Sercurius.net - a handy vulnerability scanner
Thanks! My site's just a static page (Ulysses > GitLab Pages) for now until I get going with Ghost. I still like the idea of mirroring a static version to my personal GitLab & GitHub Page repos, since theoretically they can live longer than me, or my payment card at least
- It seems the port scanner is very upset about email ports but hey Cloudron is our mail server.
- Complaints about nginx server version being shown. I have long resisted this but I bit the bullet and hid the nginx version from the next release - https://git.cloudron.io/cloudron/box/-/commit/b14b5f141bc6a45fde376fc465831424f5218904
- It complains about port 6000 being open, but it's our git.cloudron.io port. So false positive
- Complaint about X-Frame-Options is also false positive. That option is now obsolete, we use
frame-ancestors nonein CSP - https://git.cloudron.io/cloudron/box/-/blob/master/src/nginxconfig.ejs#L100
- Finally, there is some warning about https://developer.mozilla.org/en-US/docs/Web/HTTP/Feature_Policy which it seems is renamed to Permissions-Policy. Haven't heard of this one before.
@girish I think all these % numbers are a bit misleading and opinionated - but as you rightly detail it's a case of looking at the appropriateness of each item and reasonability.
It's impossible to know or remember everything but still a nice too for a quick review to see if there's any easy wins, and I suppose the scoring mechanism could be handy marketing for some once a certain level is considered reasonably hardened.