UpGuard Cybersecurity Report Help

Helping You Understand Your Security Report

Now that you’ve received your UpGuard Security Report, it’s likely that you have some questions. We’ve outlined the 10 most common findings, what they mean and how you can fix them on your website.

DNSSEC Not Enabled

What Is It?

Think of the internet like a huge phone book. When you want to go to a website, your computer needs to find the website’s number, called an IP address. Sometimes, bad people can give your computer the wrong number, leading you to a bad place instead of the website you want.

DNSSEC is like a safety check for the numbers your computer gets. It makes sure the number comes from a trusted source and hasn’t been changed by bad people. If the check passes, your computer knows it’s okay to go to the website – it’s like confirming that the number you have is really for your friend, not a stranger, keeping your website safe and secure.

For a more technical explanation, please refer to the ICANN guide here.

How To Fix It

Guide to fix DNSSEC Not Enabled

No matter which website platform you use, keeping it secure is very important. DNSSEC (Domain Name System Security Extensions) is a way to make sure the information about your website is real and hasn’t been changed by an unknown third party.

To check your domain’s DNSSEC Status, use a tool to see if your website has DNSSEC protection already. Verisign Labs DNSSEC Analyser is a good option.

  • If you are using cPanel, please follow this guide to enable DNSSEC.
  • If you’re using Cloudflare, here’s the guide to enable DNSSEC.
  • For Wix websites, the ability to enable DNSSEC is unavailable.
  • For WordPress sites, please follow either the guide for Cloudflare or cPanel, as there are no plugins to assist with this task.

UpGuard has also created its own DNSSEC Risk guide.
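Whichever guide you follow, the step that actually links your zone into the chain of trust is publishing a DS record at your registrar that matches the signing key (DNSKEY) your DNS host generated. The script below, added here as an example and not part of UpGuard’s or any provider’s tooling, computes the key tag and SHA-256 DS digest from a DNSKEY exactly as a resolver does, so you can confirm the DS your registrar shows really matches the key before you rely on it. The key material in it is a constructed placeholder, not a real key.

```python
import base64
import hashlib


def name_to_wire(owner: str) -> bytes:
    """Encode an owner name in DNS wire format: length-prefixed, lowercased labels, root label last."""
    wire = b""
    for label in owner.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key_b64: str) -> bytes:
    """RDATA of a DNSKEY record: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, raw key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(public_key_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B: a 16-bit checksum used to pick one key out of a key set."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_record(owner: str, flags: int, protocol: int, algorithm: int, public_key_b64: str) -> str:
    """Build the DS record (digest type 2 = SHA-256) that the parent zone publishes for this DNSKEY.

    The digest covers the owner name in wire format followed by the DNSKEY RDATA, so a validating
    resolver can confirm that the key it fetched from the child is the one the parent vouched for.
    """
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key_b64)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} 2 {digest}"


def ds_matches(owner: str, flags: int, protocol: int, algorithm: int,
               public_key_b64: str, published_ds: str) -> bool:
    """Compare the last four fields (key tag, algorithm, digest type, digest) of a DS record
    already published at the registrar with the one derived from the child's DNSKEY."""
    expected = ds_record(owner, flags, protocol, algorithm, public_key_b64).split()[-4:]
    return published_ds.split()[-4:] == expected


# Constructed placeholder key (4 bytes, not a real ECDSA key): flags 257 = KSK, protocol 3,
# algorithm 13 = ECDSA P-256 with SHA-256.
EXAMPLE_OWNER = "example.com."
EXAMPLE_KEY_B64 = "AQIDBA=="

if __name__ == "__main__":
    ds = ds_record(EXAMPLE_OWNER, 257, 3, 13, EXAMPLE_KEY_B64)
    print(ds)
    print("matches published DS:", ds_matches(EXAMPLE_OWNER, 257, 3, 13, EXAMPLE_KEY_B64, ds))
```

Paste the real DNSKEY values (flags, protocol, algorithm and the base64 key) your DNS host shows you in place of the placeholder; if the digest it prints differs from the DS at your registrar, resolvers will treat your zone as broken rather than merely unsigned, so fix the DS before the check in the report is re-run.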

CAA Not Enabled

What Is It?

Imagine the internet’s phone book has a special page where website owners list which key-makers (certificate authorities, or CAs) they trust to make keys (SSL certificates) for their websites. These keys are like special ID badges websites use to prove they are real. This special page is called a CAA record—Certificate Authority Authorization.

When a website doesn’t have this special page set up (CAA not enabled), it’s like saying, “Any key-maker can make keys for me.” This could be risky because a sneaky key-maker might make a fake key and trick people into thinking they’re visiting the real website – but they’re not.

Having a CAA record is like a website owner saying, “Only these specific key-makers can make keys for my website.” A key-maker that follows the rules must check this list before making a key and must refuse if it is not on the list; if you add a contact address to the record (the “iodef” entry), the key-maker can also tell you about the request it refused. This helps prevent a hacking attempt and keeps visitors safe. Note that the list is only checked by key-makers at the moment a key is made; it does not stop a visitor’s browser from accepting a key that a dishonest key-maker issued anyway.

For a more technical explanation, please see Let’s Encrypt’s guide here.

How To Fix It

Guide to adding a CAA record

If you want to make your website safer, you can add CAA (Certificate Authority Authorisation) records to your domain. Here’s how you can do it:

To check if you have a CAA record, please visit Entrust to search.

To add a CAA, please follow the following steps:

  • If you are using cPanel, please follow this guide to add a CAA record.
  • If you’re using Cloudflare, here’s the guide to add a CAA record.
  • For Wix websites, the ability to add a CAA record is unavailable.
  • For WordPress sites, please follow either the guide for Cloudflare or cPanel, as there are no plugins to assist with this task.

To assist with creating your CAA record, please visit SSLmate.com/caa.
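To see what a CA actually does with the records you are about to publish, the following script, added here as an example and not part of UpGuard’s or SSLMate’s tooling, applies the RFC 8659 lookup rules to a small constructed zone: it walks up from the requested name to find the relevant CAA set, distinguishes wildcard from ordinary names, honours the critical flag, and returns whether a given CA may issue. The zone contents, CA names and contact address are made up for the example.

```python
from dataclasses import dataclass

CRITICAL = 128                       # flag bit: a CA that does not understand the tag must not issue
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str


# Constructed zone data standing in for real DNS answers (this is not a live lookup).
ZONE = {
    "example.com.": [
        CAA(0, "issue", "letsencrypt.org"),
        CAA(0, "issuewild", ";"),                        # ';' alone: nobody may issue wildcard certs
        CAA(0, "iodef", "mailto:security@example.com"),  # where a CA may report refused requests
    ],
    "legacy.example.com.": [CAA(0, "issue", "digicert.com")],
}


def relevant_caa(name: str) -> list[CAA]:
    """Walk from the name towards the root and return the first CAA set found (RFC 8659 section 3)."""
    labels = name.rstrip(".").lower().split(".")
    while labels:
        rrset = ZONE.get(".".join(labels) + ".")
        if rrset:
            return rrset
        labels = labels[1:]
    return []


def ca_may_issue(ca_domain: str, name: str) -> bool:
    """Decide, as a CA must, whether ca_domain is allowed to issue a certificate for name."""
    wildcard = name.startswith("*.")
    rrset = relevant_caa(name[2:] if wildcard else name)
    # An unknown tag marked critical forbids issuance outright.
    if any(r.flags & CRITICAL and r.tag.lower() not in KNOWN_TAGS for r in rrset):
        return False
    # Wildcard requests use issuewild when present, otherwise fall back to issue.
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in rrset):
        tag = "issuewild"
    permitted = [r for r in rrset if r.tag.lower() == tag]
    if not permitted:
        return True   # no CAA restriction at all: any CA may issue (the "CAA Not Enabled" finding)
    for r in permitted:
        issuer = r.value.split(";", 1)[0].strip().lower()  # text before ';' names the CA
        if issuer and issuer == ca_domain.lower():
            return True
    return False


def zone_lines(owner: str) -> list[str]:
    """Render the records for an owner as zone-file lines, ready to paste into a DNS editor."""
    return [f'{owner} IN CAA {r.flags} {r.tag} "{r.value}"' for r in ZONE.get(owner, [])]


if __name__ == "__main__":
    for line in zone_lines("example.com."):
        print(line)
    for ca, name in [("letsencrypt.org", "www.example.com."), ("digicert.com", "www.example.com."),
                     ("letsencrypt.org", "*.example.com."), ("anyca.example", "no-caa.test.")]:
        print(f"{ca:16} {name:20} -> {'may issue' if ca_may_issue(ca, name) else 'refused'}")
```

The last case is the one the report flags: with no CAA record anywhere up the tree, every CA is permitted, which is what “CAA Not Enabled” means.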

CSP is Not Implemented

What Is It?

Imagine the internet’s websites as houses in a big city. Everything a web page shows or runs (scripts, styles, images, fonts) is delivered by someone arriving at the door. A CSP, or Content Security Policy, is a list of rules that says which suppliers the browser may accept deliveries from for each kind of content, for example “scripts only from my own site”, and the browser turns away anything that is not on the list.

When a CSP is not used, it’s like telling the house to accept any delivery from anyone. If a hacker manages to slip their own script into one of your pages (a cross-site scripting attack) or into a third-party service you load, the browser has no reason to refuse it, and the hacker can steal visitors’ sessions or inject unwanted advertisements or harmful software.

Using CSP is like setting up a security check at the door. Every delivery is checked against the approved list; if the supplier doesn’t match, the delivery is refused. A CSP does not stop hackers from trying, but it stops most injected content from running, which is what keeps visitors safe.

For a more technical explanation, please see UpGuard’s CSP post.

How To Fix It

Guide to implementing a CSP Policy on your website

To check if you have an existing CSP (Content Security Policy) active on your website, please run a test at https://cspvalidator.org.

To set up a successful CSP, first make an inventory of everything your pages load or run: scripts, stylesheets, images, fonts, frames and connections to other domains, including third-party services such as analytics or chat widgets. Start by sending the policy in the Content-Security-Policy-Report-Only header rather than Content-Security-Policy: browsers then report violations without blocking anything, so you can refine the policy without breaking your website’s operations. Switch to the enforcing header only once the reports are quiet.

There are numerous step-by-step guides to help you through the process of creating a CSP, including:

A great site scanning website to check your current CSP status before and after implementation can be found here.

Once you have created your CSP, use this website to test and evaluate your policy.

UpGuard has also created its own Content Security Policy explainer guide.
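Before pasting a policy into a testing site, it helps to know what the testers look for. The script below is an added example, not UpGuard’s or cspvalidator.org’s code: it parses a Content-Security-Policy header the way browsers do (first copy of a repeated directive wins, fetch directives fall back to default-src), flags the settings that make a policy ineffective against injected scripts, and shows how to wrap a draft policy in the report-only header. The two policies and the report endpoint path are constructed for the example.

```python
SCHEME_WIDE = {"*", "http:", "https:", "data:", "blob:", "filesystem:"}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [sources]}; browsers keep only the first copy of a directive."""
    policy: dict[str, list[str]] = {}
    for chunk in header.split(";"):
        parts = chunk.split()
        if not parts:
            continue
        name, values = parts[0].lower(), parts[1:]
        if name not in policy:
            policy[name] = values
    return policy


def effective(policy: dict[str, list[str]], directive: str) -> list[str]:
    """Fetch directives that are not set explicitly inherit default-src."""
    return policy.get(directive, policy.get("default-src", []))


def audit_csp(header: str) -> list[str]:
    """Return the weaknesses that let injected content run despite the policy."""
    policy = parse_csp(header)
    findings = []
    if "default-src" not in policy:
        findings.append("default-src missing: any fetch directive you did not list is unrestricted")
    script = effective(policy, "script-src")
    # Browsers ignore 'unsafe-inline' once a nonce or hash is present, so only flag it on its own.
    nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script)
    if "'unsafe-inline'" in script and not nonce_or_hash:
        findings.append("script-src allows 'unsafe-inline': an injected <script> block still runs")
    if "'unsafe-eval'" in script:
        findings.append("script-src allows 'unsafe-eval': string-to-code functions are usable")
    for src in script:
        if src in SCHEME_WIDE or src.startswith("*."):
            findings.append(f"script-src allows the broad source {src}")
    if "'none'" not in effective(policy, "object-src"):
        findings.append("object-src should be 'none': plugin content is another script-execution path")
    if "base-uri" not in policy:
        findings.append("base-uri missing: an injected <base> tag can redirect relative script URLs")
    return findings


def report_only_header(policy: str, report_endpoint: str) -> tuple[str, str]:
    """Wrap a draft policy for a trial run: violations are reported, nothing is blocked.

    report-uri is deprecated in favour of report-to but is still the most widely supported
    reporting directive; report_endpoint is an assumed path on your own site.
    """
    return ("Content-Security-Policy-Report-Only", f"{policy}; report-uri {report_endpoint}")


# Constructed policies for the example.
WEAK_POLICY = "default-src *; script-src * 'unsafe-inline' 'unsafe-eval'"
STRONG_POLICY = ("default-src 'self'; script-src 'self' 'nonce-r4nd0m'; object-src 'none'; "
                 "base-uri 'self'; frame-ancestors 'none'")

if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("strong", STRONG_POLICY)):
        print(label, audit_csp(policy) or "no findings")
    print(report_only_header(STRONG_POLICY, "/csp-reports"))
```

The nonce in the strong policy must be regenerated per response; a fixed value in the header defeats the point, because an attacker can read it from the page and reuse it.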

DMARC Policy Not Found

What Is It?

When you send out invitations to a party, you want to make sure only your friends get them, not anyone trying to trick them with fake ones. DMARC is like a set of rules for your email that helps your friends check if the invitations they get from you are real. If there are no DMARC rules, hackers can easily send fake invites, which can be dangerous.

Having a DMARC policy is like putting a special stamp on your invitations that only you have. This helps your friends know if the invitation is really from you. If it matches your rules, your friends know it’s safe. If it doesn’t, they can either throw it away or let you know. Not having a DMARC policy means there’s no specific way to check if emails from your domain are really from you, leaving room for hackers to send fake ones. Setting up a DMARC policy helps ensure that only real emails from you are accepted, keeping everyone safer.

For a more technical explanation, check out this definitive guide.

How To Fix It

Guide to implementing a DMARC policy on your domain

To check your current setup, please inspect your domain here.

Prior to implementing a DMARC policy, a few initial steps need to be taken.

Both a Sender Policy Framework (SPF) record and a DomainKeys Identified Mail (DKIM) record need to be set up.

A guide to creating an SPF record can be found here. If you need help generating an SPF record, you can use this generator.

Here is the guide to creating a DKIM record. You can use this tool to generate a DKIM record.

Once you have set both of these records up, you can proceed with implementing your DMARC policy.

  • If you are using cPanel, please follow this guide to implement your DMARC policy.
  • If you’re using Cloudflare, here’s the guide to creating your DMARC policy and setting up your SPF and DKIM records.
  • For Wix websites, please follow this guide to add your SPF and DKIM records and set up your DMARC policy.
  • For WordPress sites, as your DNS settings need updating, please follow one of the guides above.

Once you have implemented your DMARC policy, you can test for its success here.

UpGuard has also created its own DMARC Risk guide.
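The procedure above ends with publishing a TXT record such as “v=DMARC1; p=reject; …”, and the testing tools then report whether messages pass. The script below, an added example rather than code from UpGuard or any of the linked guides, shows what a receiving mail server does with that record: it checks the record is well formed, then decides for a message whether SPF or DKIM passed in alignment with the From domain and, if neither did, which policy applies. The record, domains and message details are constructed; the organizational-domain rule is simplified to the last two labels (real receivers use the Public Suffix List).

```python
from typing import Optional

POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(txt: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=reject; ...' into a tag dictionary."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def validate_dmarc(txt: str) -> list[str]:
    """Problems that make receivers ignore the record (what 'DMARC Policy Not Found' can mean)."""
    problems = []
    if not txt.strip().lower().startswith("v=dmarc1"):
        problems.append("record must begin with v=DMARC1")
    tags = parse_dmarc(txt)
    if tags.get("p") not in POLICIES:
        problems.append("p= must be none, quarantine or reject")
    if "sp" in tags and tags["sp"] not in POLICIES:
        problems.append("sp= must be none, quarantine or reject")
    return problems


def organizational_domain(domain: str) -> str:
    # Simplification for the example: last two labels. Real receivers consult the Public Suffix List.
    return ".".join(domain.lower().strip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """'s' (strict) needs an exact match; 'r' (relaxed, the default) accepts the same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return organizational_domain(from_domain) == organizational_domain(auth_domain)


def dmarc_disposition(record: str, policy_domain: str, from_domain: str,
                      spf: Optional[tuple[str, bool]], dkim: Optional[tuple[str, bool]]) -> str:
    """Return 'pass' when an aligned authentication passed, otherwise the policy the receiver applies.

    spf is (MAIL FROM domain, passed?) and dkim is (d= domain of the signature, verified?);
    None means that check produced no result for the message.
    """
    tags = parse_dmarc(record)
    spf_ok = bool(spf and spf[1] and aligned(from_domain, spf[0], tags.get("aspf", "r")))
    dkim_ok = bool(dkim and dkim[1] and aligned(from_domain, dkim[0], tags.get("adkim", "r")))
    if spf_ok or dkim_ok:
        return "pass"
    # Mail from a subdomain uses sp= when it is set, otherwise the main p= policy.
    if from_domain.lower() != policy_domain.lower() and "sp" in tags:
        return tags["sp"]
    return tags.get("p", "none")


# Constructed record and messages for the example.
RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; rua=mailto:dmarc-reports@example.com"

if __name__ == "__main__":
    print("record problems:", validate_dmarc(RECORD) or "none")
    # Legitimate mail: SPF passes for a bounce subdomain, relaxed alignment accepts it.
    print(dmarc_disposition(RECORD, "example.com", "example.com", ("bounce.example.com", True), None))
    # Spoofed From: SPF and DKIM both pass, but for the attacker's own domain.
    print(dmarc_disposition(RECORD, "example.com", "example.com", ("attacker.net", True), ("attacker.net", True)))
    # Subdomain sender signed with the parent domain key: strict adkim rejects the alignment.
    print(dmarc_disposition(RECORD, "example.com", "news.example.com", ("mailer.net", False), ("example.com", True)))
```

The second case is the one DMARC exists for: a forger can make SPF and DKIM pass for a domain they control, and only the alignment check against the visible From address exposes the forgery.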

Weak Cipher Suites Supported in TLS 1.2

What Is It?

Sending a secret letter to a friend is like using a special box with a key (like TLS, a security system for the internet). Not all locks and keys are equally strong. Hackers can easily open some (and these are the “weak cipher suites”).

Supporting weak cipher suites in TLS 1.2 is like using a flimsy lock for your secret box. Even though TLS 1.2 is a newer, stronger type of box, a weak lock means a hacker who can see the box in transit (on public Wi-Fi, at a compromised network hop, or after misleading you to the wrong address as in the DNSSEC example above) may still open it and read your secrets.

When a website supports weak cipher suites, it’s like they’re saying, “It’s okay to use flimsy locks for our secret boxes.” This makes it easier for hackers to break in and see the secrets being sent back and forth, like passwords or personal information.

To stay safe, websites need to only use strong locks for their secret boxes, ensuring that even if hackers get their hands on a box, they can’t open it and see the secrets inside.

For a more technical explanation, please visit SecurityScorecard’s TLS Weak Cipher breakdown.

How To Fix It

Guide to strengthening Weak Cipher Suites Supported in TLS 1.2

To check your current setup, please inspect your domain here.

  • If you are using cPanel, please follow this guide to update your ciphers.
  • If you’re using Cloudflare, here’s the guide to disable weak ciphers.
  • For Wix websites, we are unsure whether this is an available option.
  • For WordPress sites, as this is generally a server setting relating to your SSL certificate, it needs to be managed via one of the above options.

Once you have strengthened your ciphers, please run another test to check.

UpGuard has also created its own guide on how to identify and strengthen Weak SSL.
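Scanners report the supported suites by their IANA names, which encode the key exchange, cipher and MAC in the name itself, so the weak ones can be recognised without a lookup table. The script below is an added example, not UpGuard’s scanner logic or any provider’s configuration: it grades a suite from its name, giving the reason, and filters a constructed scan result down to the suites worth keeping. The grading thresholds (for example treating non-AEAD CBC suites and suites without forward secrecy as weak) are an assumption modelled on what scanners commonly flag for TLS 1.2.

```python
import re


def classify_suite(name: str) -> tuple[str, str]:
    """Grade an IANA-style TLS 1.2 cipher suite name; returns (grade, reason)."""
    n = name.upper()
    if any(x in n for x in ("_NULL_", "EXPORT", "_ANON_", "_ADH_", "_AECDH_")):
        return "insecure", "no encryption, export-grade key or unauthenticated key exchange"
    if "RC4" in n:
        return "insecure", "RC4 keystream biases allow plaintext recovery"
    if "3DES" in n or "DES_CBC" in n:
        return "weak", "64-bit block cipher (Sweet32 birthday attacks on long sessions)"
    if n.endswith("_MD5"):
        return "weak", "MD5-based MAC"
    if not re.search(r"_(ECDHE|DHE)_", n):
        return "weak", "static RSA/DH key exchange gives no forward secrecy"
    if "_CBC_" in n:
        return "weak", "CBC mode without AEAD (padding-oracle history such as Lucky13)"
    if any(x in n for x in ("_GCM_", "_CCM", "CHACHA20_POLY1305")):
        return "strong", "AEAD cipher with ephemeral key exchange"
    return "unknown", "not recognised; review manually"


def grade_scan(suites: list[str]) -> dict[str, tuple[str, str]]:
    return {s: classify_suite(s) for s in suites}


def strong_only(suites: list[str]) -> list[str]:
    """The subset of a scanner's list that can stay enabled."""
    return [s for s in suites if classify_suite(s)[0] == "strong"]


# Constructed scan result standing in for what a TLS scanner would list for a server.
SCAN_RESULT = [
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_RSA_WITH_RC4_128_MD5",
]

if __name__ == "__main__":
    for suite, (grade, reason) in grade_scan(SCAN_RESULT).items():
        print(f"{grade:9} {suite:48} {reason}")
    print("keep:", strong_only(SCAN_RESULT))
```

Removing a suite is a server-side change (web server, load balancer or CDN edge), not a change to the certificate; after editing the list, re-run the scan rather than trusting the configuration file, because an intermediary in front of the server may negotiate its own suites.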

X-Frame-Options is Not DENY or SAMEORIGIN

What Is It?

Imagine every page on your website is a picture. Other websites can put your picture inside a frame on their own page (an HTML iframe). A hacker can then hide your real “log in” or “confirm payment” button underneath something harmless-looking, so that visitors click on your page without realising it; this is called clickjacking. The “X-Frame-Options” setting is the rule that tells browsers whose frames are allowed to display your picture. If it is missing, or set to anything other than “DENY” or “SAMEORIGIN”, browsers let any site on the internet frame your pages.

Setting “X-Frame-Options” to “DENY” means no site, not even your own, may show your pages inside a frame. Setting it to “SAMEORIGIN” means only pages on your own website may do so. The older “ALLOW-FROM” value is ignored by current browsers; if you need to allow one specific partner site, use the “frame-ancestors” directive of a Content Security Policy, which is the modern replacement for this header. Not setting “X-Frame-Options” properly is risky, like leaving your front door unlocked. But setting it right keeps the hackers out.

For a more technical explanation, please check out this misconfigured X-Frame-Options guide.

How To Fix It

Fixing X-Frame-Options is not DENY or SAMEORIGIN

To check your current setup, you can test your domain here.

Once you have fixed this issue, please run another test to check.

UpGuard has also created a guide to prevent clickjacking.

X-Content-Type-Options is Not Nosniff

What Is It?

Imagine you’re at a bakery picking up a cake labelled “Chocolate Cake.” You trust the label and expect a chocolate treat. Now, picture the internet as a huge bakery, and the websites are the cakes. Like cakes, websites send content (like HTML, images, and scripts) to your browser in labelled boxes (HTTP responses).

The “label” on each box is the Content-Type header, which tells your browser what’s inside (like HTML for a webpage or PNG for an image).

If “X-Content-Type-Options” isn’t set to “nosniff,” it’s like letting the bakery label cake boxes carelessly. Someone could say it’s “Chocolate Cake,” but put something else inside, like a lemon cake or even something not edible. When your browser gets a box whose label looks wrong, it peeks inside and guesses what it is (this guessing is called MIME sniffing) instead of trusting the label. This guessing game can be unsafe: a file a visitor uploaded as a harmless image or text file can be guessed to be a script and run, letting people sneak bad stuff onto your computer by pretending it’s harmless.

Setting “X-Content-Type-Options” to “nosniff” tells your browser not to guess what’s inside the box but to trust the label. If it says it’s an HTML document, the browser treats it as HTML; and for scripts and stylesheets, if the label doesn’t match what the page asked for, the browser refuses to use the content at all. This way, just like making sure you get the chocolate cake you want, your browser makes sure the content it deals with is exactly what it’s supposed to be and keeps you safe from hackers.

For a more technical explanation, read this guide.

How To Fix It

Setting X-Content-Type-Options to ‘nosniff’

To check your current setup, you can test your domain here.

Once you have fixed this issue, please run another test to check.

HTTP Does Not Redirect to HTTPS

What Is It?

Imagine you have a special mailbox in town that makes sure your letters stay safe and private. This is like using HTTPS online, which keeps your information secure when you visit websites.

If a website only has HTTP and doesn’t switch to HTTPS, it’s like choosing to use a regular, unsecured mailbox for your letters. This could put your information at risk.

When a website doesn’t automatically switch you from HTTP to HTTPS, it means it’s not making sure your information stays safe from the start. Without this switch, someone might be able to see your letters without you knowing.

But if a website does have the automatic switch, it’s like having someone there to guide you to the safe mailbox. This makes sure you stay protected without having to worry about it.

For a more technical explanation, visit UpGuard’s HTTPS Redirection Risk Exposure article.

How To Fix It

How to fix HTTP does not redirect to HTTPS

To check if your website is redirecting HTTP to HTTPS, you can test your domain here.

Once you have fixed this issue, please run another test to check.

Hostname Does Not Match SSL Certificate

What Is It?

Imagine your computer has a special key to open your friend’s door. When you go to a website, your computer uses a kind of “key” (SSL certificate) to check if it’s the right “house” (website). The SSL certificate has the website’s name, like a label on the key showing which door it opens.

If the website’s name doesn’t match the name on the SSL certificate, it’s like having a key with the wrong address. Your computer then warns you, “Hey, this key isn’t for this door. Are you sure you’re in the right place?”

This usually happens when the certificate was issued for a different name than the one visitors type: for example, a certificate for www.example.com presented when someone visits example.com without the “www”, a subdomain that was never added to the certificate, or a hosting provider’s default certificate showing up on a shared server because your own certificate was not installed or has expired.

This warning is your computer’s way of telling you to be careful, because you might be going to the wrong website. Like the DNSSEC check, the SSL certificate acts as a stamp of approval, confirming that the website’s name matches the certificate. If they don’t match, it’s a sign that something might be wrong, helping keep you safe from mistakes or deceptions. Visitors who click through the warning anyway are exactly as exposed as if the certificate were missing, so the fix is to issue a certificate that lists every name the site is reached by.

For a more technical explanation, check out UpGuard’s guide to resolving configuration risks.

How To Fix It

How to fix Hostname does not match SSL certificate

To check that your SSL certificate matches your Hostname, test your domain here.

  • If you are using cPanel, please follow this guide to troubleshoot this issue.
  • If you are using Cloudflare, try their troubleshooting page.
  • For Wix websites, you can try their help centre for support.
  • For WordPress sites, please follow the guide for your relevant server location, as it is not handled within WordPress.

Once you have fixed this issue, please run another test to check.

HTTP Strict Transport Security HSTS Not Enforced

What Is It?

Imagine you’re sending a letter to a friend. You can send it in a locked mailbox only you and your friend can open (like HTTPS), or in an open box where anyone can see it (like HTTP).

HTTP Strict Transport Security (HSTS) is like a rule you put on your letters telling your friend, “Use the locked mailbox from now on. Don’t use the open box anymore.” It makes sure your friend always sends letters to you securely, so nobody else can snoop on or mess with them.

If HSTS isn’t enforced, it’s like not having that rule. Even if you both normally use the locked mailbox, your friend might forget and use the open box, risking your communication.

Not enforcing HSTS leaves a door open for sneaky people to intercept your letters, read your private messages, or trick your friend. Enforcing HSTS closes this loophole by making sure that once you use the locked mailbox, it’s always used for future letters, and keeps your communication safe and private.

For a more technical explanation, visit this article.

How To Fix It

Fixing HTTP strict transport security HSTS Not Enforced

To check your current setup, you can test your domain here.

The header alone only protects visitors after their first HTTPS visit, because the browser has to see it once before it can enforce it. Adding your domain to the browsers’ HSTS preload list closes that gap, but it is optional and must be done carefully: the header has to be served on the base domain with a max-age of at least one year, includeSubDomains and the preload directive; every subdomain must work over HTTPS; and removal from the list takes months to reach users, so a subdomain that cannot do HTTPS will stay broken for that long. Once the above has been actioned correctly and you have checked those requirements, you can add your domain here.

Once you have fixed this issue, please run another test to check.

UpGuard has also created a guide to prevent HTTP Attacks.
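The four header findings in this report (the HTTP-to-HTTPS redirect, X-Frame-Options, X-Content-Type-Options and HSTS) are all visible in the first few lines of a server’s response, so they can be checked together. The script below is an added example, not UpGuard’s scanner or any provider’s code: it parses constructed raw HTTP responses, applies the checks for the plain-HTTP request and for the HTTPS response, and tests an HSTS value against the three conditions the preload list requires. The sample responses and hostnames are made up; the one-year threshold for a “short” max-age is an assumption, as UpGuard does not publish its exact cut-off.

```python
from typing import Optional

ONE_YEAR = 31536000  # seconds; the minimum max-age the HSTS preload list accepts


def parse_response(raw: str) -> tuple[int, dict[str, str]]:
    """Split a raw HTTP/1.1 response head into (status code, lowercase header map)."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers: dict[str, str] = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def parse_hsts(value: str) -> dict[str, Optional[str]]:
    """Split 'max-age=N; includeSubDomains; preload' into lowercase directives."""
    directives: dict[str, Optional[str]] = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            directives[key.lower()] = val.strip().strip('"') or None
    return directives


def hsts_max_age(value: str) -> int:
    try:
        return int(parse_hsts(value).get("max-age") or 0)
    except ValueError:
        return 0


def audit_http_response(status: int, headers: dict[str, str]) -> list[str]:
    """The plain-HTTP request must be answered with a redirect straight to an https:// URL."""
    location = headers.get("location", "")
    if status not in (301, 302, 307, 308) or not location.lower().startswith("https://"):
        return ["HTTP does not redirect to HTTPS"]
    return []


def audit_https_response(headers: dict[str, str]) -> list[str]:
    """The three header findings on the HTTPS response."""
    findings = []
    xfo = headers.get("x-frame-options", "").upper()
    csp = headers.get("content-security-policy", "")
    # CSP frame-ancestors is the modern equivalent and is accepted instead of X-Frame-Options.
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("X-Frame-Options is not DENY or SAMEORIGIN (and no CSP frame-ancestors)")
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS not enforced: Strict-Transport-Security header missing")
    else:
        max_age = hsts_max_age(hsts)
        if max_age <= 0:
            findings.append("HSTS max-age is zero or unparsable, so browsers discard the policy")
        elif max_age < ONE_YEAR:
            findings.append(f"HSTS max-age {max_age}s is below the assumed one-year threshold")
    return findings


def preload_eligible(hsts_value: str) -> bool:
    """The conditions hstspreload.org checks on the header value itself."""
    d = parse_hsts(hsts_value)
    return hsts_max_age(hsts_value) >= ONE_YEAR and "includesubdomains" in d and "preload" in d


# Constructed responses for the example.
HTTP_RESPONSE = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://www.example.com/\r\nContent-Length: 0\r\n\r\n"
WEAK_HTTPS = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nStrict-Transport-Security: max-age=300\r\n\r\n<html>"
HARDENED_HTTPS = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: DENY\r\n"
                  "Content-Security-Policy: frame-ancestors 'none'\r\nX-Content-Type-Options: nosniff\r\n"
                  "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n\r\n<html>")

if __name__ == "__main__":
    status, headers = parse_response(HTTP_RESPONSE)
    print("http:", audit_http_response(status, headers) or "redirects to HTTPS")
    for label, raw in (("weak", WEAK_HTTPS), ("hardened", HARDENED_HTTPS)):
        print(label, audit_https_response(parse_response(raw)[1]) or "no findings")
        print("  preload eligible:", preload_eligible(parse_response(raw)[1].get("strict-transport-security", "")))
```

Run the checks against the response for the bare domain and for the “www” name separately; a redirect chain that goes from http://example.com to http://www.example.com before reaching HTTPS still leaves the first hop unprotected, and HSTS is only honoured when it arrives over HTTPS.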
