In this post, we review the web security posture of forbes.com

Let’s first browse to the website and view the security headers returned on the main site as well as the trackers used.

HTTP/2.0 200 OK
cache-control: public, max-age=300
content-encoding: gzip
content-type: text/html; charset=utf-8
server: istio-envoy
x-envoy-upstream-service-time: 513
backend: dnsresolver
x-backend: simple-site-prod
x-yourttl: 300.000
accept-ranges: bytes
x-frame-options: SAMEORIGIN
x-cicero-cache: HIT 125
accept-ranges: bytes
date: Mon, 14 Oct 2019 07:08:51 GMT
via: 1.1 varnish
x-served-by: cache-bur17546-BUR
x-cache: MISS
x-cache-hits: 0
x-timer: S1571036932.787387,VS0,VE61
vary: Accept-Encoding, X-is-EU, X-ABtesting
x-country-code: US
x-postal-code: 92009
x-region: CA
access-control-allow-credentials: true
content-security-policy: upgrade-insecure-requests
x-fast-original-x-backend: simple-site-prod
content-length: 62837
X-Firefox-Spdy: h2

In this server response, we see two headers that are correlated with improved security. The first, X-Frame-Options: SAMEORIGIN, protects users from clickjacking by telling the browser to refuse to render the page inside a frame on another origin. The second, Content-Security-Policy, has only one of its dozens of directives set. upgrade-insecure-requests tells the browser to rewrite http:// subresource URLs on the page (and same-site links) to https:// before requesting them. This is good in that it keeps the page from loading mixed content over plaintext HTTP, but it is a relatively minor control: it does not stop the browser's initial plaintext request on a later visit the way HSTS does, and with no default-src or script-src directive the policy places no restriction on where scripts, frames or objects may be loaded from, which is the main reason to deploy CSP at all.

Missing Security Headers

  • Referrer-Policy
  • Strict-Transport-Security (HSTS)
  • X-XSS-Protection (of limited value; browsers were already retiring their XSS auditors in favour of CSP)
  • Feature-Policy
  • X-Content-Type-Options: nosniff
  • X-Download-Options
  • Expect-CT

Account Signup Security

When we navigate to blogs.forbes.com/account/register we get the following headers in the response:

HTTP/2.0 200 OK
server: Apache
cache-control: max-age=1, private, must-revalidate
expires: Tue, 15 Oct 2019 02:47:33 GMT
vary: Accept-Encoding
content-encoding: gzip
content-type: text/html; charset=UTF-8
backend: blogs
x-url: /account/register/
x-host: blogs.forbes.com
content-length: 4782
accept-ranges: bytes
date: Tue, 15 Oct 2019 03:42:24 GMT
x-frame-options: SAMEORIGIN
x-cache: HIT 3
via: 1.1 google
alt-svc: clear
X-Firefox-Spdy: h2

Interestingly enough, the account signup page seems to have fewer security controls on it than the main page! This is never good: the registration page is where credentials are entered, so it should carry at least the protections of the home page. They're missing:

  • Referrer-Policy
  • Content-Security-Policy
  • Strict-Transport-Security (HSTS)
  • X-XSS-Protection
  • Feature-Policy
  • X-Content-Type-Options: nosniff
  • X-Download-Options
  • Expect-CT

The good news is that the sign-up page is also protected from clickjacking, since X-Frame-Options is set to SAMEORIGIN. However, the Server header (server: Apache) discloses the web server software; the main site does the same with server: istio-envoy, and both responses name internal components in headers such as backend, x-backend and x-served-by, which gives an attacker a free inventory of the serving stack.

Final word on headers: Kudos to Forbes.com for getting a start on Content-Security-Policy and setting their X-Frame-Options to prevent clickjacking. However, with several important security headers missing such as Referrer-Policy, X-Content-Type-Options, and HSTS, we can only give them a C rating when it comes to HTTP security headers.

Header Score: C
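As an added example (not code from the original post), the following Python script applies the checks discussed above to a raw response dump of the kind copied from browser devtools: it reports which of the expected headers are missing or weakly set, splits the Content-Security-Policy into its directives so a policy that carries only upgrade-insecure-requests stands out, and flags headers that disclose the serving stack. The list of expected headers and the value checks are my own choices; the two sample inputs are trimmed copies of the responses quoted in this post.

```python
"""Header audit mirroring the checks in the review above.
Added example, not code from the original post. The expected-header
list, value checks and disclosure list are assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Headers the post looks for, each with a minimal sanity check on its value.
EXPECTED = {
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "content-security-policy": lambda v: bool(v.strip()),
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "referrer-policy": lambda v: bool(v.strip()),
    "x-xss-protection": lambda v: v.strip().startswith("1"),
    "feature-policy": lambda v: bool(v.strip()),
    "x-download-options": lambda v: v.strip().lower() == "noopen",
    "expect-ct": lambda v: "max-age=" in v.lower(),
}

# Headers that reveal server software, backend names or cache nodes.
DISCLOSING = ("server", "x-powered-by", "backend", "x-backend", "x-served-by", "via")


@dataclass
class Audit:
    present: dict[str, str] = field(default_factory=dict)
    missing: list[str] = field(default_factory=list)
    weak: list[str] = field(default_factory=list)
    disclosed: dict[str, str] = field(default_factory=dict)
    csp_directives: list[str] = field(default_factory=list)


def parse_response(raw: str) -> dict[str, str]:
    """Turn a raw response dump into a lowercase-keyed header map.
    Repeated fields (Varnish sends accept-ranges twice above) are joined
    with ', ' as RFC 7230 allows for list-valued headers."""
    headers: dict[str, str] = {}
    for line in raw.strip().splitlines():
        line = line.strip()
        if not line or line.upper().startswith("HTTP/"):
            continue  # blank line or status line
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def csp_directives(policy: str) -> list[str]:
    """Directive names in a CSP value, e.g. ['default-src', 'upgrade-insecure-requests']."""
    return [d.split()[0].lower() for d in policy.split(";") if d.strip()]


def audit(raw: str) -> Audit:
    headers = parse_response(raw)
    result = Audit()
    for name, check in EXPECTED.items():
        if name not in headers:
            result.missing.append(name)
        elif not check(headers[name]):
            result.weak.append(name)
        else:
            result.present[name] = headers[name]
    if "content-security-policy" in headers:
        result.csp_directives = csp_directives(headers["content-security-policy"])
        # Without a fetch directive (default-src, script-src, ...) the policy
        # constrains no script, frame or object sources at all.
        if not any(d.endswith("-src") for d in result.csp_directives):
            result.weak.append("content-security-policy (no *-src directives)")
    for name in DISCLOSING:
        if name in headers:
            result.disclosed[name] = headers[name]
    return result


# Sample inputs: trimmed copies of the two responses quoted in the post.
FORBES_MAIN = """HTTP/2.0 200 OK
server: istio-envoy
x-backend: simple-site-prod
accept-ranges: bytes
x-frame-options: SAMEORIGIN
accept-ranges: bytes
via: 1.1 varnish
x-served-by: cache-bur17546-BUR
content-security-policy: upgrade-insecure-requests
"""

FORBES_REGISTER = """HTTP/2.0 200 OK
server: Apache
backend: blogs
x-frame-options: SAMEORIGIN
via: 1.1 google
"""

if __name__ == "__main__":
    for label, raw in (("forbes.com", FORBES_MAIN),
                       ("blogs.forbes.com/account/register", FORBES_REGISTER)):
        print(f"== {label}", audit(raw), sep="\n")
```

Run it and the main-site result lists seven missing headers plus a weak CSP, while the registration page lists eight missing headers and nothing but X-Frame-Options present. To audit a live site, paste the header block from the devtools Network panel into the raw string; the parser ignores the status line and tolerates repeated fields.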

Trackers

Upon visiting Forbes.com, my DuckDuckGo Privacy extension in Firefox showed that Forbes was using 7 different trackers:

  1. contextual.media.net
  2. googletagmanager.com
  3. googletagservices.com
  4. native.sharethrough.com
  5. static.criteo.net
  6. c.amazon-adsystem.com
  7. z.moatads.com

That is quite a lot of tracking activity!

Tracking Score: D

Performance

Forbes.com seems to load more slowly than average in Chrome, Firefox, and Safari.