The two most common website security vulnerabilities we see all the time

Steven Krohn, published in Krohn Media. 2 min read, Aug 9, 2021


Website Vulnerabilities

It is rare for us to see a website that has its security headers set and no vulnerable JavaScript libraries.

Since we started beta-testing our website auditor, we have reviewed enough sites to have a good handle on the common security vulnerabilities that plague the web. Two issues turn up in almost every new audit, even though both are easy to fix: missing or misconfigured HTTP security headers, and JavaScript libraries with known vulnerabilities.

Very rarely do site administrators configure their HTTP security headers properly, or at all. These headers are instructions the web server sends with each response, telling the visitor's browser what it may and may not do: which origins it may load scripts from, whether the page may be framed by another site, whether it must stay on HTTPS, and so on. Enforcing those restrictions makes connections tighter and narrows the attack surface.

Security headers are easy to configure and are low-hanging fruit for improving security posture. The Open Web Application Security Project (OWASP) publishes best-practice guidance that every website should adopt, including a recommended set of security response headers and the values to use for them.
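To make the previous two paragraphs concrete, here is an added example of the kind of check an auditor performs. It is not the author's auditor and not an OWASP tool; it is a small Python script that compares a response's headers against a baseline modelled on the OWASP HTTP Security Response Headers Cheat Sheet. The header names are real, but the thresholds (a one-year minimum HSTS max-age) and the lists of weak values are assumptions chosen for illustration, and the two header sets at the bottom are constructed rather than captured from a real site.

```python
"""Audit HTTP response security headers against a baseline.

Added example, not the author's auditor. Header names follow the OWASP
HTTP Security Response Headers Cheat Sheet; thresholds and weak-value
lists are illustrative assumptions. Sample header sets are constructed.
"""
from dataclasses import dataclass

ONE_YEAR = 31536000  # seconds; assumed minimum acceptable HSTS max-age


@dataclass(frozen=True)
class Finding:
    header: str
    kind: str     # "missing", "weak" or "disclosure"
    detail: str


def _normalize(headers):
    """Header names are case-insensitive, so fold them to lower case once."""
    return {k.lower(): v.strip() for k, v in headers.items()}


def _check_hsts(value):
    """Return a problem description for an HSTS value, or None if acceptable."""
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    max_age = None
    for d in directives:
        if d.startswith("max-age="):
            try:
                max_age = int(d.split("=", 1)[1])
            except ValueError:
                return "max-age is not an integer"
    if max_age is None:
        return "no max-age directive"
    if max_age < ONE_YEAR:
        return f"max-age {max_age} is below one year"
    if "includesubdomains" not in directives:
        return "includeSubDomains not set"
    return None


def _check_csp(value):
    """Return a problem description for a CSP value, or None if acceptable."""
    lowered = value.lower()
    if "default-src" not in lowered:
        return "no default-src fallback directive"
    for risky in ("'unsafe-inline'", "'unsafe-eval'"):
        if risky in lowered:
            return f"policy allows {risky}"
    return None


def audit_headers(raw_headers):
    """Return a list of Findings for one response's headers (empty = clean)."""
    h = _normalize(raw_headers)
    findings = []

    # Transport: HSTS pins the browser to HTTPS after the first visit.
    if "strict-transport-security" not in h:
        findings.append(Finding("Strict-Transport-Security", "missing",
                                "browser may be downgraded to plain HTTP"))
    elif (p := _check_hsts(h["strict-transport-security"])):
        findings.append(Finding("Strict-Transport-Security", "weak", p))

    # Content: CSP restricts where scripts, styles and frames may load from.
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append(Finding("Content-Security-Policy", "missing",
                                "no restriction on script sources"))
    elif (p := _check_csp(csp)):
        findings.append(Finding("Content-Security-Policy", "weak", p))

    # Clickjacking: CSP frame-ancestors supersedes X-Frame-Options, so only
    # flag the older header when the CSP does not already cover framing.
    if csp is None or "frame-ancestors" not in csp.lower():
        xfo = h.get("x-frame-options", "").upper()
        if not xfo:
            findings.append(Finding("X-Frame-Options", "missing",
                                    "page can be framed (clickjacking)"))
        elif xfo not in ("DENY", "SAMEORIGIN"):
            findings.append(Finding("X-Frame-Options", "weak",
                                    f"unsupported value {xfo!r}"))

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append(Finding("X-Content-Type-Options", "missing",
                                "MIME sniffing not disabled"))

    rp = h.get("referrer-policy", "").lower()
    if not rp:
        findings.append(Finding("Referrer-Policy", "missing",
                                "full URL may leak to third parties"))
    elif rp in ("unsafe-url", "no-referrer-when-downgrade"):
        findings.append(Finding("Referrer-Policy", "weak",
                                f"{rp} leaks the full URL cross-origin"))

    if "permissions-policy" not in h:
        findings.append(Finding("Permissions-Policy", "missing",
                                "browser features not restricted"))

    # Disclosure: framework and version strings help attackers pick exploits.
    if "x-powered-by" in h:
        findings.append(Finding("X-Powered-By", "disclosure",
                                f"framework revealed: {h['x-powered-by']}"))
    if any(ch.isdigit() for ch in h.get("server", "")):
        findings.append(Finding("Server", "disclosure",
                                f"version revealed: {h['server']}"))
    return findings


# Constructed example: what an unconfigured reverse-proxy deployment often sends.
DEFAULT_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "nginx/1.18.0",
    "X-Powered-By": "Express",
    "Strict-Transport-Security": "max-age=300",
}

# Constructed example: a hardened set in line with the OWASP cheat sheet.
HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; "
                               "object-src 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=(), camera=(), microphone=()",
}

if __name__ == "__main__":
    for label, hdrs in (("default", DEFAULT_HEADERS), ("hardened", HARDENED_HEADERS)):
        found = audit_headers(hdrs)
        print(f"{label}: {len(found)} finding(s)")
        for f in found:
            print(f"  [{f.kind}] {f.header}: {f.detail}")
```

Run against the constructed "default" set the script reports eight findings (one weak HSTS value, five missing headers and two disclosures); the hardened set reports none. The frame-ancestors check is the detail most simple checkers get wrong: a site with a strong CSP does not need X-Frame-Options, and flagging it anyway produces noise that trains administrators to ignore the report.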

Neglecting something as basic as security headers sends a message to both visitors and criminals. It tells visitors that the website cares little about their privacy and data protection, and it signals to criminals that other easy weaknesses are likely to be present as well.


Steven Krohn, Krohn Media. Brand Ambassador at Phoenix Initiative, Chief Advisor at RYI Unity.