Website security should be continuously considered when building or maintaining any website, not necessarily an afterthought or by the time its too late. One way to help prevent website security vulnerabilities is to set-up some basic best practice HTTP security headers. This can be achieved fairly simply with a bit of configuration. With these HTTP response headers in place it can help to prevent security vulnerabilities like Cross-Site Scripting, Clickjacking, Information disclosure and more.
A great tool I have found, which is freely available, to help analyse your websites security headers is Scott Helme's Security Headers website. Just enter your URL and hit Scan, you'll then be provided with a security report and a grade for your website. Looking at the statistics of scanned sites only 12.3% of the sites achieve a good grade of A to A+, the reaming 87.7% sites all require attention with grades between B to F.
As I have a keen interest in both football and development, I thought, out of interest, I'd test the Premier League clubs websites for these HTTP security headers. Below are the interesting results!
| Position | Club | Grade |
|---|---|---|
| 1. | West Ham | A |
| 2. | Arsenal | C |
| 3. | Aston Villa | D |
| 4. | Brentford | D |
| 5. | Brighton and Hove Albion | D |
| 6. | Chelsea | D |
| 7. | Crystal Palace | D |
| 8. | Everton | D |
| 9. | Manchester City | D |
| 10. | Manchester United | D |
| 11. | Newcastle | D |
| 12. | Leicester City | D |
| 13. | Southampton | D |
| 14. | Tottenham Hotspur | D |
| 15. | Watford | D |
| 16. | Wolverhampton Wanderers | D |
| 17. | Burnley | F |
| 18. | Norwich | F |
| 19. | Leeds | F |
| 20. | Liverpool | F |
Conclusion
As you can see there is one clear winner, West Ham's site has clearly taken website security more seriously. Arsenal secured a Champions League spot, however there is room for improvement.
The teams in the relegation zone are Burnley, Norwich, Leeds and surprisingly Liverpool. They haven't taken much action to secure their website headers, urgent attention is required.
The remaining clubs from 4 through to 16, including some big hitters such as Man City, Man Utd, Chelsea and Tottenham Hotspur need to take action.
18 of the 20 Premier League clubs should really consider improving their website security headers to achieve best security practices.
If you would like to know how to configure and set-up HTTP security headers in ASP.NET Core .NET 5 please read my blog article Set-up HTTP Security Headers in ASP.NET Core.