I am in an argument for a company we hired to create a web-site (strictly content). One of the things I asked for was that the web-site must score a B or higher at both https://casecurity.ssllabs.com and https://securityheaders.io . The web-site went live, then I ran the tests. We were getting a C on SSL Labs, and an F by SecurityHeaders. I told them they have to fix it. Now we are getting a B a SSL Labs and still getting an F at Securityheaders. I told them that needed to be fixed, but they are refusing, saying that a B from SSL Labs proves the web-site is secure. According to SecurityHeaders they need to add the following headers:
As a former software engineer I think is should be relatively easy to add them, and it is necessary. I wanted to get the opinion of others. Should web-sites score a B or better on both, or is it still secure if it scores an F on one? Am I being unreasonable by requiring at least a B on both?
Sep 7th 2018
10 months ago