使用网站安全分析工具测试网站，得出结果为“F”，提示的安全问题就是JQuery版本较低、安全头信息。

所用的工具为：https://snyk.io/test/website-scanner/

JQuery版本1.9.1都不行么？？

引入的JQuery文件名为jquery-1.9.1.min.js，接着就直接改了文件名为jquery-3.5.1.min.js，文件内的版本号改成了3.5.1。

再次测试，竟然没有提示JQuery版本的问题了。？？？

安全头信息的问题

• Strict Transport Security
• X Content Type Options
• X Frame Options
• Content Security Policy
• X XSS Protection

在PHP文件中添加以下代码即可，

header("Content-Security-Policy: default-src 'self'; img-src https://*; child-src 'none'; script-src * 'unsafe-inline';");
header('X-Frame-Options:Deny');
header('Strict-Transport-Security: max-age=63072000');

header('X-XSS-Protection: 1');
header('Access-Control-Allow-Origin: *');

header('X-Content-Type-Options: nosniff');

其它语言可以查询相关添加头信息的方法。

此时再次测试，评分变成了“A”。

关于评分

How do we score a website security scan?

The highest grade you can get is an A+ and the lowest is an F. The grades are composed based on the following score:

• A+ for a score equal to or higher than 95
• A for a score equal to or higher than 75
• B for a score equal to or higher than 60
• C for a score equal to or higher than 50
• D for a score equal to or higher than 29
• E for a score equal to or higher than 14
• F for a score equal to or higher than 0

The scores are calculated based on the formula that Scott Helm has put together for https://securityheaders.com. The formula is public and includes a factor that lowers the score for any JavaScript vulnerabilities that are detected.

Security headers are scored as follows:

• Content-Security-Policy adds 25 points
• X-Frame-Options adds 20 points
• X-XSS-Protection adds 20 points
• X-Content-type-options adds 20 points
• Strict-transport-security adds 25 points, only if the website tested is on HTTPS

以上内容来自于https://snyk.io/blog/website-security-score-explained/，评定标准的一些解释。

其它

Mozilla HTTP Observatory，是Mozilla最近发布的一款名为Observatory的网站安全分析工具。

http-observatory github开源地址：https://github.com/mozilla/http-observatory