The two most common website security vulnerabilities we see all the time

It's a rare occurrence when we see a website have their security headers set with no JavaScript library vulnerabilities.

Author
David

Since we've been beta-testing our website auditor, we've reviewed enough sites to have a good handle on the common security vulnerabilities that plague the web.  Two issues in particular turn up in almost every new audit, even though both are easy to fix.

Very rarely do site administrators properly configure, or configure at all, their HTTP security headers.  These are instructions sent by the website to the visitor's browser telling it what it can and can't do: they enforce restrictions and tighten connections, thereby narrowing the attack surface.

Security headers are very easy to configure and low hanging fruit for improving security posture.  The Open Web Application Security Project sets guidelines for best security practice that every website should adopt, including security headers policy.
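The checklist approach described above, as an added example that is not the post's auditor: a small Python function compares a set of response headers against a minimal security-header policy and reports what is missing, weak, or leaking. The two header sets are constructed for illustration, and the one-year HSTS floor is a threshold chosen here, not a value from the post.

```python
"""Audit HTTP response headers against a minimal security-header policy.
Added example (not the post's auditor); header sets below are constructed."""
import re
from typing import Callable, Dict, List

# One year in seconds; a floor chosen for this example, not taken from the post.
HSTS_MIN_MAX_AGE = 31536000


def hsts_ok(value: str) -> bool:
    """Strict-Transport-Security must carry a max-age at or above the floor."""
    m = re.search(r"max-age=(\d+)", value, re.I)
    return m is not None and int(m.group(1)) >= HSTS_MIN_MAX_AGE


# Header name -> predicate the value must satisfy.
CHECKS: Dict[str, Callable[[str], bool]] = {
    "strict-transport-security": hsts_ok,
    "content-security-policy": lambda v: "default-src" in v.lower(),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "referrer-policy": lambda v: bool(v.strip()),
}

# Headers that advertise the server stack; they should be removed, not tuned.
LEAKY_HEADERS = ("server", "x-powered-by")


def parse_raw_headers(raw: str) -> Dict[str, str]:
    """Turn 'Name: value' lines (status line optional) into a dict."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        if ":" not in line or line.upper().startswith("HTTP/"):
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means every check passed."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    for name, ok in CHECKS.items():
        if name not in lowered:
            findings.append(f"missing: {name}")
        elif not ok(lowered[name]):
            findings.append(f"weak value: {name}: {lowered[name]!r}")
    for leaky in LEAKY_HEADERS:
        if lowered.get(leaky, "").strip():
            findings.append(f"information leak: {leaky}: {lowered[leaky]!r}")
    return findings


# Constructed sample: a typical neglected site.
NEGLECTED = parse_raw_headers("""HTTP/1.1 200 OK
Content-Type: text/html
Server: Apache/2.4.6 (placeholder)
X-Powered-By: PHP/5.6 (placeholder)
Strict-Transport-Security: max-age=300
""")

# Constructed sample: the same site after the headers are set properly.
HARDENED = parse_raw_headers("""HTTP/1.1 200 OK
Content-Type: text/html
Strict-Transport-Security: max-age=63072000; includeSubDomains
Content-Security-Policy: default-src 'self'
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
""")

if __name__ == "__main__":
    for label, hdrs in (("neglected", NEGLECTED), ("hardened", HARDENED)):
        print(label, audit_headers(hdrs) or ["all checks passed"])
```

The predicates are deliberately coarse: a `Content-Security-Policy` that merely contains `default-src` can still be permissive, so treat a clean result as "the basics are present", not as proof that the policy is tight.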

Neglecting something as basic and minimal as security headers sends a message to both web visitor and cybercriminal.  This bad practice tells the visitor that the website cares very little about their privacy and data protection, and cues criminals that common exploits are plentiful.

It's the equivalent of seeing messy bathrooms and a dirty eating area at a restaurant.  If it's that bad in front of the customer, imagine how bad the kitchen must be.

The other problem a majority of sites have is JavaScript-related vulnerabilities, many of which are serious.  This happens because a website's maintenance is completely neglected, usually for years (we even see libraries dating as far back as 2012).

Allowing known JavaScript vulnerabilities on your website and exposing visitors is inexcusable.  The majority of site administrators seemingly care very little about the websites they manage and neglect updates while typically receiving a management or maintenance fee.
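One way to spot the years-old libraries described above, as an added example that is not the post's auditor: parse the page's `<script src>` tags, pull a library name and version out of each URL, and flag anything below a floor version the site owner has decided to tolerate. The HTML and the floor versions in `MIN_VERSIONS` are constructed placeholders; a real check would take its floors from a vulnerability feed rather than from this file.

```python
"""Flag versioned script includes that fall below a tolerated floor version.
Added example (not the post's auditor); the HTML and floors are constructed."""
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Placeholder floors for this example; take real floors from a vulnerability feed.
MIN_VERSIONS: Dict[str, Version] = {
    "jquery": (3, 5, 0),
    "bootstrap": (4, 0, 0),
}

# Library name, a separator, then a dotted numeric version, e.g.
# "jquery-1.8.3.min.js" or ".../libs/jquery/1.8.3/jquery.min.js".
VERSION_RE = re.compile(r"(?P<lib>[a-z][a-z0-9-]*?)[-./](?P<ver>\d+(?:\.\d+)+)", re.I)


class ScriptCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in the document."""

    def __init__(self) -> None:
        super().__init__()
        self.srcs: List[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def parse_version(text: str) -> Version:
    return tuple(int(part) for part in text.split("."))


def library_from_src(src: str) -> Optional[Tuple[str, Version]]:
    """Return (library, version) for a versioned URL, or None if unversioned."""
    path = src.split("?", 1)[0].split("#", 1)[0]
    m = VERSION_RE.search(path)
    if m is None:
        return None
    return m.group("lib").lower(), parse_version(m.group("ver"))


def outdated_scripts(html: str) -> List[str]:
    """Return one finding per script include whose version is below its floor."""
    collector = ScriptCollector()
    collector.feed(html)
    findings: List[str] = []
    for src in collector.srcs:
        parsed = library_from_src(src)
        if parsed is None:
            continue  # unversioned asset or in-house bundle: review by hand
        lib, ver = parsed
        floor = MIN_VERSIONS.get(lib)
        if floor is not None and ver < floor:
            found = ".".join(map(str, ver))
            want = ".".join(map(str, floor))
            findings.append(f"{lib} {found} below {want}: {src}")
    return findings


# Constructed sample page: one stale CDN library, one current local copy,
# and an unversioned application script.
SAMPLE_HTML = """<html><head>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.8.3/jquery.min.js"></script>
<script src="/static/js/bootstrap-4.6.2.min.js?v=2"></script>
<script src="/static/js/app.js"></script>
</head><body></body></html>"""

if __name__ == "__main__":
    for finding in outdated_scripts(SAMPLE_HTML) or ["no versioned library below its floor"]:
        print(finding)
```

Version strings in URLs are the cheap signal; libraries bundled into a minified application file carry no such marker, which is why `None` results are reported for manual review rather than silently treated as clean.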

We recommend you check with your site administrator about these two issues to reduce exposure to your visitors.  We're more than happy to confirm.

These are by no means the only common security issues among the hundreds of sites we've analyzed, but we'd say the number of sites with these two issues combined is close to 99%.