Перейти к файлу

Gregg Lind a972da68e5 Fix #20 , shebang should now work		2016-10-10 10:50:12 -05:00
.eslintrc.yml	Add ESLint curly rule and tweak indent rule for switch case	2016-09-28 14:55:35 -07:00
.gitignore	Tweak ESLint rules and autofix errors	2016-09-28 14:24:29 -07:00
README.md	Fix #10 only negative scores fail --nagios. 0.6.0	2016-09-23 12:54:47 -05:00
index.js	Fix #20 , shebang should now work	2016-10-10 10:50:12 -05:00
package.json	version bump after eslint fixes	2016-10-10 10:49:18 -05:00
report.png	fix #15 , truncate long descriptions. Update screen shot	2016-09-27 13:47:53 -05:00

README.md

Observatory by Mozilla CLI Client

Score your site on its HTTPS practices

Observatory by Mozilla is a project designed to help developers, system administrators, and security professionals configure their sites safely and securely.

See Observatory in Action!

Example site report, with additional options

The full report url has suggestions to repair each of these issues.

Install

$ npm install -g observatory-cli

Usage

Scan a site for https best practices.

# json!
$ observatory some.site.name

# include 'zero' scores, display as a tabular report
$ observatory some.site.name --zero --format=report

# attempt to force a re-scan
$ observatory some.site.name --rescan

Test a site as part of a Continuous Integration pipeline.

Script will FAIL unless the grade is AT LEAST B+
```
$ observatory some.site.name --min-grade B+
```
...and the score is at least 50.
```
$ observatory some.site.name --min-grade B+ --min-score 50
```

Show the URL for the web report.

$ observatory some.site.name --format=url

nagios monitoring plugin mode.

For --nagios <failcode>, failcode will be the exit code if the test fails.

--min-score, --min-grade, --zero, --skip aftect the test.

$ observatory  --nagios 2 --min-score 85 -z --skip cookies
CRITICAL ["content-security-policy",...,"x-xss-protection"]

If neither --min-score nor --min-grade is specified, any negative scores fail the test.

# '2' means 'critical.'  Exits '2'

$ observatory ssllabs.com --nagios 2
CRITICAL ["redirection"]

We can --skip the failing rule, and affect the score.

$ observatory ssllabs.com --nagios     2 --skip redirection
observatory [INFO] modfiying score, because of --skip.  was: 100, now: 105
OK

Quiet output with -q.

$ observatory ssllabs.com --nagios     2 --skip redirection -q
OK

Help

$ observatory --help

  Usage: index [options] <site>

  cli for interacting with Mozilla HTTP Observatory

  https://observatory.mozilla.org/

  Options:

    -h, --help               output usage information
    -V, --version            output the version number
    --format [format]        format for output.  choice:  (json|report|csv|url).  `json` is default
    --min-grade <grade>      testing: this grade or better, or exit(1)
    --min-score <score>      testing: this score or better, or exit(1)
    --nagios [failcode]      nagios mode, exits with [failcode] on failure
    --rescan                 initiate a rescan instead of showing recent scan results
    -z, --zero               show test results that don't affect the final score
    --attempts <n>           number of attempts to try before failing
    --api-version [version]  api version:  defaults to 1
    --skip <rule>            skip rules by name.  works with min-score only
    --tls                    do tls checks instead
    -q, --quiet              turns off all logging


Formats help:
    - json    json of the report
    - report  plain-text tabular format
    - csv     alias for report
    - url     url for online version


Nagios Mode (--nagios)
  - if `--min-score` and/or `--min-grade`, use those.
  - else *any* failing rules fail the check.
  - exits with integer `failcode`.

Example Report, Text Version

Report, with options:

-z to show '0' rules (all rules)
--skip to skip a rule (affecting SCORE, but not GRADE)

$ observatory some.site --format=report -z --skip redirection

observatory [INFO] modfiying score, because of --skip.  was: 60, now: 65

HTTP Observatory Report: some.site

Score Description

  -20 content-security-policy        Content Security Policy (CSP) implemented, but allows 'unsafe-inline' inside script-src
  -10 x-xss-protection               X-XSS-Protection header not implemented
   -5 x-content-type-options         X-Content-Type-Options header not implemented
    0 contribute                     Contribute.json implemented with the required contact information
    0 cookies                        No cookies detected
    0 cross-origin-resource-sharing  Content is not visible via cross-origin resource sharing (CORS) files or headers
    0 public-key-pinning             HTTP Public Key Pinning (HPKP) header not implemented
    0 strict-transport-security      HTTP Strict Transport Security (HSTS) header set to a minimum of six months (15768000)
    0 subresource-integrity          Subresource Integrity (SRI) not implemented, but all scripts are loaded from a similar origin
    0 x-frame-options                X-Frame-Options (XFO) header set to SAMEORIGIN or DENY

Score: 65 (modified due to --skip)
Grade: C+

Full Report Url: https://observatory.mozilla.org/analyze.html?host=some.site

HTTP Observatory by April King
Python observatory-cli by April King