Your website must offer HTTPS.
We check if your website is reachable over HTTPS. If so, we also check whether HTTPS is configured sufficiently securely. HTTPS guarantees the confidentiality and integrity of the exchanged information. Because how (privacy-)sensitive and valuable information is depends on the situation, a secure HTTPS configuration is important for every website. Even trivial, public information could be extremely sensitive and valuable for a user.
We check if your web server enforces HTTPS, either by a 301/302 redirect from HTTP to HTTPS on the same domain or by supporting only HTTPS. When redirecting, a domain should first upgrade itself by redirecting to its own HTTPS version before it may redirect to another domain. This also ensures that the HSTS policy will be accepted by the web browser.
We check if your web server supports HSTS. HSTS forces a web browser to connect directly via HTTPS when revisiting your website. This helps prevent man-in-the-middle attacks. We consider an HSTS cache validity period of at least six months to be sufficiently secure. A long period is beneficial because it also protects infrequent visitors.
We test if your web server supports HTTP compression. HTTP compression makes the secure connection with your web server vulnerable to the BREACH attack. Turning it off could negatively impact the performance of the web server. If you use it, check whether it is possible to take countermeasures at the application level against this attack vector.
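The following is an added example, not part of the original test description, showing how the redirect, HSTS and compression checks above can be evaluated offline against captured response headers. It assumes "six months" means 6 × 30 days, reads the HSTS validity period from the Strict-Transport-Security max-age directive, and uses constructed sample responses rather than output from a real site.

```python
from urllib.parse import urlparse

# Assumption: "at least six months" is taken as 6 * 30 days, expressed in seconds.
SIX_MONTHS_SECONDS = 6 * 30 * 24 * 3600

def _header(headers, name):
    """Case-insensitive lookup of one header value; None when absent."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)

def redirect_upgrades_same_domain(http_url, status, location):
    """True when the plain-HTTP response is a 301/302 to the HTTPS version of the same host."""
    if status not in (301, 302) or not location:
        return False
    src, dst = urlparse(http_url), urlparse(location)
    return dst.scheme == "https" and dst.hostname == src.hostname

def hsts_max_age(headers):
    """Return max-age (seconds) from Strict-Transport-Security, or None if absent or invalid."""
    value = _header(headers, "Strict-Transport-Security")
    if value is None:
        return None
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(arg.strip().strip('"'))
            except ValueError:
                return None
    return None

def evaluate(http_url, http_status, http_headers, https_headers):
    """Apply the three checks above to a captured HTTP response and HTTPS response headers."""
    max_age = hsts_max_age(https_headers)
    encoding = _header(https_headers, "Content-Encoding")
    return {
        "https_redirect": redirect_upgrades_same_domain(
            http_url, http_status, _header(http_headers, "Location")),
        "hsts_sufficient": max_age is not None and max_age >= SIX_MONTHS_SECONDS,
        # "identity" means no compression was applied to the body
        "compression_enabled": encoding is not None and encoding.strip().lower() != "identity",
    }

# Constructed sample responses (not captured from a real site).
HTTP_RESPONSE = (301, {"Location": "https://www.example.com/"})
HTTPS_HEADERS = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
                 "Content-Encoding": "gzip"}
```

Calling `evaluate("http://www.example.com/", *HTTP_RESPONSE, HTTPS_HEADERS)` on the sample data reports the redirect and HSTS checks as passed and flags that compression is enabled.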