Security practices - IPv6 / DNSSEC / HTTPS / HSTS
We've done a project for a Dutch governmental organisation on another platform recently. A lot of effort went into getting the security rating of the platform sufficiently high to pass their IT requirements.
Because of this we also started looking at how Xano scores on their metrics. Xano in a default configuration starts at a 49 out of a 100. Absolutely not the worst score out there, because some of their tests should not be applied to a solo backend.
A few things from the test that we would really like to resolve if possible:
- Webserver not reachable by IPv6
- DNSSEC
  - We'll be running Xano on a custom domain, so this will partially be our doing.
  - On a CNAME redirect they do also check DNSSEC for the CNAME domain.
Some further comments:
- HTTPS redirect
  - This insufficient test result seems invalid, since you redirect using the 307 HTTP code.
  - We'll contact the test creator about this.
- Security options
  - These mainly have to do with front-end applications, so not having these available shouldn't be an issue.
- A security.txt option would be a nice nerdy addition. ;)
Direct access to the test results with additional information:
https://en.internet.nl/site/xn1p-iyvo-dsj3.f2.xano.io/2396811/
Love to hear your thoughts on this,
Bas van Ginkel
Answers
-
Hi @Bas van Ginkel,
The biggest issue appears to be that this scanning site doesn't recognize chained redirects.
http://xn1p-iyvo-dsj3.f2.xano.io goes to http://xn1p-iyvo-dsj3.f2.xano.io/admin/ which then goes to https://xn1p-iyvo-dsj3.f2.xano.io/admin/
Probably easier if we just change this to skip the middle step.
Happy to talk through any of your issues through support as a public forum is probably not the place to discuss your score.
-
Hi Sean,
I didn't pick up on the fact that it first redirects to http://…../admin. That will indeed break this stupid test. Would love to discuss further with you about the other test results, but I think addressing the reachability of the system via IPv6 and DNSSEC is something everybody can profit from.
With kind regards,
Bas van Ginkel
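The redirect issue Sean describes above, as an added example that is not part of the thread (not Xano or internet.nl code): an offline checker for recorded redirect chains that flags an intermediate plain-HTTP hop such as http://host/ -> http://host/admin/ -> https://host/admin/, and passes the direct http -> https chain. The rule modelled (first hop must land on HTTPS on the same host, no later plain-HTTP hops) is my reading of the scanner's behaviour as the thread describes it, not a copy of its implementation; the sample chains are constructed.

```python
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 307, 308}

def evaluate_redirect_chain(chain):
    """Check hops [(requested_url, status, Location-or-None), ...]; return
    problems ([] = pass). Rule modelled (assumption): the FIRST hop away from
    plain HTTP must land on HTTPS on the same host, then no plain-HTTP hops.
    """
    problems = []
    if not chain:
        return ["empty chain"]
    first_url, first_status, first_location = chain[0]
    first = urlsplit(first_url)
    if first.scheme != "http":
        problems.append("check must start from a plain-HTTP request")
    if first_status not in REDIRECT_CODES or not first_location:
        problems.append(f"first hop did not redirect (HTTP {first_status})")
    else:
        target = urlsplit(first_location)
        if target.scheme != "https":
            # The thread's case: http://host/ -> http://host/admin/
            problems.append(f"first hop stays on {target.scheme}://, not https://")
        if target.hostname != first.hostname:
            problems.append("first hop changes host before upgrading to HTTPS")
    # Every later hop must already be HTTPS; a plain-HTTP step leaks the request
    for url, _status, _location in chain[1:]:
        if urlsplit(url).scheme != "https":
            problems.append(f"insecure intermediate hop: {url}")
    last_url, last_status, _ = chain[-1]
    if last_status in REDIRECT_CODES:
        problems.append(f"chain still redirecting at {last_url}")
    return problems

# Constructed sample chains using the host from the thread's test link.
HOST = "xn1p-iyvo-dsj3.f2.xano.io"
CHAINED = [  # what the scanner saw: the first hop stays on http
    (f"http://{HOST}/", 307, f"http://{HOST}/admin/"),
    (f"http://{HOST}/admin/", 307, f"https://{HOST}/admin/"),
    (f"https://{HOST}/admin/", 200, None),
]
DIRECT = [  # the proposed fix: skip the middle step
    (f"http://{HOST}/", 307, f"https://{HOST}/admin/"),
    (f"https://{HOST}/admin/", 200, None),
]

if __name__ == "__main__":
    print("chained:", evaluate_redirect_chain(CHAINED) or "OK")
    print("direct: ", evaluate_redirect_chain(DIRECT) or "OK")
```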