Analysis of the Alexa Top 1M sites (April 2016)

One of unsung heroes out there when it comes to advancing the overall security of the Internet is Scott Helme. In addition to report-uri.io (a CSP/HPKP violation reporting service), he runs securityheaders.io, a site that helps show you if you're utilizing the many available options when it comes to securing your web site.

It was the latter that inspired the creation of the Mozilla HTTP Observatory, a public service that goes a bit deeper and tells you not just whether you are using these headers, but if you're using them correctly and securely.

Having recently gotten the HTTP Observatory to a usable state, I decided to scan the Alexa Top 1M sites to see how well that engineers and developers on the biggest sites on the Internet are doing. As Scott found out, the results are pretty dismal. I'll be doing more detailed posts on each of these sections as I find the time, but even the basic statistics are depressing.

Content Security Policy (CSP) .005%1 / .012%2
Cookies3 1.88%
Cross-origin Resource Sharing (CORS)4 93.78%
HTTPS 29.64%
HTTP → HTTPS Redirection 5.06%5 / 8.91%6
Public Key Pinning (HPKP) 0.43%
  — HPKP Preloaded7 .414%
Strict Transport Security (HSTS)8 1.75%
  — HSTS Preloaded7 .158%
Subresource Integrity (SRI) 0.015%9
X-Content-Type-Options (XCTO) 6.19%
X-Frame-Options (XFO)10 6.83%
X-XSS-Protection (XXSSP)11 5.03%

Because these tests are a lot more strict than on securityheaders.io, the overall grade distribution is much lower:

Grade HTTP Observatory securityheaders.io
A+ .003% .020%
A .006% .072%
B .202% 2.38%
C .321% .029%
D .999% 3.16%
E .870% 6.10%
F 97.60% 88.20%

And just who are the .003% that managed to land an A+ grade with a score of 100 or greater on the HTTP Observatory?

Notes:

  1. Allows 'unsafe-inline' in neither script-src nor style-src
  2. Allows 'unsafe-inline' in style-src only
  3. Amongst sites that set cookies
  4. Disallows foreign origins from reading the domain's contents within user's context
  5. Redirects from HTTP to HTTPS on the same domain, which allows HSTS to be set
  6. Redirects from HTTP to HTTPS, regardless of the final domain
  7. As listed in the Chromium preload list
  8. max-age set to at least six months
  9. Percentage is of sites that load scripts from a foreign origin
  10. CSP frame-ancestors directive is allowed in lieu of an XFO header
  11. Strong CSP policy forbidding 'unsafe-inline' is allowed in lieu of an XXSSP header

If you're in a hurry and want to start digging into my data before I can, feel free to grab the data dump and have at it.

[Category: Security] [Tags: Alexa, Cookies, CORS, CSP, HPKP, HSTS, Observatory, HTTPS, Redirection, SRI, XCTO, XFO, XXSSP]