Sercurius.net - a handy vulnerability scanner

marcusquinn

https://sercurius.net

Although trying to get perfect scores can drive you bonkers, maybe useful for any quick wins.

A Former User

Useful site, Marcus!

some example results:-
https://marcusquinn.com/ = Security grade 85%
https://forum.cloudron.io/ = Security grade 83%
my Cloudron dashboard = Security grade 85%

marcusquinn

Thanks! My site's just a static page (Ulysses > GitLab Pages) for now until I get going with Ghost. I still like the idea of mirroring a static version to my personal GitLab & GitHub Page repos, since theoretically they can live longer than me, or my payment card at least

girish

Ah, nice link. Thanks @marcuswquinn .

For our Cloudron dashboard, we got out 79%

girish

Investigating:

• It seems the port scanner is very upset about email ports but hey Cloudron is our mail server.
• Complaints about nginx server version being shown. I have long resisted this but I bit the bullet and hid the nginx version from the next release - https://git.cloudron.io/cloudron/box/-/commit/b14b5f141bc6a45fde376fc465831424f5218904
• It complains about port 6000 being open, but it's our git.cloudron.io port. So false positive
• Complaint about X-Frame-Options is also false positive. That option is now obsolete, we use frame-ancestors none in CSP - https://git.cloudron.io/cloudron/box/-/blob/master/src/nginxconfig.ejs#L100
• Finally, there is some warning about https://developer.mozilla.org/en-US/docs/Web/HTTP/Feature_Policy which it seems is renamed to Permissions-Policy. Haven't heard of this one before.

marcusquinn

@girish I think all these % numbers are a bit misleading and opinionated - but as you rightly detail it's a case of looking at the appropriateness of each item and reasonability.

It's impossible to know or remember everything but still a nice too for a quick review to see if there's any easy wins, and I suppose the scoring mechanism could be handy marketing for some once a certain level is considered reasonably hardened.