How secure is this site?
There's no simple answer to this question. Nothing is ever "truly secure" in the sense that it will never be hacked, exploited, or prodded for vulnerabilities at some point in time. However, security best practice dictates certain standards that should always be applied to any online platform, so that the owner or administrator has made every reasonable effort to secure it as far as is possible (or feasible, in the sense that over-hardening does not negatively impact the user experience).
Based on this approach, below are recent tests that have been conducted against this platform, together with their score or grade. In each screenshot, I've included an explanation as to why these settings are important.
Certificate and SSL Test
SSL certificates are small data files that digitally bind a cryptographic key to an organization's details. When one is installed on a web server, it activates the padlock and the HTTPS protocol and allows secure connections between the web server and a browser. Typically, SSL is used to secure credit card transactions, data transfers and logins, and more recently it has become the norm for securing browsing of social media sites.
Site Security Headers Test
Another major component of securing a web server, and any site that runs on it, is to ensure that the "headers" sent by that server are themselves secure and cannot be malformed in any way. A very common example of how data can be injected into sites without consent is XSS (Cross-Site Scripting).
Cross-Site Scripting (XSS) attacks are a type of injection, in which malicious scripts are injected into otherwise benign and trusted websites. XSS attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user within the output it generates without validating or encoding it.
An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by the browser and used with that site. These scripts can even rewrite the content of the HTML page.
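To make the headers test concrete, here is an added example (not code from this page or from the site it describes) that audits a set of HTTP response headers offline for the controls such tests look for, including the Content-Security-Policy that limits what an injected script can do. The two sample responses are constructed for illustration.

```python
# Added example (not code from the page): an offline audit of HTTP response
# headers against the checks a "security headers" test typically applies.
# The sample responses at the bottom are constructed, not captured from the site.

def audit_security_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    # HSTS: browser keeps using HTTPS for max-age seconds; one year is the usual floor.
    hsts = h.get("strict-transport-security", "")
    max_age = 0
    for directive in hsts.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age" and value.strip().isdigit():
            max_age = int(value)
    if not hsts:
        findings.append("missing Strict-Transport-Security")
    elif max_age < 31536000:
        findings.append("Strict-Transport-Security max-age below one year")
    # CSP: the main browser-side defence against injected scripts (XSS).
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("missing Content-Security-Policy")
    elif "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append("Content-Security-Policy permits unsafe-inline or unsafe-eval")
    # Stops the browser from sniffing a response into a different content type.
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")
    # Clickjacking: needs X-Frame-Options or a CSP frame-ancestors directive.
    xfo = h.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("no framing restriction (X-Frame-Options or frame-ancestors)")
    if "referrer-policy" not in h:
        findings.append("missing Referrer-Policy")
    return findings

# Constructed sample responses: one weakly configured, one hardened.
WEAK = {"Content-Type": "text/html", "X-Frame-Options": "ALLOWALL",
        "Strict-Transport-Security": "max-age=300"}
HARDENED = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains",
            "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
            "X-Content-Type-Options": "nosniff", "Referrer-Policy": "no-referrer"}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_security_headers(hdrs) or ["all checks passed"])
```

Running it reports five findings for the weak response and none for the hardened one; pointing the same function at headers captured from a real response (for example from a browser's network inspector) gives the same kind of report the online test produces.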
Protocol Security Compliance Test
Transport Layer Security (TLS) and its predecessor, Secure Socket Layer (SSL), are widely used protocols. They were designed to secure the transfer of data between the client and the server through authentication, encryption, and integrity protection.
TLS/SSL technology is commonly used in websites and web applications together with the HTTP protocol. It is also used by several other services and protocols, for example, email (SMTP, POP, and IMAP protocols), FTP, chat (XMPP protocol), virtual private networks (TLS/SSL VPNs), and network appliances.
To secure the transfer of data, TLS/SSL uses one or more cipher suites. A cipher suite is a combination of authentication, encryption, and message authentication code (MAC) algorithms. They are used during the negotiation of security settings for a TLS/SSL connection as well as for the transfer of data.