Audisto Security Checker

How to detect security related issues on your website

The security hints offer insights into a site's security issues. Keeping an eye on them may prevent problems with privacy and with how the site is presented in browsers. Solving security related issues can help to build trust and lead to higher user interaction.

With this hints section you can identify security issues.

Example: Audisto Security Check with the security hint reports for the current crawl

Here is the list of all specific hints related to website security that can be identified with the help of the Audisto Crawler.

Hints

<a> link contains user and password

Description

An anchor's href contains a user name and password, like http://user:password@example.com. This may not be wanted, and it is also not supported by Internet Explorer as of version 10.

Example
http://user:password@example.com
Importance

This hint points out a serious security issue. Login data should usually not be linked to directly on a website. The login data may be crawled with malicious intent and abused later on.

Operating Instruction

If instances of this hint are discovered, we suggest removing all links that contain login data from your website.

<a> link uses data: protocol

Description

An anchor's href uses the data: protocol. This report detects all documents on the crawled website that contain links using the data: protocol.

Example
<a href="data:image/png;base64,(...base64-encoded png data...)"></a>
Importance

The data: protocol can be used to provide inline data elements, e.g. images, fonts, JavaScript files and other files, without requiring an additional request. It is not fully supported by Internet Explorer. This might cause issues with accessibility and user experience.

Operating Instruction

Evaluate all cases in which a link uses the data: protocol on the crawled website and decide whether it has to be replaced or not.

<a> link uses file: protocol

Description

An anchor's href uses the file: protocol, which is used to open files on the user's computer.

Example
<a href="file://C:/programs/filename.html">link</a>
Importance

The file: protocol is used to reference local files. If used on a public website, it might lead to unexpected issues with user experience.

Operating Instruction

We suggest removing all references with the file: protocol on your website.

<form> POST to HTTPS from HTTP

Description

The form posts to an HTTPS URL but resides on an HTTP URL. Use this report to identify all URLs within the website that contain forms submitting data from an HTTP resource to an HTTPS resource using the POST method.

Examples

What happens?

http://example.com/form.html posts to https://example.com/form_submit.php

Example form markup

<form action="https://example.com/form_submit.php" method="POST">
...
</form>
Importance

If a form action is defined to use the HTTPS protocol, this indicates that the entered data should be transferred over a secured channel. However, while the data itself would be sent encrypted, this is still a security issue: if the form is served from a URL that is not secured with SSL, the form itself might be compromised by a man-in-the-middle attack before the data gets posted.

Operating Instruction

You should deliver all forms encrypted, i.e. use HTTPS.

<form> Unsafe GET to HTTP from HTTPS

Description

The form submits itself to an HTTP URL but resides on an HTTPS URL, and it uses the GET method. Use this report to identify all URLs on the crawled website that contain forms using the GET method to submit from HTTPS to HTTP.

Example

Form included in https://example.com/

<form action="http://example.com/form-submit.php" method="GET">
...
</form>
Importance

In this situation, the data is transferred over an unsecured connection to the form action URL, and the response will also be sent unsecured. Because the GET method is used, the form input data becomes part of the URL and is openly visible to anyone able to access that URL. Moreover, GET responses are cacheable, which allows the data to be cached on third-party systems. This can be a severe security issue.

Operating Instruction

If you want to transfer your form input data safely, consider delivering the form's target URL over HTTPS as well and switching from the GET method to the POST method.

<form> Unsafe POST to HTTP from HTTPS

Description

The form submits itself to an HTTP URL but resides on an HTTPS URL, and it uses the POST method. Use this report to identify all URLs on the crawled website that contain forms using the POST method to submit from HTTPS to HTTP.

Example

Form included in https://example.com/

<form action="http://example.com/form-submit.php" method="POST">
...
</form>
Importance

In this situation, the data is transferred over an unsecured connection to the form action URL, and the response will also be sent unsecured. This can be a severe security issue.

Operating Instruction

If you want to transfer your form input data safely, consider delivering the form's target URL over HTTPS, too.
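The three form hints above all reduce to comparing the scheme of the document that serves the form with the scheme of the resolved form action, combined with the submit method. The following Python function is an added example written for this page, not Audisto's own code: it resolves relative and empty action attributes against the page URL (an empty action submits to the page itself, and an invalid or missing method falls back to GET as in the HTML specification), then returns the matching hint name. The hint names are the page's; the function name and the sample cases are constructed.

```python
from urllib.parse import urljoin, urlsplit

# Hint names as used in the report (taken from the page text)
POST_HTTPS_FROM_HTTP = "<form> POST to HTTPS from HTTP"
UNSAFE_GET_TO_HTTP = "<form> Unsafe GET to HTTP from HTTPS"
UNSAFE_POST_TO_HTTP = "<form> Unsafe POST to HTTP from HTTPS"


def classify_form(page_url, action, method=None):
    """Return the hint name a form triggers, or None if it is fine.

    page_url: URL of the document that contains the form
    action:   the form's action attribute (absolute, relative, or empty)
    method:   the form's method attribute (None when absent)
    """
    # A missing or empty action submits to the document itself; a
    # relative action inherits the page's scheme when resolved.
    target = urljoin(page_url, (action or "").strip())
    page_scheme = urlsplit(page_url).scheme.lower()
    target_scheme = urlsplit(target).scheme.lower()

    # HTML: missing or unrecognised method values behave as GET.
    # method="dialog" closes a <dialog> and never hits the network.
    method = (method or "GET").strip().upper()
    if method == "DIALOG":
        return None
    if method not in ("GET", "POST"):
        method = "GET"

    # Form served over plain HTTP but posting to HTTPS: the form
    # markup itself can be tampered with before submission.
    if page_scheme == "http" and target_scheme == "https" and method == "POST":
        return POST_HTTPS_FROM_HTTP

    # Form served over HTTPS but submitting to plain HTTP: the data
    # and the response travel unencrypted; with GET the data is also
    # part of the URL and cacheable.
    if page_scheme == "https" and target_scheme == "http":
        return UNSAFE_GET_TO_HTTP if method == "GET" else UNSAFE_POST_TO_HTTP

    return None


# Constructed sample forms, as (page URL, action, method)
SAMPLE_FORMS = [
    ("http://example.com/form.html", "https://example.com/form_submit.php", "POST"),
    ("https://example.com/", "http://example.com/form-submit.php", "GET"),
    ("https://example.com/", "http://example.com/form-submit.php", "post"),
    ("https://example.com/", "/form-submit.php", "POST"),  # relative, stays HTTPS
    ("https://example.com/", "http://example.com/search", None),  # defaults to GET
]

if __name__ == "__main__":
    for page_url, action, method in SAMPLE_FORMS:
        print(f"{page_url} -> {action!r} [{method}]: {classify_form(page_url, action, method)}")
```

A crawler would feed every `<form>` it encounters through this function; relative actions resolve against the page URL, so a form on an HTTPS page with `action="/submit"` is correctly left unflagged.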

Content-Security-Policy HTTP Header missing

Cookies set without secure flag

Safe HTTPS URL loads unsafe resource

Description

If an HTTPS URL contains an unsafe resource that is loaded over HTTP, it is flagged with this hint.

Example

Example code for https://www.example.com/

<script type="text/javascript" src="http://www.example.com/file.js"></script>
Importance

All files that get loaded while opening a document over HTTPS, e.g. images, fonts, stylesheets and JavaScript files, should be requested over the HTTPS protocol as well. If elements are loaded over an unsafe HTTP connection, they might be compromised by a man-in-the-middle attack while being loaded. This can compromise the security of the SSL-secured request.

If this happens, all modern browsers reflect the increased risk in the SSL symbol: instead of displaying a green SSL lock, they show a yellow, orange or red indicator to highlight the loading of unsafe resources.

Operating Instruction

In documents only available over HTTPS, you should only include files loaded via the HTTPS protocol.
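The anchor hints (credentials in the href, data: and file: links) and the mixed-content hint above can all be found by walking the start tags of a crawled document. The following Python scanner is an added example written for this page and is not Audisto's crawler code: it uses the standard library's HTMLParser, classifies every `<a href>` with urllib.parse, and flags sub-resources that an HTTPS page loads over plain HTTP. It goes slightly beyond the page's wording in that a link with only a user name (no password) is flagged as well, and protocol-relative (`//host/...`) and relative resource URLs are resolved against the page URL so they are not falsely reported. The set of resource-loading elements and the sample document are assumptions constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Hint names taken from the page
LINK_HAS_CREDENTIALS = "<a> link contains user and password"
LINK_USES_DATA = "<a> link uses data: protocol"
LINK_USES_FILE = "<a> link uses file: protocol"
MIXED_CONTENT = "Safe HTTPS URL loads unsafe resource"

# Elements and attributes that fetch a sub-resource during page load
# (a practical subset, an assumption for this example)
RESOURCE_ATTRS = {
    "script": ("src",), "img": ("src",), "iframe": ("src",),
    "source": ("src",), "audio": ("src",), "video": ("src", "poster"),
    "embed": ("src",), "object": ("data",), "link": ("href",),
}
# <link> only loads something for these rel values
LOADED_LINK_RELS = {"stylesheet", "icon", "shortcut", "preload", "modulepreload", "prefetch"}


def anchor_hints(href):
    """Return the list of hints triggered by one <a href> value."""
    parts = urlsplit(href.strip())
    hints = []
    # urlsplit exposes the userinfo part of the authority as username/password
    if parts.username is not None or parts.password is not None:
        hints.append(LINK_HAS_CREDENTIALS)
    scheme = parts.scheme.lower()
    if scheme == "data":
        hints.append(LINK_USES_DATA)
    elif scheme == "file":
        hints.append(LINK_USES_FILE)
    return hints


def is_unsafe_resource(page_url, resource_url):
    """True when an HTTPS document loads resource_url over plain HTTP."""
    if urlsplit(page_url).scheme.lower() != "https":
        return False  # the hint only applies to HTTPS documents
    # Relative and protocol-relative URLs inherit the page's https scheme
    target = urljoin(page_url, resource_url.strip())
    return urlsplit(target).scheme.lower() == "http"


class HintScanner(HTMLParser):
    """Collects (hint, element, url) findings from one document."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):  # also called for self-closing tags
        attrs = {name: value for name, value in attrs if value is not None}
        if tag == "a" and "href" in attrs:
            for hint in anchor_hints(attrs["href"]):
                self.findings.append((hint, tag, attrs["href"]))
        if tag == "link" and not (set(attrs.get("rel", "").lower().split()) & LOADED_LINK_RELS):
            return  # e.g. rel="canonical" does not fetch anything
        for attr in RESOURCE_ATTRS.get(tag, ()):
            url = attrs.get(attr)
            if url and is_unsafe_resource(self.page_url, url):
                self.findings.append((MIXED_CONTENT, tag, url))


def scan_document(page_url, html):
    """Run the scanner over an HTML document and return its findings in document order."""
    scanner = HintScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample document served from an HTTPS URL
SAMPLE_PAGE_URL = "https://www.example.com/"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/style.css">
<link rel="canonical" href="http://www.example.com/">
<script type="text/javascript" src="http://www.example.com/file.js"></script>
</head><body>
<a href="http://user:password@example.com">admin</a>
<a href="data:image/png;base64,iVBORw0KGgo="></a>
<a href="file://C:/programs/filename.html">link</a>
<a href="https://example.com/ok">fine</a>
<img src="//cdn.example.com/logo.png">
<img src="http://www.example.com/banner.png">
</body></html>"""

if __name__ == "__main__":
    for hint, element, url in scan_document(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"{hint}: <{element}> {url}")
```

The canonical `<link>` in the sample points at an http: URL but is not reported, because it is a hint for search engines rather than something the browser fetches; the protocol-relative CDN image resolves to https and is likewise left alone, while the script and the second image are reported as mixed content.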

Strict-Transport-Security HTTP Header has short duration

Strict-Transport-Security HTTP Header is invalid

Strict-Transport-Security HTTP Header missing

Strict-Transport-Security HTTP Header sent more than once