Sercurius.net - a handy vulnerability scanner
-
Although trying to get perfect scores can drive you bonkers, maybe useful for any quick wins.
-
Useful site, Marcus!
some example results:-
https://marcusquinn.com/ = Security grade 85%
https://forum.cloudron.io/ = Security grade 83%
my Cloudron dashboard = Security grade 85% -
Thanks!
My site's just a static page (Ulysses > GitLab Pages) for now until I get going with Ghost. I still like the idea of mirroring a static version to my personal GitLab & GitHub Page repos, since theoretically they can live longer than me, or my payment card at least 
-
Investigating:
- It seems the port scanner is very upset about email ports but hey Cloudron is our mail server.
- Complaints about nginx server version being shown. I have long resisted this but I bit the bullet and hid the nginx version from the next release - https://git.cloudron.io/cloudron/box/-/commit/b14b5f141bc6a45fde376fc465831424f5218904
- It complains about port 6000 being open, but it's our git.cloudron.io port. So false positive
- Complaint about X-Frame-Options is also false positive. That option is now obsolete, we use
frame-ancestors nonein CSP - https://git.cloudron.io/cloudron/box/-/blob/master/src/nginxconfig.ejs#L100 - Finally, there is some warning about https://developer.mozilla.org/en-US/docs/Web/HTTP/Feature_Policy which it seems is renamed to Permissions-Policy. Haven't heard of this one before.
-
@girish I think all these % numbers are a bit misleading and opinionated - but as you rightly detail it's a case of looking at the appropriateness of each item and reasonability.
It's impossible to know or remember everything but still a nice too for a quick review to see if there's any easy wins, and I suppose the scoring mechanism could be handy marketing for some once a certain level is considered reasonably hardened.
