Mozilla has developed an online scanner that checks whether a web server uses the best available security settings, with the aim of helping webmasters better protect their websites. The tool, dubbed Observatory, was initially built for in-house use by April King, a Mozilla security engineer, who later expanded it and made it available to everyone. Unlike the SSL Server Test, which only checks a website's TLS implementation, Mozilla's Observatory scans for a wide range of web security mechanisms: cookie security flags, Content Security Policy (CSP), HTTP Strict Transport Security (HSTS), Cross-Origin Resource Sharing (CORS), HTTP Public Key Pinning (HPKP), subresource integrity, redirections, X-Content-Type-Options, X-Frame-Options, X-XSS-Protection and more.
The tool checks not only whether these technologies are present but whether they are implemented correctly. The one thing Mozilla's tool does not do, which many free and commercial tools do, is scan for vulnerabilities in the actual website code. Finding and patching code vulnerabilities is, however, often easier than achieving a secure website configuration and making use of the security technologies developed in recent years.
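To make concrete what "present but implemented correctly" means for the mechanisms listed above, here is an added example, written for this page and not Mozilla's Observatory code. It takes a captured response's header list and applies a handful of checks in the same spirit: HSTS with an adequate max-age, a CSP that does not open script execution to everything, clickjacking protection via X-Frame-Options or CSP frame-ancestors, nosniff, cookie Secure/HttpOnly flags, and a CORS sanity check. The six-month HSTS threshold, the pass/warn/fail grading and the two sample responses are assumptions constructed for the example, not Observatory's actual scoring.

```python
# Added example (not Mozilla's Observatory code): offline checker that applies
# a few header checks in the spirit of Observatory to a captured HTTP response.
# Thresholds and grades are illustrative assumptions, not Observatory's scoring.
from typing import Dict, List, Tuple

HSTS_MIN_AGE = 15552000  # six months; assumed minimum, not Observatory's exact rule
Headers = List[Tuple[str, str]]


def _group(headers: Headers) -> Dict[str, List[str]]:
    """Group values by lower-cased header name (Set-Cookie may repeat)."""
    grouped: Dict[str, List[str]] = {}
    for name, value in headers:
        grouped.setdefault(name.strip().lower(), []).append(value.strip())
    return grouped


def _attrs(value: str) -> Dict[str, str]:
    """Parse 'k=v; flag' style attributes (HSTS, Set-Cookie) into a dict."""
    out: Dict[str, str] = {}
    for part in value.split(";"):
        if part.strip():
            key, _, val = part.strip().partition("=")
            out[key.strip().lower()] = val.strip()
    return out


def _csp(value: str) -> Dict[str, List[str]]:
    """Parse a CSP string into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def check_hsts(h):
    vals = h.get("strict-transport-security")
    if not vals:
        return "fail", "Strict-Transport-Security missing"
    a = _attrs(vals[0])
    if not a.get("max-age", "").isdigit():
        return "fail", "HSTS max-age missing or not numeric"
    if int(a["max-age"]) < HSTS_MIN_AGE:
        return "warn", "HSTS max-age shorter than six months"
    return "pass", "HSTS set" + (" with includeSubDomains" if "includesubdomains" in a else "")


def check_csp(h):
    vals = h.get("content-security-policy")
    if not vals:
        return "fail", "Content-Security-Policy missing"
    scripts = _csp(vals[0]).get("script-src") or _csp(vals[0]).get("default-src", [])
    bad = {"'unsafe-inline'", "*", "data:", "http:", "https:"} & set(scripts)
    if bad:
        return "warn", "script sources allow " + ", ".join(sorted(bad))
    return "pass", "CSP restricts script sources"


def check_frame(h):
    xfo = [v.upper() for v in h.get("x-frame-options", [])]
    csp = _csp(h["content-security-policy"][0]) if h.get("content-security-policy") else {}
    if "frame-ancestors" in csp or any(v in ("DENY", "SAMEORIGIN") for v in xfo):
        return "pass", "framing restricted"
    return "fail", "no X-Frame-Options DENY/SAMEORIGIN or CSP frame-ancestors"


def check_nosniff(h):
    ok = any(v.lower() == "nosniff" for v in h.get("x-content-type-options", []))
    return ("pass", "nosniff set") if ok else ("fail", "X-Content-Type-Options: nosniff missing")


def check_cookies(h):
    if not h.get("set-cookie"):
        return "pass", "no cookies set"
    weak = []
    for raw in h["set-cookie"]:
        a = _attrs(raw)
        missing = [f for f in ("secure", "httponly") if f not in a]
        if missing:
            weak.append(f"{raw.split('=', 1)[0].strip()} lacks {'/'.join(missing)}")
    return ("fail", "; ".join(weak)) if weak else ("pass", "all cookies Secure and HttpOnly")


def check_cors(h):
    origin = h.get("access-control-allow-origin", [""])[0]
    creds = h.get("access-control-allow-credentials", [""])[0].lower() == "true"
    if origin == "*" and creds:
        return "fail", "wildcard origin combined with credentials"
    if origin == "*":
        return "warn", "any origin may read this resource"
    return "pass", (f"CORS limited to {origin}" if origin else "no cross-origin read granted")


CHECKS = {"hsts": check_hsts, "csp": check_csp, "framing": check_frame,
          "nosniff": check_nosniff, "cookies": check_cookies, "cors": check_cors}


def audit(headers: Headers) -> Dict[str, Tuple[str, str]]:
    """Run every check over a captured response's (name, value) header list."""
    grouped = _group(headers)
    return {name: fn(grouped) for name, fn in CHECKS.items()}


# Constructed sample responses for the example (not real captures).
WEAK: Headers = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/"),
    ("Access-Control-Allow-Origin", "*"),
    ("Access-Control-Allow-Credentials", "true"),
]
HARDENED: Headers = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'none'; script-src 'self'; frame-ancestors 'none'"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "DENY"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]

if __name__ == "__main__":
    for label, resp in (("weak", WEAK), ("hardened", HARDENED)):
        print(label)
        for name, (status, msg) in audit(resp).items():
            print(f"  {name:8} {status:4} {msg}")
```

Feed it the header list from a real capture (for example what `curl -sI` returns, split into name/value pairs) and the difference between presence and correct implementation shows up immediately: an HSTS header with a tiny max-age or a CSP whose script-src contains 'unsafe-inline' is "present" yet still graded down.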
King said in a blog post that these technologies are spread across dozens of standards documents, and while individual articles may discuss them, there was no single place for site operators to go to learn what each technology does, how to implement it, and how important it is.