Welcome back everyone. Today we're going to be talking about the Observatory by Mozilla. The Observatory is basically a way to test the security of your website. It's not doing any type of vulnerability assessment, but more what the client-side security would be: is there secure communication between your website or your server and whoever is visiting your site? So again, not necessarily security scanning to find vulnerabilities, but just looking for basic security configurations that we can set to make our users a little bit more secure in the way they actually access the data on our site. So first I'll talk about their web interface. If you go to https://observatory.mozilla.org, you can find this plain website, and you can see you can enter a domain here. So I'm going to go ahead and enter our domain for the university, global.hallym.ac.kr. And then there are just a few options here. "Don't include the site in my public results": I'm going to uncheck that, even though this video is public. It's okay. And then "force a rescan instead of returning cached results": if it's been a while since you've scanned your website, you might want to force a rescan instead of using cached results. And then "don't scan with third-party scanners", if you don't want the other tools they use to be able to access your site. So I'm just going to select "don't include my site in public results" for now, and then click "Scan Me". What this is doing is going through and scanning my web server, basically everything hosted on my server, and checking all of the different security configurations that a client would normally see. I'm going to run through a couple of these. First off, I'm getting a B+, and I'll tell you why that is: most of the sites that I scan with this get an F and don't have any of these things set. I'll talk about a few of them in a second. Let's go down to the test scores.
And you can see basically what they're checking for, and they even have more information on each type of criterion that they've set. Basically, most of this is setting your web server to send a particular header, some sort of security header. So for example, the X-Content-Type-Options header set to nosniff. This will basically make your server communicate with your clients in a more secure way, so that people can't, for example, sniff traffic or read your cookies. So there's the cookies option here: all cookies use the Secure flag, all session cookies use the HttpOnly flag. Basically, this just tells your users, the users of your website, what kind of security this server supports and what we prefer. And most websites, again, like I said, that I look at don't have any of these headers enabled at all, which means that their cookies are sent non-securely, which means anyone could potentially grab those cookies and replay them and pretend to be somebody else. Cross-Origin Resource Sharing. Or, where I get knocked off, because of the Content Security Policy. For example, we can use this to say what scripts, or where, I allow scripts to run from. So right now, because I'm transferring over, I'm using this 'unsafe-inline'. I have one legacy script that I can't move over yet, so I have to use 'unsafe-inline', but I'm working on changing that. Content Security Policies basically say my website can run code from this location and not other locations, which means that if somebody's trying to hack my site, if they want to try to inject their code, they also have to be coming from the same locations that I allow. That makes it much more difficult to do some sort of code injection from a different source. Okay. Different types of Referrer-Policy.
So basically, there are a couple of different criteria. I won't talk about all of these; on the side, it gives you all of the information you need about what these are and also how to fix this on your own server if you haven't already. So this website is really good for giving instructions about how to make your server or your website more secure for your users. So I highly recommend you test your own website and then look at each of these options and talk about them. And then there are the individual tests and the raw server headers. So this is actually the result coming back from my server, what my server is sending to Mozilla in this case. And then if we scroll up, you can also see the TLS Observatory and some other ones. So let's look at TLS. This is basically what types of TLS or HTTPS certificates are supported, and I'm using Let's Encrypt, so free, and it works well for me at least. Okay, so this is the web interface to be able to scan a website that you're hosting and see what's wrong and what you can potentially fix relatively easily. All of these protections took me about 20 minutes to configure, and, yeah, the website was much more secure after that basically. Okay, now, what I'm interested in is that all of these headers, all of these configurations, are, let's say, relatively standard; they're best practice more or less now, or at least they should be. So we can assess a website or a group of websites really quickly to see how secure they are. So I wanted to do that from a program rather than putting every website that I own into the Observatory by Mozilla web interface, right? And they are very good because they offer a couple of different ways that we can actually access the Observatory. One of them is through this command-line utility, the GitHub project mozilla/http-observatory-cli. And then for the command-line utility, they are using Docker.
And they have a Docker image that you can download and run directly, or, the one that I prefer, there is the Python option. So I'm going to show you today how to install from Python, which they tell you in the instructions. So all we have to do is open up a command line. I'm running in Linux right now, so if you're in Windows and you have pip installed, it should still work. So we want to run pip install httpobs-cli. If I hit enter, it's going to tell me I already have everything installed. I didn't have any issues installing this one directly from a default install of Ubuntu Linux. If you do have issues, it's probably because, you know, your package manager is not up to date or something like that. But I've never had any trouble installing this from pip. And then whenever you want to run the Observatory, you can just type httpobs (I sometimes type httpobs-cli). And then this is the tool that we can run. Now, I typed --help, and this gives us the options for the tool. You can see here there's the debug option; there's rescan, just like we saw in the web interface, which will rescan the website instead of using a cached version; verbose, a progress indicator and a little bit more information; hidden, do not list the scan in the recent scan results, remember I checked that in the website; and then zero, show test results that don't affect the final score. So this is everything, all of the different tests that they can run. Okay. So then let's do an example of this, where we will scan a website, but we will not show it on the web interface. Right. So I want to scan a website, but still be relatively discreet about it, I guess. I can run httpobs -x, because I don't want to show it on the website, and then global.hallym.ac.kr. Okay. So now it's going out. And since we just scanned this, it's already been cached, so it should just get back the cached result. Yeah, cached from nine hours ago.
Okay. And then the score is the same: 80 out of 100. And then the modifiers are basically these: Referrer-Policy and the Content Security Policy. So now I can see the main things that are affecting my score. And then we could use the, what was the option, the -z option to see more. Let me just go ahead and run that real quick. So here's everything that's affecting my score. Now, the Python module, or the Python version, is using an API from Mozilla. So I am actually connecting back to their server; I'm not running this locally. So just be aware that the Mozilla server is scanning your website. So if you have some sort of firewall or intrusion detection system, you will see scanning coming in. So make sure you don't block it if you actually want to be scanned. Well, yeah, anyway. Right. So this is basically how we can really quickly get a score for a particular website. Now, this is useful for a lot of different things. Depending on the country that you're in, scanning for this kind of information might be considered suspicious, but I don't think it would be considered illegal in most countries, because you are getting public information. You're just connecting to the website and then looking at the headers that they provide to you. You're not downloading any hidden content or, you know, brute-forcing directories or anything like that. You're just assessing the content that they are sending back to you intentionally. So I wouldn't consider this any type of hacking. Like I said, it's not some type of aggressive scan; it's literally just a connection and looking at how the conversation works, basically. So I've used this actually quite a bit, so I thought I would share it today to show you how you can quickly get at least a basic security assessment of a website.
If all of these things have been set, that means that at least the web server administrator is thinking about security. If none of them have been set, you might want to ask why, especially depending on what the website is. So, an interesting tool, just something I find useful. I hope you enjoyed it. Thank you very much.
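The video covers two things that fit in one piece of code: what the Observatory's header checks actually look for (nosniff, HSTS, a CSP without 'unsafe-inline', framing, Referrer-Policy, cookie flags) and how to grade a set of sites programmatically instead of through the web form. Below is an added example, not Mozilla's code and not the Observatory's scoring table: an offline checker that parses a raw response header block (like the "raw server headers" panel in the video) and grades it. The six-month HSTS threshold and the pass/warn/fail labels are my own simplification, and the two header blocks at the bottom are constructed samples, one resembling the B+ site in the video (CSP present but carrying 'unsafe-inline') and one resembling a stock server with nothing set.

```python
"""Offline grader for the client-side security headers the Observatory checks.
Added example; simplified checks, not the Observatory's real scoring logic."""
import re
from typing import Dict, List, Optional, Tuple

Headers = List[Tuple[str, str]]

# Six months in seconds: assumed minimum HSTS max-age for this example.
HSTS_MIN_AGE = 15552000


def parse_raw_headers(raw: str) -> Headers:
    """Turn a raw HTTP response header block into lower-cased (name, value) pairs.
    A list rather than a dict, because Set-Cookie can legitimately repeat."""
    lines = raw.strip().splitlines()
    if lines and lines[0].upper().startswith("HTTP/"):
        lines = lines[1:]                      # drop the status line
    pairs: Headers = []
    for line in lines:
        if not line.strip():
            break                              # blank line ends the header block
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def _values(headers: Headers, name: str) -> List[str]:
    return [v for n, v in headers if n == name]


def _csp_directive(policy: str, name: str) -> Optional[List[str]]:
    """Source list of one CSP directive (lower-cased), or None if it is absent."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == name:
            return [t.lower() for t in tokens[1:]]
    return None


def _cookie_attrs(set_cookie: str) -> set:
    """Attribute names of one Set-Cookie value, ignoring the leading name=value."""
    return {part.strip().split("=", 1)[0].lower() for part in set_cookie.split(";")[1:]}


def assess_headers(headers: Headers) -> Dict[str, str]:
    """Grade a header set: each check maps to 'pass', 'warn' or 'fail'."""
    results: Dict[str, str] = {}

    xcto = _values(headers, "x-content-type-options")
    results["x-content-type-options"] = "pass" if any(v.lower() == "nosniff" for v in xcto) else "fail"

    hsts = _values(headers, "strict-transport-security")
    age = 0
    if hsts:
        m = re.search(r"max-age\s*=\s*(\d+)", hsts[0], re.I)
        age = int(m.group(1)) if m else 0
    results["strict-transport-security"] = "pass" if age >= HSTS_MIN_AGE else "fail"

    csp = _values(headers, "content-security-policy")
    if not csp:
        results["content-security-policy"] = "fail"
    else:
        scripts = _csp_directive(csp[0], "script-src")
        if scripts is None:                    # script-src falls back to default-src
            scripts = _csp_directive(csp[0], "default-src") or []
        # 'unsafe-inline' lets injected inline script run despite the source allow-list
        results["content-security-policy"] = "warn" if "'unsafe-inline'" in scripts else "pass"

    xfo = _values(headers, "x-frame-options")
    ancestors = _csp_directive(csp[0], "frame-ancestors") if csp else None
    framed = any(v.upper() in ("DENY", "SAMEORIGIN") for v in xfo) or ancestors is not None
    results["framing"] = "pass" if framed else "fail"

    results["referrer-policy"] = "pass" if _values(headers, "referrer-policy") else "fail"

    cookies = _values(headers, "set-cookie")
    ok = True
    for c in cookies:
        attrs = _cookie_attrs(c)
        session = not ({"expires", "max-age"} & attrs)   # no expiry means a session cookie
        if "secure" not in attrs or (session and "httponly" not in attrs):
            ok = False
    results["cookies"] = "pass" if ok else "fail"       # no cookies at all also passes
    return results


def summarize(results: Dict[str, str]) -> Tuple[int, int]:
    """(passed, total), handy for comparing a whole list of sites at a glance."""
    return sum(1 for r in results.values() if r == "pass"), len(results)


# Constructed samples: a hardened response and a stock default one.
HARDENED = """HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; frame-ancestors 'none'
Referrer-Policy: strict-origin-when-cross-origin
Set-Cookie: sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
"""

DEFAULT = """HTTP/1.1 200 OK
Content-Type: text/html
Set-Cookie: sessionid=abc123; Path=/
"""

if __name__ == "__main__":
    for label, raw in (("hardened", HARDENED), ("default", DEFAULT)):
        res = assess_headers(parse_raw_headers(raw))
        print(label, summarize(res), res)
```

To run this against real sites you would feed it the header block from a real response (for example from the Observatory's raw server headers panel, or from your own HTTPS client); the point of keeping the grading offline is that, unlike the CLI in the video, nothing here contacts Mozilla's API or any target, so it can be run in a build pipeline against saved responses.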