[Libwebsockets] Mozilla security observatory and lws

Andy Green andy at warmcat.com
Sat Aug 27 12:30:50 CEST 2016


Hi -

Mozilla have come out with a nice tool to check your web server against
current security best practices.

https://observatory.mozilla.org

I just added a patch on master that lets you define arbitary per-vhost
headers to be served along with the files, and the corresponding
support in lwsws conf.

With that patch and the following in the related vhost definitions

                   "headers": [{
                        "Content-Security-Policy": "script-src 'self'",
                        "X-Content-Type-Options": "nosniff",
                        "X-XSS-Protection": "1; mode=block",
                        "X-Frame-Options": "SAMEORIGIN"
                 }]

lws powering lwsws that servers libwebsockets.org gets A+ from the
observatory itself, A[1] from securityheaders.io and A+
from tls.imirhil.fr

https://observatory.mozilla.org/analyze.html?host=libwebsockets.org

Note these features are not directly about server security they're
about best practices in interoperating with clients safely and
robustly.

-Andy

[1] It misses A+ because I don't want to pin my cert at this time.
 Likewise hstspreload.appspot.com doesn't give a result because I don't
want to register my cert for preload with Google.




More information about the Libwebsockets mailing list