The past few days have seen some changes to the inner workings of this website. In the main, the changes have been made to increase security for the site and its end users. I have added blocking techniques to prevent defacements, man-in-the-middle attacks and the like by configuring special HTTP response headers on the website. HTTP response headers provide a large degree of protection, and it is important that sites on the web deploy them: missing headers put users at risk.
Having researched what needed to be done over a couple of weeks, and having then implemented it, checked it and compared the result with other websites, I must admit that I have been alarmed by the apparent omissions on a number of prominent websites, which have received very poor F gradings compared with my A grade.
And, on checking local government websites…
… I am not surprised at all at their poor rankings, considering their never-ending amateurism:
In addition to the security tweaks, I have also submitted a request for the site to be included on the HSTS (HTTP Strict Transport Security) preload list. This is a hardcoded list of HTTPS-only websites built into Chromium (there is a six week wait). HSTS is a web security policy mechanism that helps to protect websites against protocol downgrade attacks and cookie hijacking. It allows a web server to declare that web browsers (or other complying user agents) should only interact with it over secure HTTPS connections, and never via the insecure HTTP protocol.
Sadly, the HSTS preload list only contains around 3,000 websites worldwide that demand a secure connection. It is an appalling situation.
If the submission to the Chromium list is accepted, then when a visitor clicks through to my website their browser will know automatically that HTTPS must be used, instead of first requesting the page over plain HTTP and waiting to be redirected, thus speeding up the connection. The Chromium HSTS preload list is propagated to other browsers, and is supported by:
| Browser | Supported from |
|---|---|
| Internet Explorer | Internet Explorer 11+ |
| Safari | Mavericks (Mac OS X 10.9)+ |
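To make the preload requirements concrete, here is an added example (my own checker, not code from this site or from the Chromium project) that parses a Strict-Transport-Security header value and reports why the preload submission form would reject it. The one-year minimum max-age and the includeSubDomains and preload directives are the published hstspreload.org requirements; the sample header values are constructed, not captured from any real site.

```python
"""Check a Strict-Transport-Security header value against the preload rules."""
import re

# hstspreload.org requirements for the base domain's HSTS header:
# max-age of at least one year, plus the includeSubDomains and preload directives.
PRELOAD_MIN_MAX_AGE = 31536000


def parse_hsts(value):
    """Parse an HSTS value (RFC 6797) into a dict of lower-cased directives.

    Returns {} when the value is malformed: no numeric max-age, or a
    directive repeated (RFC 6797 forbids duplicates).
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"') if sep else True
        if name in directives:
            return {}
        directives[name] = val
    max_age = directives.get("max-age")
    if not isinstance(max_age, str) or not re.fullmatch(r"\d+", max_age):
        return {}
    directives["max-age"] = int(max_age)
    return directives


def preload_problems(value):
    """Return the reasons a header would fail preload submission (empty list = OK)."""
    d = parse_hsts(value)
    if not d:
        return ["header missing or malformed (no valid max-age)"]
    problems = []
    if d["max-age"] < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age {d['max-age']} is below the required {PRELOAD_MIN_MAX_AGE}")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems


if __name__ == "__main__":
    # Constructed sample values: a preload-ready header, a weak one, and none at all.
    for v in ("max-age=63072000; includeSubDomains; preload", "max-age=300", ""):
        print(repr(v), "->", preload_problems(v) or "eligible")
```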
How can you tell if your connection to a website is secure?
Look for the padlock in your browser address bar:
Be Careful Online:
In 2014, Google called for secure https website connections to be everywhere.
HTTPS security helps to protect credit card transactions and the like. Unfortunately, take-up has been poor. Since early 2017, browsers have begun to warn users when connections are unsafe. And, in a push to make the web safer, Google announced that ranking boosts will apply to websites that are secure.
Don’t hand over sensitive information to insecure websites.
Some other changes have also taken place in the background of the website. Slight speed increases have been added too, such as link prefetching and HTTP/2 server push of data. There have also been minor tweaks to the mobile pages that are served to visitors.
Website speed is important to visitors, and detailed testing and analysis of my domain has shown that it is now 93% faster than most sites on the web… that is no mean feat, considering that this is a graphics-heavy website. For example, click here to view the mobile version of this post.
An abridged copy of the analysis into this website can be seen here: GTmetrix speed analysis report.