Trying Out Web Check
Introduction
I’m running Web-Check (GitHub - Lissy93/web-check: 🕵️♂️ All-in-one OSINT tool for analysing any website) on Unraid using Docker. This app was not yet available on the Community Applications (CA) but was quite easy to set up, so I took the opportunity to make my first contribution there. This app will also help optimize this site further!
Publishing the CA template
I followed a great video by IBRACORP to publish the CA template: Unraid Docker Apps: Top Tips for Community Publishing - YouTube
At the time of writing, I’m awaiting a response from the Unraid moderator. You can find the repository here: GitHub - iscsitarget/unraid-templates
Errors on the first run
During the first run, 7 out of the 37 jobs failed or were skipped:
- quality: Needed to add a Google Cloud API key to the template.
- tech-stack: Related to a Chromium binary issue. Could not fix.
- cookies: Skipped because no cookies found 😎
- mail-config: Unclear how to fix.
- rank: Skipped because the site is ranked too low 😒
- screenshot: Also related to Chromium. It did show a screenshot in the results though.
- features: Needed to add a BuiltWith API key to the template.
Actual first run
Despite fixing some issues, there were still 3 fails and 2 skips. Here’s an overview of interesting scan results for this site:
- WAF: ✅ Yes - Cloudflare
- HTTP -> HTTPS Redirect: ✅ Yes
- Security.txt File Present: ❌ No
- Internet Archive Snapshots: Some snapshots were taken, which I found interesting.
HTTP Security
- Content Security Policy: ❌ No
- Strict Transport Policy: ✅ Yes
- X-Content-Type-Options: ✅ Yes
- X-Frame-Options: ❌ No
- X-XSS-Protection: ❌ No
DNSSEC
TLS Security Issues
- CA Authorization❌
- Symantec Distrust:
path uses a root not trusted by Mozilla: C=US, O=Google Trust Services LLC, CN=GTS Root R4 (id=188409402) - Compatibility Config Issues (5)
- ecdsa-with-SHA256 is not an old certificate signature, use sha1WithRSAEncryption…
- consider adding ciphers ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY13…
- add protocols TLSv1.1, TLSv1, SSLv3
- add cipher DES-CBC3-SHA for backward compatibility
- use a certificate of the type rsa, not ECDSA
- Intermediate Issues (4)
- ecdsa-with-SHA256 is not an intermediate certificate signature, use sha256WithRS…
- consider adding ciphers ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY13…
- add protocols TLSv1.1, TLSv1
- use a certificate of type rsa, not ECDSA
- Modern Issues (2)
- remove ciphersuites ECDHE-ECDSA-AES128-SHA, ECDHE-ECDSA-AES256-SHA, ECDHE-RSA-AE…
- consider adding ciphers ECDHE-ECDSA-CHACHA20-POLY1305, ECDHE-RSA-CHACHA20-POLY13…
Steps Taken to Improve
- Enabled HSTS in Cloudflare (Dashboard -> SSL/TLS -> Edge Certificates)
- Set minimum TLS Version to 1.0 (Same page as above)
- Set SSL mode to Full (strict)
- Added a security.txt file, check it out 😁Rootify.net | Thomas Melkebeke
Added a _headers file:
/
Content-Security-Policy: default-src 'self'; script-src 'self' https://static.cloudflareinsights.com; style-src 'self' 'unsafe-inline'; img-src 'self' data:; object-src 'none'; frame-ancestors 'none';
X-Frame-Options: DENY
X-XSS-Protection: 1; mode=blockNew Scan Results
- DNSSEC: Still shows problems, but other tools (e.g., dnsviz.net) indicate DNSKEY, DS, and RRSIG are fine.
- Quality wise the performance went up from 81% -> 88%, the other metrics are unchanged. There is still some work to be done here.
- The TLS Security Issues stayed the same, maybe it takes some time to renew. There are also more advanced TLS settings within Cloudflare but they require a paid subscription.
- Security.txt: ✅ Present. Not PGP signed, which is acceptable for now.
- HSTS Check: Still notes that the HSTS header does not include all subdomains. I didn’t want to modify this as to not interfere with subdomains (yet)
Final Thoughts
Web-Check is a useful tool for analyzing websites and can serve as a guideline to further optimize them. This project helped me learn about contributing to Unraid CA and optimizing my static website.
There is still work to be done on the development side to improve quality metrics (Performance, Accessibility, Best-Practices, and SEO), and I hope to address these soon.