Improved tests for CSP and security.txt on Internet.nl
Improved CSP test
Specific error messages were added to the technical details in the Content-Security-Policy (CSP) test. This makes it clearer to users what is wrong with their CSP policy and enables them to make their policy more secure. Furthermore, the CSP test now also checks for secure settings of the base-uri and form-action directives. According to the CSP specification, both directives are not covered by the fallback policy of default-src and thus it is important to configure them explicitly.
security.txt and TLS test improvements
For the security.txt test Dutch translations were added, the validation library was updated and several bug fixes were made. Furthermore, in the test for TLS version, users can now see all detected TLS versions. So, if detected, also TLS version 1.2 and 1.3 with a 'sufficient' and 'good' security level, respectively, are now displayed in the technical table.
About Internet.nl
The test tool Internet.nl is an initiative of the Dutch Internet Standards Platform which is a collaboration of partners from the Internet community and the Dutch government. The aim of the platform is to jointly increase the use of modern Internet standards to make the Internet more accessible, safer and more reliable for everyone. The software code of Internet.nl is available under an open source license.
Release notes 1.7.0
- Added specific error messages in the technical details for Content-Security-Policy results.
- Added requirements for base-uri and form-action to the Content-Security-Policy test.
- Added translations for security.txt error messages.
- The TLS versions tech table now shows the detected TLS versions instead of only TLS versions with issues.
- Fixed an uncaught exception in the security.txt text which could cause the entire test to fail for some HTTP responses.
- Corrected handling of bogus TLSA records.
- A bare "https:" is no longer allowed in Content-Security-Policy as it matches any HTTPS host.
- Loosened requirement for null MX when a domain has no A or AAAA.
- Fixed an issue where the frame-src test was inconsistent with the documentation.
- Added the version number to the footer.
- Added Sentry support for error reporting.
- Code quality was cleaned up in various places.
- Dependencies were updated.
- New content for extended tests and several other content improvements.
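The two CSP changes above (base-uri and form-action have no default-src fallback, and a bare "https:" source matches any HTTPS host) can be checked against your own header with a short script. This is an added example, not Internet.nl's code: the finding codes and sample policies are constructed, and it only checks that the two directives are present, not every value Internet.nl may require.

```python
# Added example: not Internet.nl's implementation. Finding codes are hypothetical.
NO_FALLBACK = ("base-uri", "form-action")  # directives default-src does not cover


def parse_csp(header):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        # Per the CSP specification a repeated directive is ignored: first one wins.
        policy.setdefault(name, tokens[1:])
    return policy


def audit_csp(header):
    """Return a sorted list of (code, directive) findings for one header value."""
    policy = parse_csp(header)
    findings = []
    for name in NO_FALLBACK:
        # default-src is deliberately not consulted here: it is no fallback.
        if name not in policy:
            findings.append(("missing-directive", name))
    for name, sources in policy.items():
        for src in sources:
            # A scheme-only source allows every host served over HTTPS.
            # "https://cdn.example.com" is a host source and is not flagged.
            if src.lower() == "https:":
                findings.append(("bare-https-scheme", name))
    return sorted(findings)


# Constructed sample policies.
WEAK = "default-src 'self'; img-src https:; script-src 'self' https://cdn.example.com"
STRICT = "default-src 'self'; base-uri 'self'; form-action 'self'; frame-ancestors 'none'"

if __name__ == "__main__":
    for label, header in (("weak", WEAK), ("strict", STRICT)):
        print(label, audit_csp(header))
```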
This release has API version 2.3.0:
- The record_org_domain was added for DMARC (#489).
- The securitytxt_errors and securitytxt_recommendations types were changed. They now contain error codes (and possibly context) rather than full sentences.
- The content_security_policy_errors field was added with error codes for CSP.
- An issue was fixed where the mx_nameservers field was not included in results (#882).