Hacker News | stefanorri's comments

Author here - I should maybe have made the disclaimer at the end more prominent - "All the bugs were discovered, verified, and reported. Any issued tickets were canceled and not used."


testssl.sh is also great for testing internal servers which aren't internet accessible.


HTTPSecurityReport - https://httpsecurityreport.com - Disclaimer: I'm the creator.

Site Scan from MS - https://dev.windows.com/en-us/microsoft-edge/tools/staticsca...

Subresource Integrity scanner - https://sritest.io/


Maybe you can add HTTP2/SPDY detection too. BTW your HSTS test does not verify if the format/syntax is correct.

--

These are all good but I would include the following:

Qualys SSL Server Test - The first site I use.

testssl.sh - for behind-the-firewall testing

https://tls.imirhil.fr/ - this one is nice because it shows the ciphers used/avail broken down by TLS version. I have not seen any other site do this.
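The HSTS syntax point raised in the comment above (a scanner should check that the Strict-Transport-Security header is well-formed before grading it) can be covered with a small checker. The block below is an added example, not code from the thread or from HTTPSecurityReport or any other tool named here; it parses the header per the RFC 6797 directive grammar (directives separated by ";", names case-insensitive and unique, values tokens or quoted-strings, max-age required) and then applies policy findings on top. The function names, the sample headers and the one-year threshold used for the preload check are this example's own choices.

```javascript
// Added example (not from the thread or from any scanner it mentions):
// validate the *syntax* of a Strict-Transport-Security header (RFC 6797
// section 6.1) before judging the policy it expresses.
//
// Grammar: directives separated by ";", each one
//   directive-name [ "=" directive-value ]
// with the value a token or a quoted-string. Names are case-insensitive,
// each directive may appear only once, max-age is required and must be
// delta-seconds (digits). "preload" is not in the RFC but is what the
// browser preload lists look for, so it is accepted.

const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;   // RFC 7230 tchar
const QUOTED = /^"((?:[^"\\]|\\.)*)"$/;           // quoted-string

function parseHsts(headerValue) {
  const errors = [];
  const directives = new Map();

  for (const raw of headerValue.split(';')) {
    const part = raw.trim();
    if (part === '') continue;                    // empty directives are allowed
    const eq = part.indexOf('=');
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    let value = eq === -1 ? null : part.slice(eq + 1).trim();

    if (!TOKEN.test(name)) {
      errors.push(`directive name is not a token: "${name}"`);
      continue;
    }
    if (value !== null) {
      const q = QUOTED.exec(value);
      if (q) value = q[1].replace(/\\(.)/g, '$1'); // unescape quoted-pair
      else if (!TOKEN.test(value)) {
        // Catches e.g. "max-age=31536000 includeSubDomains" (missing ";").
        errors.push(`value for ${name} is neither token nor quoted-string: "${value}"`);
        continue;
      }
    }
    if (directives.has(name)) {
      errors.push(`duplicate directive: ${name}`);
      continue;
    }
    directives.set(name, value);
  }

  const maxAge = directives.get('max-age');
  if (maxAge === undefined) errors.push('max-age directive is required');
  else if (maxAge === null || !/^\d+$/.test(maxAge)) {
    errors.push(`max-age must be delta-seconds, got "${maxAge}"`);
  }
  // RFC 6797 defines includeSubDomains as valueless; preload is used the same way.
  for (const d of ['includesubdomains', 'preload']) {
    if (directives.has(d) && directives.get(d) !== null) errors.push(`${d} takes no value`);
  }

  return { valid: errors.length === 0, errors, directives: Object.fromEntries(directives) };
}

// Policy findings on top of valid syntax: what a scanner actually grades.
// Threshold: one year, which the preload submission form requires (assumption
// of this example; adjust to the list's current rules).
const ONE_YEAR = 31536000;

function assessHsts(headerValue) {
  const parsed = parseHsts(headerValue);
  const findings = [...parsed.errors];
  if (parsed.valid) {
    const seconds = Number(parsed.directives['max-age']);
    const subs = 'includesubdomains' in parsed.directives;
    if (seconds === 0) findings.push('max-age=0 disables HSTS for this host');
    else if (seconds < ONE_YEAR) findings.push(`max-age below one year (${ONE_YEAR})`);
    if (!subs) findings.push('includeSubDomains absent: subdomains are not covered');
    if ('preload' in parsed.directives && (seconds < ONE_YEAR || !subs)) {
      findings.push('preload present but preload requirements are not met');
    }
  }
  return { syntaxValid: parsed.valid, findings };
}

// Constructed sample headers, as a scanner would see them in responses.
const SAMPLES = [
  'max-age=31536000; includeSubDomains; preload',   // good
  'max-age=31536000 includeSubDomains',              // missing ";", invalid
  'max-age="31536000"',                              // quoted value, valid
  'includeSubDomains',                               // no max-age, invalid
  'max-age=300; max-age=600',                        // duplicate, invalid
  'MAX-AGE=0',                                       // valid syntax, HSTS off
];
for (const h of SAMPLES) console.log(JSON.stringify(h), assessHsts(h));
```

The second sample is the case the comment is about: a browser will not honour a header whose max-age value is "31536000 includeSubDomains", so a scanner that only greps for "max-age" would wrongly mark that site as protected.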


Thanks for these! I like that yours covered a lot more than the one OP posted.


Thanks, glad to hear it!


HTTPSecurityReport is great! Thank you!


If you apply the sandbox attribute to the iframes it should be ok. It allows fine-grained control of what the iframe is allowed to do. Scripts, navigation, popups, etc. are forbidden unless explicitly allowed.


Also, please don't enable JS within the "sandbox".

JS is nowhere near as secure as it is often touted as being. You don't want to find yourself being host to a zero-day attack.


I'd be wary about that.

If nothing else, what happens if someone visits the site without support for `sandbox`? Your best option (not displaying it if the browser doesn't support it) breaks the site for users without JS, or that don't have support for `sandbox`.


Good point. But the sandbox attribute is supported by around 90% [1] of browsers. The number of browsers which don't support it and don't run javascript may be too low to make supporting them practical, but YMMV.

[1] http://caniuse.com/#feat=iframe-sandbox


It's IE 8 and 9 that I'd be most worried about in terms of malice.

And I'd be one of those users who would be cut out by JS requirements. Just so you know, that number is not zero.
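Two points from the exchange above, the sandbox attribute as a default-deny list of capabilities and the question of what to do when a browser does not implement it, can be put into one helper. The block below is an added example and not code from the thread or from any site it discusses; it assumes a `doc` parameter that is the real `document` in a browser and, for running outside one, a constructed stand-in with only `createElement`. The token list, the function names and the decision to fall back to a plain link are this example's own choices.

```javascript
// Added example (not from the thread or from any site discussed in it):
// embed untrusted content with a sandboxed <iframe>, keep scripts disabled
// by default, and refuse to render inline when the browser lacks sandbox
// support so that old browsers are never shown unsandboxed content.

// Tokens that re-enable one capability each. Anything not listed stays
// blocked: scripts, forms, popups, top navigation, same-origin access...
// (Common tokens only; the spec defines a few more.)
const SANDBOX_TOKENS = new Set([
  'allow-forms', 'allow-modals', 'allow-orientation-lock', 'allow-pointer-lock',
  'allow-popups', 'allow-popups-to-escape-sandbox', 'allow-presentation',
  'allow-same-origin', 'allow-scripts', 'allow-top-navigation',
]);

// Feature detection: a browser that implements sandbox exposes it as a
// property (a DOMTokenList) on iframe elements.
function supportsSandbox(doc) {
  return 'sandbox' in doc.createElement('iframe');
}

// Attribute value for the requested allowances; throws when the combination
// defeats the sandbox. Empty array => "" => everything blocked.
function sandboxValue(allow) {
  for (const t of allow) {
    if (!SANDBOX_TOKENS.has(t)) throw new Error(`unknown sandbox token: ${t}`);
  }
  // The HTML spec warns that allow-scripts plus allow-same-origin lets
  // same-origin framed content reach the parent and remove its own sandbox.
  if (allow.includes('allow-scripts') && allow.includes('allow-same-origin')) {
    throw new Error('allow-scripts with allow-same-origin neutralises the sandbox');
  }
  return allow.join(' ');
}

function embedUntrusted(doc, src, allow = []) {
  if (!supportsSandbox(doc)) {
    // No sandbox: do not load the content inline at all, offer a link instead.
    const a = doc.createElement('a');
    a.setAttribute('href', src);
    a.setAttribute('rel', 'noopener noreferrer');
    a.textContent = 'Open embedded content (this browser cannot sandbox it)';
    return a;
  }
  const frame = doc.createElement('iframe');
  frame.setAttribute('sandbox', sandboxValue(allow)); // set before src
  frame.setAttribute('referrerpolicy', 'no-referrer');
  frame.setAttribute('src', src);
  return frame;
}

// Constructed stand-in for `document`, only so this runs outside a browser.
// In a page, pass `document` instead.
function fakeDocument({ sandbox }) {
  return {
    createElement(tag) {
      const el = { tagName: tag.toUpperCase(), attrs: {}, textContent: '' };
      el.setAttribute = (k, v) => { el.attrs[k] = v; };
      el.getAttribute = (k) => (k in el.attrs ? el.attrs[k] : null);
      if (tag === 'iframe' && sandbox) el.sandbox = ''; // mimics the DOM property
      return el;
    },
  };
}

const modern = embedUntrusted(fakeDocument({ sandbox: true }), 'https://example.com/widget');
const legacy = embedUntrusted(fakeDocument({ sandbox: false }), 'https://example.com/widget');
console.log(modern.tagName, JSON.stringify(modern.getAttribute('sandbox'))); // IFRAME ""
console.log(legacy.tagName, legacy.getAttribute('href'));                       // A https://...
```

In the page itself the call is `document.body.appendChild(embedUntrusted(document, url))`; the default empty allow list keeps JS off inside the frame, which is the restriction argued for above, and the `allow-forms`/`allow-popups` style tokens are opted into one at a time.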

