Requirement
Websites must be moderately hardened so that they pass a basic web vulnerability scan without any high- or critical-risk findings.
Moderate hardening means implementing at least the following basic controls:
- Configuring commonly expected security headers, i.e. earning a grade of A or B on SecurityHeaders.com.
- Minimising common sensitive disclosures (e.g. disabling directory listing, preventing username enumeration).
- Protecting commonly misused functions (e.g. login and password-reset forms).
- Updating severely outdated and vulnerable components (plug-ins, themes, libraries, etc.).
- Implementing known basic security controls specific to the website's platform (WordPress, Drupal, Joomla, Moodle, Kentico, etc.).
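The first two controls above (expected security headers and sensitive disclosures in response headers) can be self-assessed offline with a small script such as the one below. This is an added example written for this page, not tooling from Mitigate-5 or from SecurityHeaders.com; the set of expected headers, the value checks and the A-F grading scale are the example's own assumptions about what a basic scan looks for, and the two sample responses are constructed, not captured from any real site.

```python
"""Audit an HTTP response for commonly expected security headers.

Added example for this page, not tooling from the certification body or
from SecurityHeaders.com. The header set, value checks and letter-grade
mapping are this example's own approximation of a basic header scan and
are assumptions, not that service's real scoring rules.
"""
import re
from typing import Callable, Dict, List, Tuple

HeaderMap = Dict[str, str]
ONE_YEAR = 31536000  # assumed minimum HSTS max-age, in seconds
SAFE_REFERRER_POLICIES = {
    "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin",
}


def _hsts_ok(value: str) -> bool:
    # Require an explicit max-age of at least a year.
    m = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return bool(m) and int(m.group(1)) >= ONE_YEAR


def _non_empty(value: str) -> bool:
    return bool(value.strip())


# Lower-case header name -> predicate accepting a sufficiently strict value.
EXPECTED: Dict[str, Callable[[str], bool]] = {
    "strict-transport-security": _hsts_ok,
    "content-security-policy": _non_empty,
    "x-frame-options": lambda v: v.strip().upper() in {"DENY", "SAMEORIGIN"},
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "referrer-policy": lambda v: v.strip().lower() in SAFE_REFERRER_POLICIES,
    "permissions-policy": _non_empty,
}

# Headers that commonly leak software versions (a "sensitive disclosure").
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")


def find_disclosures(headers: HeaderMap) -> List[str]:
    """Return 'name: value' for headers that reveal product versions.

    A bare product name in Server (e.g. 'nginx') is tolerated; a value with
    a digit is treated as a version leak. The other headers are flagged
    whenever they are present at all.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    leaks = []
    for name in DISCLOSURE_HEADERS:
        if name not in lower:
            continue
        if name == "server" and not re.search(r"\d", lower[name]):
            continue
        leaks.append(f"{name}: {lower[name]}")
    return leaks


def audit_headers(headers: HeaderMap) -> Tuple[str, List[str], List[str]]:
    """Grade the headers A-F and list missing/weak headers and disclosures.

    One step down the scale per missing or weak expected header, capped at
    F, then one further step if any disclosure header is present (assumed
    scale for this example).
    """
    lower = {k.lower(): v for k, v in headers.items()}
    missing = [name for name, ok in EXPECTED.items()
               if name not in lower or not ok(lower[name])]
    leaks = find_disclosures(headers)
    step = min(len(missing), 5)
    if leaks:
        step = min(step + 1, 5)
    return "ABCDEF"[step], missing, leaks


# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE: HeaderMap = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Content-Type": "text/html; charset=UTF-8",
}
HARDENED_RESPONSE: HeaderMap = {
    "Server": "Apache",
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        grade, missing, leaks = audit_headers(resp)
        print(f"{label}: grade {grade}; missing/weak {missing}; leaks {leaks}")
```

To check a live site, paste the headers returned by `curl -sI https://example.org` into a dict and pass it to audit_headers. Note that a Server value carrying a version string, or any X-Powered-By header at all, is counted as a disclosure and pulls the grade down one step even when every expected header is present.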
Limitations of meeting this requirement
Website owners are responsible for taking diligent steps to protect against vulnerabilities that are not covered by our general automated web vulnerability scan. Meeting this requirement means passing a basic but common automated web vulnerability scan relevant to the website's platform. As such, specific types of vulnerabilities are unlikely to be discovered, especially those known to require manual analysis, in-depth context, or testing of multi-step functionality. The following weaknesses are examples of what is out of scope for the automated verification scans used to assess this requirement:
- Authentication
- Session Management
- Input Validation
- Malicious Software
- File Uploads
- Data Privacy and Compliance
- APIs and Web Services
- Any service other than HTTPS/HTTP at the website's domain address
Note to applicants: Mitigate-5 Certifications expire at the end of each calendar year. Renewal is automatic and does not require a new application. Re-verification checks are done between November and December of each year.
Note to applicants: If any aspect of this requirement is unclear, please contact us.
Why harden a website
Hardening minimises the attack surface (the angles from which a site can be attacked), which reduces both the likelihood that a vulnerability exists and the likelihood that it is exploited.
Mitigate-5 requires reasonable hardening for the following reasons:
- Protects Users - Hardening helps to protect users and their browsing sessions from compromise.
- Protects the website - Hardening protects a website against unauthorised access and loss of confidential data, and helps keep it available to its intended users.
- Shows maturity - Reasonable controls are often visible to the internet at large and signal that the website owner cares about protecting the site from malicious threats.
Before hardening a website
Website owners should consider the following:
- Research online for common vulnerabilities related to the website platform.
- Research online for hardening guides relating to the website's platform (WordPress, Drupal, Joomla, Moodle, Kentico, etc.).
After hardening a website
Website owners should consider the following:
- Self-assess the applied security controls using both automated tools and manual checks