Bug 1270153 (Open; opened 9 years ago, updated 6 years ago)
[Meta] Apply recommendations from the Mozilla HTTP Observatory tool (B, treeherder.mozilla.org)
Categories: Tree Management :: Treeherder: Infrastructure, defect, P3
Tracking: Not tracked; status NEW
People: Reporter: emorley, Unassigned
References: Depends on 2 open bugs
Details: Keywords: meta
Description
https://github.com/mozilla/http-observatory-cli
[~/src/treeherder]$ httpobs treeherder.mozilla.org
Score: 25 [E]
Modifiers:
[ -5] Subresource Integrity (SRI) not implemented, but all external scripts are loaded over https
[ -5] X-Content-Type-Options header not implemented
[ -10] Contribute.json file missing from root of website
[ -10] X-XSS-Protection header not implemented
[ -20] X-Frame-Options (XFO) header not implemented
[ -25] Content Security Policy (CSP) header not implemented
The X-Content-Type-Options, X-XSS-Protection and X-Frame-Options entries will be dealt with once bug 1247344 lands.
Contribute.json is the existing bug 1186912.
This leaves:
[ -5] Subresource Integrity (SRI) not implemented, but all external scripts are loaded over https
[ -25] Content Security Policy (CSP) header not implemented
The not-same-origin JS we load (that triggers the SRI entry) is all from Persona, so will go away once we move away from it.
I'll file a new bug for CSP.
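Added example (not the httpobs tool's own code): an offline re-implementation of the subset of checks the httpobs output above lists, so the "before" and "after" states of a site can be scored from captured response headers and HTML without a network call. The point weights and messages are copied from the output above; the base score of 100 is inferred from it (25 = 100 - 75); the function names, the `site_host`/`contribute_json_present` parameters, and the sample headers and HTML are constructed for this example.

```python
"""Offline checker for the HTTP Observatory findings listed in this bug.

Added example: weights and messages come from the bug's httpobs output; the
function names, parameters, sample headers and sample HTML are this example's own.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# (header name, point delta, message) exactly as httpobs reported them in the bug.
HEADER_TESTS = (
    ("content-security-policy", -25, "Content Security Policy (CSP) header not implemented"),
    ("x-frame-options", -20, "X-Frame-Options (XFO) header not implemented"),
    ("x-xss-protection", -10, "X-XSS-Protection header not implemented"),
    ("x-content-type-options", -5, "X-Content-Type-Options header not implemented"),
)
CONTRIBUTE_JSON_MISSING = (-10, "Contribute.json file missing from root of website")
SRI_MISSING_HTTPS = (-5, "Subresource Integrity (SRI) not implemented, but all external scripts are loaded over https")


class _ScriptCollector(HTMLParser):
    """Collect the attributes of every <script src=...> tag in a document."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            attributes = dict(attrs)
            if attributes.get("src"):
                self.scripts.append(attributes)


def external_scripts_without_sri(html, site_host):
    """Return the src URLs of cross-origin scripts that carry no integrity attribute."""
    collector = _ScriptCollector()
    collector.feed(html)
    unprotected = []
    for script in collector.scripts:
        host = urlparse(script["src"]).netloc
        # Relative URLs (empty netloc) and same-host loads are same-origin: SRI is not required.
        if host and host != site_host and not script.get("integrity"):
            unprotected.append(script["src"])
    return unprotected


def observatory_findings(headers, html="", site_host="", contribute_json_present=False):
    """Return the (delta, message) modifiers this subset of checks would emit."""
    present = {name.lower() for name in headers}  # header names are case-insensitive
    findings = [(delta, msg) for name, delta, msg in HEADER_TESTS if name not in present]
    if not contribute_json_present:
        findings.append(CONTRIBUTE_JSON_MISSING)
    unprotected = external_scripts_without_sri(html, site_host)
    if unprotected:
        if all(urlparse(src).scheme == "https" for src in unprotected):
            findings.append(SRI_MISSING_HTTPS)
        else:
            # Assumption: the bug shows no weight for plain-http script loads, so the
            # https weight is used as a floor and the message says what was found.
            findings.append((SRI_MISSING_HTTPS[0], "Subresource Integrity (SRI) not implemented and some external scripts are loaded over http"))
    # httpobs prints the smallest penalties first.
    return sorted(findings, key=lambda finding: -finding[0])


def observatory_score(findings):
    """httpobs starts every site at 100 and applies the modifiers (inferred from the bug's numbers)."""
    return 100 + sum(delta for delta, _ in findings)


SITE_HOST = "treeherder.mozilla.org"
# Constructed response headers and HTML standing in for the "before" state in the bug:
# no defensive headers, and the Persona include loaded cross-origin without SRI.
BEFORE_HEADERS = {"Content-Type": "text/html; charset=utf-8", "Strict-Transport-Security": "max-age=31536000"}
BEFORE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://login.persona.org/include.js"></script>
</head></html>"""

# Constructed "after" state: the four headers set, Persona gone, the remaining
# cross-origin script pinned with an integrity attribute, contribute.json served.
AFTER_HEADERS = dict(BEFORE_HEADERS, **{
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
})
AFTER_HTML = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example/lib.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
</head></html>"""

if __name__ == "__main__":
    for label, hdrs, html, has_cj in (("before", BEFORE_HEADERS, BEFORE_HTML, False),
                                      ("after", AFTER_HEADERS, AFTER_HTML, True)):
        findings = observatory_findings(hdrs, html, SITE_HOST, has_cj)
        print(f"{label}: score {observatory_score(findings)}")
        for delta, msg in findings:
            print(f"  [{delta:>4}] {msg}")
```

Run as a script it reproduces the description's score of 25 for the constructed "before" state (all six modifiers listed above) and 100 for the "after" state; in practice you would feed it the headers and body of a real response so the check can run in CI against stage before a deploy rather than only against production after the fact.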
Comment 1 (Reporter, 9 years ago)
Now that bug 1247344 has landed on stage...
[~/src/treeherder]$ httpobs -r treeherder.allizom.org
Score: 60 [C+]
Modifiers:
[ -5] Subresource Integrity (SRI) not implemented, but all external scripts are loaded over https
[ -10] Contribute.json file missing from root of website
[ -25] Content Security Policy (CSP) header not implemented
Comment 2 (Reporter, 8 years ago)
Latest grade is B:
https://observatory.mozilla.org/analyze.html?host=treeherder.mozilla.org
Remaining areas where points can be had:
- CSP (bug 1270157)
- SRI (bug 1289471)
- (Bonus points only) HPKP
- (Bonus points only) HSTS preloading (but not really possible on a subdomain, so blocked on mozilla.org doing this; see bug 1289421 comment 3)
Summary: Apply recommendations from the Mozilla HTTP Observatory tool → Apply recommendations from the Mozilla HTTP Observatory tool (B, treeherder.mozilla.org)
Updated (Reporter, 8 years ago)
Assignee: nobody → emorley
Updated (Reporter, 6 years ago)
Assignee: emorley → nobody
Keywords: meta
Summary: Apply recommendations from the Mozilla HTTP Observatory tool (B, treeherder.mozilla.org) → [Meta] Apply recommendations from the Mozilla HTTP Observatory tool (B, treeherder.mozilla.org)