What are website security scores?
Website security scores are measured using security headers. In this article we explain what they are.


Your website needs security: without it, anyone could copy or hack your website, infect it with viruses, or make it inaccessible to users. One way to secure your website is through security headers. In this article we explain what they are and why it is important that they are up to date.


Where can I find my scores?

In the portal, under Domains, you can see the score in the last column, 'security header score'. Scores range from 1 (bad) to 10 (very good).



What are security headers and what do they do?

Security headers add an extra layer of protection to your website. They tell the visitor's browser how to handle the content of the website. Lupasafe checks different types of security headers on your website. Over an HTTP connection we check for Content-Security-Policy, X-Content-Type-Options, X-Frame-Options and X-XSS-Protection. Over an HTTPS connection we check for two extra headers, namely Strict-Transport-Security and Referrer-Policy. Below is an explanation of these terms:


  • Content-Security-Policy. This security header is an extra protection against Cross-Site Scripting. You can use it to whitelist or blacklist script sources, so you indicate exactly which scripts from which domains are allowed and which are not. If an attacker then places a script on your website via Cross-Site Scripting and the domain that hosts that script is not on the allowed list, the script will never be executed.
  • X-Content-Type-Options. When your website loads a file, for example a style sheet, the file is served with a content type; for the example style sheet you would see the type text/css. If a file is uploaded that looks like a style sheet but is actually a piece of malicious code, a browser that guesses ("sniffs") the content type may execute it as code. When you set the X-Content-Type-Options security header, you tell the browser not to guess any more but to interpret the file as the declared content type (so in the above example the malicious file would be treated as text/css and not executed as code).
  • X-Frame-Options. With the X-Frame-Options security header you indicate whether your website may be loaded in an iframe. An iframe is a window in which you can load website content, including an entire website. So someone else could create a website consisting only of an iframe in which another website (for example yours) is loaded. This entails a risk: someone can completely copy your website via an iframe.
  • X-XSS-Protection. Cross-site scripting (XSS) is a widely used attack to compromise websites. With XSS, an attacker injects malicious code into a website, and that code can then infect visitors to the website. A poorly secured form can be vulnerable to cross-site scripting: an attacker will try to place script code in a form and then press "submit". A good form will recognise this script code and either adjust it so that it is harmless or reject it altogether. A bad form will accept the code, which places it on the website.
  • HTTP Strict Transport Security (HSTS). With this security header you arrange that web browsers may only access your website over a secure (https) connection. To set this security header, your website must of course use an SSL connection (a secure connection, so https and a padlock in the address bar of the browser).
  • Referrer-Policy. When your website contains a link to another website and a visitor clicks it, the visitor goes to that other website. The browser takes information about the website it came from (i.e. information about your website) along to the website the visitor goes to. This information can be used in, for example, Google Analytics, to see exactly from which referring sites people came to your site. However, you may not want information about your website to be passed on to websites you refer to. You can arrange this with the Referrer-Policy security header. There are a number of values you can set; I recommend setting it so that no referrer information is sent when you link to a website that does not use https while you do use https yourself. In other words, send nothing when the connection is downgraded.
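As an added illustration (this is not Lupasafe's scanner, whose scoring method the article does not publish), the following Python checker applies the header checks described above to a captured set of response headers: it lists which of the six headers are missing for a given scheme and flags a Referrer-Policy that would still send referrer data on an https-to-http downgrade. The sample headers are constructed.

```python
from typing import Dict, List

# Headers the article says are checked over HTTP, plus the two extra ones checked over HTTPS.
HTTP_HEADERS = [
    "Content-Security-Policy",
    "X-Content-Type-Options",
    "X-Frame-Options",
    "X-XSS-Protection",
]
HTTPS_EXTRA_HEADERS = ["Strict-Transport-Security", "Referrer-Policy"]

# Referrer-Policy values under which the browser sends no referrer when a visitor follows
# a link from an https page to a plain http page (the "downgrade" the article warns about).
NO_LEAK_ON_DOWNGRADE = {
    "no-referrer",
    "no-referrer-when-downgrade",
    "same-origin",
    "strict-origin",
    "strict-origin-when-cross-origin",
}


def missing_headers(headers: Dict[str, str], scheme: str) -> List[str]:
    """Return the expected security headers absent from a response (names are case-insensitive)."""
    present = {name.lower() for name in headers}
    expected = HTTP_HEADERS + (HTTPS_EXTRA_HEADERS if scheme == "https" else [])
    return [name for name in expected if name.lower() not in present]


def referrer_leaks_on_downgrade(headers: Dict[str, str]) -> bool:
    """True when Referrer-Policy may pass referrer data to an http site the page links to.
    The header may list several comma-separated tokens and browsers use the last one they
    recognise, so the last token decides; a missing header or unknown token counts as leaking."""
    value = next((v for k, v in headers.items() if k.lower() == "referrer-policy"), None)
    if value is None:
        return True
    tokens = [t.strip().lower() for t in value.split(",") if t.strip()]
    return not tokens or tokens[-1] not in NO_LEAK_ON_DOWNGRADE


# Constructed sample response (not from any real site): served over HTTPS, but two of the
# checked headers are missing and Referrer-Policy leaks the full URL to every linked site.
SAMPLE_HTTPS_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "unsafe-url",
}
```

For the sample, `missing_headers(SAMPLE_HTTPS_HEADERS, "https")` returns the two absent headers (Content-Security-Policy and X-XSS-Protection) and `referrer_leaks_on_downgrade(SAMPLE_HTTPS_HEADERS)` returns True because of the unsafe-url value.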

How do I test the security of my website?

Lupasafe measures the security of your website and shows the result in our portal in real time. This way you can see at any time how safe your websites are.


When should I intervene and what should I do?

If the security of your website is not in order, you have to make adjustments. You may need to ask your web developer or web hosting provider to do this. We recommend acting on the recommendations for any score below an A.