If you just want to know whether your website lacks some basic security features and best practices, you don't need an external security audit. There are some easy-to-use solutions that are absolutely free and let you focus on other aspects of your security posture. The following two services don't cost a dime but deliver excellent results.
#1 Security Headers
To find a good balance between convenience and security, web browser developers ship some of their security features disabled by default. We have taken a quick look at them in our previous blog post about HTTP security headers.
Since new features and headers are added and removed regularly, it also makes sense to check your headers occasionally to see whether they are still up to the latest standards. Instead of reading through MDN or similar sources, you can simply scan your own website using the https://securityheaders.com service by Scott Helme.
The service expects a URL as input. Because results are otherwise listed in a public rating system, I would suggest you activate the "Hide results" button before scanning. The securityheaders.com servers will issue a request to your website and observe the response. The service then calculates a score from the headers it finds; the website offers a more detailed explanation of how the score is derived.
Once you scan your site, the website will return a security report, showing your score and other data. It also shows you an explanation of all the missing headers and why it may be a good idea to enable them.
The score is, of course, only general guidance. Depending on your site, it may not make sense to implement all of these headers. You can decide for yourself whether you need the features these headers offer or whether you choose not to implement them.
You can try it right now and get results instantly.
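If you would rather run the same kind of check yourself, for example from a CI job or against an internal site the public service cannot reach, the following script does a simplified version of what securityheaders.com does. It is an added example written for this post, not code from the service or from Scott Helme; the list of recommended headers and the one-year HSTS threshold are my own assumptions and are not the service's exact scoring rules. The sample response headers at the bottom are constructed so the audit can run offline.

```python
"""Audit an HTTP response for common security headers.

Added example for this post; not the securityheaders.com scoring logic.
"""
import sys
import urllib.request

# Assumption: a representative set of headers, not the service's full list.
# Each entry maps the lower-cased header name to why it matters.
RECOMMENDED = {
    "strict-transport-security": "forces browsers to use HTTPS on later visits",
    "content-security-policy": "restricts where scripts, styles and frames may load from",
    "x-content-type-options": "stops browsers from MIME-sniffing responses",
    "x-frame-options": "mitigates clickjacking by controlling framing",
    "referrer-policy": "limits how much URL information leaks via Referer",
    "permissions-policy": "controls access to browser features such as camera or geolocation",
}

ONE_YEAR = 365 * 24 * 60 * 60  # seconds; assumed minimum HSTS max-age


def hsts_max_age(value):
    """Return the max-age directive of a Strict-Transport-Security value, or None."""
    for directive in value.split(";"):
        name, _, number = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(number.strip())
            except ValueError:
                return None
    return None


def audit_headers(headers):
    """Audit a mapping of response headers.

    Returns a dict with the recommended headers that are present, those that
    are missing, and warnings about weak values.  HTTP header names are
    case-insensitive, so everything is compared in lower case.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    present = [h for h in RECOMMENDED if h in lowered]
    missing = [h for h in RECOMMENDED if h not in lowered]
    warnings = []

    hsts = lowered.get("strict-transport-security")
    if hsts is not None:
        max_age = hsts_max_age(hsts)
        if max_age is None:
            warnings.append("Strict-Transport-Security has no valid max-age directive")
        elif max_age < ONE_YEAR:
            warnings.append(f"Strict-Transport-Security max-age={max_age} is below one year")

    xcto = lowered.get("x-content-type-options")
    if xcto is not None and xcto.strip().lower() != "nosniff":
        warnings.append(f"X-Content-Type-Options should be 'nosniff', not {xcto!r}")

    return {"present": present, "missing": missing, "warnings": warnings}


def fetch_headers(url, timeout=10):
    """Fetch a URL and return its response headers (network access required)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return dict(resp.headers.items())


def report(result):
    """Print the audit result in a securityheaders.com-like layout."""
    for name in result["present"]:
        print(f"[ok]      {name}")
    for name in result["missing"]:
        print(f"[missing] {name}: {RECOMMENDED[name]}")
    for warning in result["warnings"]:
        print(f"[warn]    {warning}")


# Constructed sample response: HSTS is set but far too short, and most
# recommended headers are absent.
SAMPLE_RESPONSE_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=300",
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        report(audit_headers(fetch_headers(sys.argv[1])))
    else:
        report(audit_headers(SAMPLE_RESPONSE_HEADERS))
```

Run it with a URL argument to audit a live site, or without one to see the output for the constructed sample. Like the public service, it only inspects the response of a single request; headers that are set per-path or only on certain responses will not show up unless you point it at those URLs.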
#2 SSL Labs
The Qualys SSL Labs website is similar in structure to the first service we talked about, albeit a little more complex. It assesses your website's SSL/TLS configuration and alerts you to possible misconfigurations or outdated protocol versions.
Since TLS is a highly complex topic, under continuous scrutiny by the cryptography community, and practical attacks have been found in the past, it makes sense to check your configuration regularly with a tool like this.
The SSL Labs website gives you a clear score and the reasons for the rating. You can then decide whether or not you want to change the configuration. A great help is Mozilla's SSL Configuration Generator, which can generate configurations for just about every server software you might use. You can even choose whether you want the most secure option or the one with the widest client support that is still reasonably secure.
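To get a feel for the kind of findings SSL Labs reports, here is a small Python probe that connects to a host, records the negotiated TLS version, cipher suite and certificate expiry, and grades them against a simple policy. This is an added example written for this post, not code from Qualys or from Mozilla; the policy (TLS 1.2 or 1.3 only, no ciphers built on RC4, 3DES, export or NULL primitives, forward secrecy required, certificate renewal flagged 30 days out) is my own simplification and not the SSL Labs rating algorithm. The values used at the bottom are constructed so the assessment runs offline.

```python
"""Probe a TLS endpoint and grade the negotiated parameters.

Added example for this post; the policy is a simplification, not the
SSL Labs rating rules.
"""
import socket
import ssl
import sys
import time

# Assumed policy thresholds.
ACCEPTABLE_VERSIONS = {"TLSv1.2", "TLSv1.3"}
WEAK_CIPHER_MARKERS = ("RC4", "3DES", "DES-CBC3", "NULL", "EXPORT", "MD5", "ANON")
RENEWAL_WARNING_DAYS = 30


def assess_tls(version, cipher_name, not_after_epoch, now_epoch):
    """Return a list of human-readable findings for one TLS session.

    version:          string as returned by ssl.SSLSocket.version(), e.g. "TLSv1.2"
    cipher_name:      OpenSSL cipher suite name, e.g. "ECDHE-RSA-AES128-GCM-SHA256"
    not_after_epoch:  certificate expiry as a Unix timestamp
    now_epoch:        current time as a Unix timestamp
    """
    findings = []

    if version not in ACCEPTABLE_VERSIONS:
        findings.append(f"{version} is deprecated; allow only TLS 1.2 and TLS 1.3")

    upper = cipher_name.upper()
    if any(marker in upper for marker in WEAK_CIPHER_MARKERS):
        findings.append(f"cipher {cipher_name} uses a weak or broken primitive")

    # TLS 1.3 suites are always ephemeral; older suites need (EC)DHE key exchange.
    if version != "TLSv1.3" and "DHE" not in upper:
        findings.append(f"cipher {cipher_name} does not provide forward secrecy")

    days_left = (not_after_epoch - now_epoch) // 86400
    if days_left < 0:
        findings.append(f"certificate expired {-days_left} days ago")
    elif days_left < RENEWAL_WARNING_DAYS:
        findings.append(f"certificate expires in {days_left} days; renew soon")

    return findings


def probe(host, port=443, timeout=5.0):
    """Open one TLS connection and return (version, cipher name, notAfter epoch)."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            not_after = ssl.cert_time_to_seconds(cert["notAfter"])
            return tls.version(), tls.cipher()[0], not_after


# Constructed sample sessions: one modern, one with several problems.
NOW = 1_700_000_000
MODERN_SESSION = ("TLSv1.3", "TLS_AES_256_GCM_SHA384", NOW + 90 * 86400)
LEGACY_SESSION = ("TLSv1.0", "AES256-SHA", NOW + 10 * 86400)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        version, cipher, not_after = probe(sys.argv[1])
        now = int(time.time())
    else:
        version, cipher, not_after = LEGACY_SESSION
        now = NOW
    print(f"negotiated {version} with {cipher}")
    for finding in assess_tls(version, cipher, not_after, now):
        print(f"[warn] {finding}")
    if not assess_tls(version, cipher, not_after, now):
        print("[ok]   no findings under this policy")
```

One caveat worth knowing: `ssl.create_default_context()` on a current Python refuses anything below TLS 1.2 and only offers strong ciphers, so the probe reports what a modern client negotiates, not everything the server would accept. A server that still enables TLS 1.0 or RC4 for old clients looks fine here. SSL Labs tests each protocol version and cipher suite separately, which is exactly why the service is worth the occasional visit.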
While application security is often nuanced and complex, some of the fundamentals are easy to assess and quick to fix. Of course this doesn't guarantee you full security, but it gives you a foundation to build on.
If you want to get notified about future blog posts, with more tips and tricks, please consider clicking the subscribe button to receive our newsletter. But of course it is your choice whether you want to receive emails from us or not.