good eye, thank you!
>> >>
>> >> --
>> >> Jim Manico
>> >> (808) 652-3805
>> >>
>> >> On Nov 30, 2012, at 8:37 AM, Samantha Groves <
>> samantha.groves at owasp.org>
>> >> wrote:
>> >>
>> >> Hello Jim,
>> >>
>> >> I was wondering if you could help me with a recent query that was sent
>> to
>> >> us from Mr. Caleb Queern, cced into this message.
>> >>
>> >> His query is below:
>> >>
>> >> ---------
>> >>
>> >> Hello OWASP, I am beginning to learn about web application security, so
>> >> please forgive me if I am wrong about this, but shouldn't the OWASP
>> >> website's HTTP headers contain a X-Frame-Options declaration? I see
>> that
>> >> nosniff is in there but I do not see an X-Frame-Options value.
>> >>
>> >> ---------
>> >>
>> >> Thank you for your help, Jim.
>> >>
>> >>
>> >> --
>> >>
>> >> *Samantha Groves, MBA*
>> >>
>> >> *OWASP Project Manager*
>> >>
>> >> The OWASP Foundation
>> >>
>> >> London, United Kingdom
>> >>
>> >> Email: samantha.groves at owasp.org
>> >>
>> >> Skype: samanthahz
>> >>
>> >>
>> >> Book a Meeting with Me <http://goo.gl/mZXdZ>
>> >>
>> >> OWASP Contact US Form <http://owasp4.owasp.org/contactus.html>
>> >>
>> >> New Project Application Form <https://docs.google.com/a/owasp.org/spreadsheet/viewform?formkey=dHZfWGhHZ0Z4UFFwZU42djBXcVVLSlE6MQ#gid=0>


-- 
Caleb
571-228-8011
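The thread turns on a simple check: fetch a site's response headers and count which of the security-focused ones (X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, HSTS) are present and sensibly set, as Caleb's securityheaders.com does and as Matt's quoted headers show for owasp.org. Below is an added example of that tally, written for this page and not taken from securityheaders.com or OWASP. The sample response is constructed from the headers Matt quoted; the per-header "happy finding" rules and the `fetch_raw_head` helper are this example's own assumptions, not the scoring securityheaders.com actually used.

```python
"""Tally security-focused HTTP response headers for a single site.

Added example, not code from securityheaders.com or OWASP. The sample
response is constructed from the headers quoted in the thread; the
acceptance rules below are this example's own assumptions.
"""
import urllib.request
from typing import Callable, Dict, List, Tuple

# Constructed sample: the headers Matt quoted, laid out as a raw response head.
SAMPLE_RESPONSE_HEAD = """HTTP/1.1 200 OK
Date: Fri, 13 Sep 2013 13:23:06 GMT
Server: Apache
X-Frame-Options: Deny
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Content-language: en
"""


def parse_headers(raw: str) -> Dict[str, str]:
    """Parse 'Name: value' lines into a dict keyed by lower-cased header name.

    The status line and lines without a colon are skipped; if a header is
    repeated, the last value wins (good enough for a presence check).
    """
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


# Acceptance rules (assumptions of this example): a header only counts as a
# "happy finding" when its value is one that browsers will actually honour.
def _xfo_ok(value: str) -> bool:
    return value.strip().upper() in ("DENY", "SAMEORIGIN")


def _nosniff_ok(value: str) -> bool:
    return value.strip().lower() == "nosniff"


def _xss_ok(value: str) -> bool:
    return value.replace(" ", "").lower().startswith("1;mode=block")


def _hsts_ok(value: str) -> bool:
    # HSTS is only meaningful with a positive max-age directive.
    for directive in value.split(";"):
        key, _, num = directive.strip().partition("=")
        if key.strip().lower() == "max-age" and num.strip().isdigit():
            return int(num) > 0
    return False


CHECKS: List[Tuple[str, Callable[[str], bool]]] = [
    ("x-frame-options", _xfo_ok),
    ("x-xss-protection", _xss_ok),
    ("x-content-type-options", _nosniff_ok),
    ("strict-transport-security", _hsts_ok),
]


def score(headers: Dict[str, str]) -> Tuple[int, List[str], List[str]]:
    """Return (happy_count, happy_headers, missing_or_weak_headers)."""
    happy: List[str] = []
    missing: List[str] = []
    for name, ok in CHECKS:
        value = headers.get(name)
        (happy if value is not None and ok(value) else missing).append(name)
    return len(happy), happy, missing


def fetch_raw_head(url: str, timeout: float = 10.0) -> str:
    """Fetch a live response head with a HEAD request (network; not used by the
    offline sample). Returns it in the same 'Name: value' text form."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return "".join(f"{k}: {v}\n" for k, v in resp.getheaders())


if __name__ == "__main__":
    count, present, absent = score(parse_headers(SAMPLE_RESPONSE_HEAD))
    print(f"{count} happy findings: {present}")
    print(f"missing or weak: {absent}")
```

Run against the constructed sample it reports three happy findings and flags `strict-transport-security` as missing, which matches Caleb's remark that HSTS was the obvious next header to add. The rules deliberately reject weak values (`X-Frame-Options: ALLOWALL`, `max-age=0`) rather than counting mere presence. One caveat a reader of this 2013 thread should know: browsers have since dropped support for `X-XSS-Protection`, so a modern version of this check would replace that rule with a Content-Security-Policy check.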