[Libwebsockets] Mozilla security observatory and lws
andy at warmcat.com
Sat Aug 27 12:30:50 CEST 2016
Mozilla have come out with a nice tool to check your web server against
current security best practices.
I just added a patch on master that lets you define arbitrary per-vhost
headers to be served along with the files, and the corresponding
support in lwsws conf.
With that patch and the following in the related vhost definitions
"Content-Security-Policy": "script-src 'self'",
"X-XSS-Protection": "1; mode=block",
lws powering lwsws that serves libwebsockets.org gets A+ from the
observatory itself, A from securityheaders.io and A+
Note these features are not directly about server security; they're
about best practices in interoperating with clients safely and
 It misses A+ because I don't want to pin my cert at this time.
Likewise hstspreload.appspot.com doesn't give a result because I don't
want to register my cert for preload with Google.
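
Added example, not part of the original post and not libwebsockets code: a small Python check that a response carries the two headers quoted above with the values given. The function names and the sample responses are constructed for illustration.

```python
# Added example; GOOD and BAD are constructed samples, not captured from libwebsockets.org.

def parse_headers(raw):
    """Parse a raw HTTP/1.x header block into {lowercased-name: [values]}."""
    headers = {}
    for line in raw.split("\r\n")[1:]:        # skip the status line
        if not line:
            break                              # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def parse_csp(policy):
    """Split a CSP string into {directive: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            # per CSP, a repeated directive is ignored; the first one wins
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives

def audit(raw):
    """Return a list of findings; an empty list means both headers match the post."""
    h = parse_headers(raw)
    findings = []
    csp_values = h.get("content-security-policy", [])
    if not csp_values:
        findings.append("missing Content-Security-Policy")
    for policy in csp_values:
        d = parse_csp(policy)
        # script-src falls back to default-src when absent
        sources = d.get("script-src", d.get("default-src"))
        if sources is None:
            findings.append("CSP does not restrict scripts")
        elif [s for s in sources if s.lower() not in ("'self'", "'none'")]:
            findings.append("script-src allows more than 'self': " + " ".join(sources))
    xxp = [v.replace(" ", "").lower() for v in h.get("x-xss-protection", [])]
    if xxp != ["1;mode=block"]:
        findings.append("X-XSS-Protection is not '1; mode=block'")
    return findings

GOOD = ("HTTP/1.1 200 OK\r\n"
        "content-security-policy: script-src 'self'\r\n"
        "X-XSS-Protection: 1; mode=block\r\n\r\n")
BAD = ("HTTP/1.1 200 OK\r\n"
       "Content-Security-Policy: script-src 'self' 'unsafe-inline'\r\n\r\n")

if __name__ == "__main__":
    print(audit(GOOD), audit(BAD))
```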