One of my online colleagues, Gary Longsine, on LinkedIn has been on a bit of a mission to get people to fix their allowed headers on their webservices. These are headers that tell your browser (and to a lesser extent) your web server what your browser is allowed to access and what it's not allowed to access.
When he first showed me the site that runs your score, I was… skeptical. Setting aside the security headers that actually tell my server to reject things, things like
Header always set Content-Security-Policy "script-src self"
This tells the browser not to run a script that isn't on the same server… so if I try to run a script from google.com from michaelbissell.com the browser should stop it.
The idea that I put headers in to tell the browser what not to do doesn't seem high on the list of things I need to worry about with hackers. After all, hackers aren't exactly known for following the rules, and if I say, "now be sure you don't hack all my data" I should expect my data to be stolen, deleted and vandalized within seconds.
Except… this kind of security isn't to keep the brute force, black-hat hacker from being able to do things on their own… these policies are designed to help keep the consumer from doing something irresponsibly, usually because they don't know they're being irresponsible.
Modern website rely a lot on the web browser, and the web browser is almost an operating system of its own at this point. We can get lots of great helper plugins that give us a richer experience on the web.
For example, when I was putting together my podcast, I wanted to see what my podcast would look like in a basic RSS reader -- if you don't know what an RSS reader is, don't worry, the point is when I went to install one as a plug-in I got a very casual, and to my eye, very chilling warning:
Read that little warning again…
It can: Read and change all your data on all websites.
Read and change my data on all websites… all websites… you know… like my banking site. Or if I'm a private network that requires VPN to get to…
Data. On. All. Websites.
Oh it can display notifications too. That warning is given the same level of caution as the fact that this script can now change data on any site I'm on, and, therefore, inject all sorts of scripts, while also reading the otherwise private data in that window… things like access tokens and probably passwords if your site makes you type them in.
And this is why the seemingly "honor system" headers are so important. The browser, (Chrome, Firefox, Safari… probably Edge) WILL honor those headers, regardless of what a plugin might have done to the page.
Again, it's not that someone is hacking my server directly, it's that they, like vampires, were invited into the browser. What the Content Security Policies do is keep those people who don't even know they've been hacked from hacking my server.