Observatory by Mozilla is a project designed to help developers, system administrators, and security professionals configure their sites safely and securely.
The full report url has suggestions to repair each of these issues.
$ npm install -g observatory-cli
-
Scan a site for
httpsbest practices.# json! $ observatory some.site.name # include 'zero' scores, display as a tabular report $ observatory some.site.name --zero --format=report # attempt to force a re-scan $ observatory some.site.name --rescan -
Test a site as part of a Continuous Integration pipeline.
Script will FAIL unless the grade is AT LEAST
B+$ observatory some.site.name --min-grade B+...and the score is at least 50.
$ observatory some.site.name --min-grade B+ --min-score 50 -
Show the URL for the web report.
$ observatory some.site.name --format=url -
nagios monitoring plugin mode.
For
--nagios <failcode>,failcodewill be the exit code if the test fails.--min-score,--min-grade,--zero,--skipaftect the test.$ observatory --nagios 2 --min-score 85 -z --skip cookies CRITICAL ["content-security-policy",...,"x-xss-protection"]If neither
--min-scorenor--min-gradeis specified, any negative scores fail the test.# '2' means 'critical.' Exits '2' $ observatory ssllabs.com --nagios 2 CRITICAL ["redirection"]We can
--skipthe failing rule, and affect the score.$ observatory ssllabs.com --nagios 2 --skip redirection observatory [INFO] modfiying score, because of --skip. was: 100, now: 105 OKQuiet output with
-q.$ observatory ssllabs.com --nagios 2 --skip redirection -q OK
$ observatory --help
Usage: index [options] <site>
cli for interacting with Mozilla HTTP Observatory
https://observatory.mozilla.org/
Options:
-h, --help output usage information
-V, --version output the version number
--format [format] format for output. choice: (json|report|csv|url). `json` is default
--min-grade <grade> testing: this grade or better, or exit(1)
--min-score <score> testing: this score or better, or exit(1)
--nagios [failcode] nagios mode, exits with [failcode] on failure
--rescan initiate a rescan instead of showing recent scan results
-z, --zero show test results that don't affect the final score
--attempts <n> number of attempts to try before failing
--api-version [version] api version: defaults to 1
--skip <rule> skip rules by name. works with min-score only
--tls do tls checks instead
-q, --quiet turns off all logging
Formats help:
- json json of the report
- report plain-text tabular format
- csv alias for report
- url url for online version
Nagios Mode (--nagios)
- if `--min-score` and/or `--min-grade`, use those.
- else *any* failing rules fail the check.
- exits with integer `failcode`.
Report, with options:
-zto show '0' rules (all rules)--skipto skip a rule (affecting SCORE, but not GRADE)
$ observatory some.site --format=report -z --skip redirection
observatory [INFO] modfiying score, because of --skip. was: 60, now: 65
HTTP Observatory Report: some.site
Score Description
-20 content-security-policy Content Security Policy (CSP) implemented, but allows 'unsafe-inline' inside script-src
-10 x-xss-protection X-XSS-Protection header not implemented
-5 x-content-type-options X-Content-Type-Options header not implemented
0 contribute Contribute.json implemented with the required contact information
0 cookies No cookies detected
0 cross-origin-resource-sharing Content is not visible via cross-origin resource sharing (CORS) files or headers
0 public-key-pinning HTTP Public Key Pinning (HPKP) header not implemented
0 strict-transport-security HTTP Strict Transport Security (HSTS) header set to a minimum of six months (15768000)
0 subresource-integrity Subresource Integrity (SRI) not implemented, but all scripts are loaded from a similar origin
0 x-frame-options X-Frame-Options (XFO) header set to SAMEORIGIN or DENY
Score: 65 (modified due to --skip)
Grade: C+
Full Report Url: https://observatory.mozilla.org/analyze.html?host=some.site
- HTTP Observatory by April King
- Python observatory-cli by April King