We have recently hardened our web server security, giving Runbox an A+ rating on securityheaders.io — in addition to our existing A+ rating on ssllabs.com.
The policies we have implemented are the following:
X-Frame-Options: Tells the browser that we don’t allow the Runbox web site to be framed (embedded) by other web sites, which defends against attacks like click-jacking.
HTTP Strict Transport Security: Strengthens our implementation of Transport Layer Security (TLS) by making the browser enforce the use of encrypted communication (HTTPS).
Content Security Policy: Protects our web site from Cross-Site Scripting (XSS) attacks.
HTTP Public Key Pinning: Protects us from Man-in-the-Middle attacks by making sure the TLS certificates accepted by the browser are the ones deployed on our servers.
X-XSS-Protection: Sets the configuration for the cross-site scripting filters built into most browsers.
X-Content-Type-Options: Forces browsers to use the declared file content type instead of guessing it from the content (“sniffing”), which helps to reduce the danger of drive-by downloads.
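To illustrate how these six policies can be verified on a response, here is an added example of a small checker (not Runbox’s own code or server configuration). It inspects a set of response headers and reports, for each policy above, whether the header is present and whether its value actually provides protection: an HSTS max-age below one year, a CSP that allows inline scripts, or an X-Frame-Options value other than DENY/SAMEORIGIN is flagged as weak. The sample headers, the one-year HSTS threshold and the pin value are constructed for illustration.

```python
"""Check a set of HTTP response headers against the six security policies
listed above.  Example code added here, not Runbox's configuration."""
import re

# Constructed sample of response headers (not captured from a real server).
SAMPLE_HEADERS = {
    "X-Frame-Options": "DENY",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
    "Public-Key-Pins": 'pin-sha256="BASE64PIN_PLACEHOLDER="; max-age=5184000',
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
}

# Assumed minimum HSTS lifetime for this checker: one year in seconds.
MIN_HSTS_MAX_AGE = 31536000


def parse_csp(value):
    """Split a Content-Security-Policy string into {directive: [sources]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0]] = tokens[1:]
    return directives


def _hsts_ok(value):
    # HSTS is only useful if the browser remembers it long enough.
    match = re.search(r"max-age=(\d+)", value)
    return bool(match) and int(match.group(1)) >= MIN_HSTS_MAX_AGE


def _csp_ok(value):
    # A script policy that permits inline scripts or any origin gives
    # little protection against XSS, which is the point of the header.
    directives = parse_csp(value)
    scripts = directives.get("script-src", directives.get("default-src", []))
    return bool(directives) and "'unsafe-inline'" not in scripts and "*" not in scripts


# One predicate per policy: True means the value is a protective setting.
CHECKS = {
    "X-Frame-Options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "Strict-Transport-Security": _hsts_ok,
    "Content-Security-Policy": _csp_ok,
    "Public-Key-Pins": lambda v: "pin-sha256=" in v and "max-age=" in v,
    "X-XSS-Protection": lambda v: v.strip().startswith("1"),
    "X-Content-Type-Options": lambda v: v.strip().lower() == "nosniff",
}


def check_headers(headers):
    """Return {policy header: 'ok' | 'weak' | 'missing'} for each policy."""
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    result = {}
    for name, check in CHECKS.items():
        value = lowered.get(name.lower())
        if value is None:
            result[name] = "missing"
        else:
            result[name] = "ok" if check(value) else "weak"
    return result


def score(headers):
    """Number of the six policies that are present with a protective value."""
    return sum(1 for status in check_headers(headers).values() if status == "ok")


if __name__ == "__main__":
    for name, status in check_headers(SAMPLE_HEADERS).items():
        print(f"{name:26} {status}")
    print(f"{score(SAMPLE_HEADERS)}/6 policies in place")
```

Feed `check_headers` the header dictionary from any HTTP client response to run it against a live site. Note that HTTP Public Key Pinning has since been deprecated and removed by the major browsers, so the checker only reports whether the header is present, not whether a browser will honour it.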
These changes will help ensure that your use of Runbox is as safe and secure as possible, and we will continue making security-related improvements in the future.