Mozilla developed a tool to help developers, system administrators, and security professionals configure their sites safely and securely. Pixls.us gets only an F where gimp.org gets an A+.


GIMP got an A+ because schumaml and myself did a ton of work to make it A+… :)

I keep meaning to address CSP and HSTS for pixls.us to get the score up from there, but there are some nasty limitations that come with it that will require some refactoring to make it work (no in-line scripts, no cross-domain requests/assets, and many others).
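As an added example (not Mozilla's Observatory code, nor anything from the pixls.us or gimp.org setups), here is the kind of header check such a scanner performs, run offline over constructed header sets; the HSTS threshold and the sample policies are assumptions:

```python
"""Offline checks in the spirit of a header scanner: HSTS, CSP, HTTP->HTTPS redirect.
Added example; the header sets below are constructed, not captured from any real site.
"""
from typing import Dict, List

def hsts_ok(headers: Dict[str, str], min_age: int = 15552000) -> bool:
    """HSTS counts only if max-age is present and at least ~180 days (assumed threshold)."""
    value = headers.get("strict-transport-security", "")
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name.lower() == "max-age":
            try:
                return int(val.strip('" ')) >= min_age
            except ValueError:
                return False
    return False

def csp_issues(headers: Dict[str, str]) -> List[str]:
    """Findings for Content-Security-Policy; an empty list means no issue found."""
    csp = headers.get("content-security-policy")
    if csp is None:
        return ["missing CSP"]
    directives = {}
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens:
            directives[tokens[0].lower()] = [t.strip("'").lower() for t in tokens[1:]]
    # script-src governs scripts; default-src is only the fallback when it is absent.
    script = directives.get("script-src", directives.get("default-src", []))
    issues = []
    if "unsafe-inline" in script:
        issues.append("script-src allows inline scripts")   # the in-line script limitation
    if "*" in script:
        issues.append("script-src allows any origin")       # cross-domain assets allowed
    return issues

def http_redirects_to_https(status: int, headers: Dict[str, str]) -> bool:
    """True when a plain-HTTP response redirects to an https:// Location."""
    location = headers.get("location", "")
    return status in (301, 302, 307, 308) and location.lower().startswith("https://")

# Constructed sample resembling a well-configured site (header names lower-cased,
# as an HTTP client normalises them).
GOOD = {
    "strict-transport-security": "max-age=31536000; includeSubDomains; preload",
    "content-security-policy": "default-src 'self'; script-src 'self'; img-src 'self' data:",
}
# Constructed sample: CSP present but still permitting inline scripts, and a short HSTS.
WEAK = {
    "strict-transport-security": "max-age=3600",
    "content-security-policy": "script-src 'self' 'unsafe-inline' *",
}
```

To audit a live site, feed it the status code and headers of the HTTP and HTTPS responses from any HTTP client; the functions themselves never touch the network.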

Hmm. It says that gimp-forum.net doesn’t reroute HTTP to HTTPS, yet it does, as far as I can tell?

Also, no point about being too secure. At work, I can’t reach GitHub because my customer’s proxy replaces the SSL certificate, and GitHub’s strict policy forbids Firefox to make an exception. So, I can’t access GitHub. Of course, I can import a certificate for the proxy (*), but then it means completely trusting that proxy for all the sites, which IMHO is less safe than trusting the established authorities.

(*) Not really needed, since FF has a config setting that says “look for corporate certificates in the Windows registry” but the result is the same.

