Website Security Reports

Understanding and Addressing Website Security Reports

As a financial advisor, ensuring the security of your website is crucial, not just for your peace of mind but also to meet regulatory obligations. To help you navigate the complexities of website security scans and reports, we've compiled answers to the most common findings that arise in these security reports. This guide will help you understand these reports and when it’s necessary to seek support.

What are Website Security Reports?

Website security reports identify potential vulnerabilities in your site. They are often generated by services like Security Scorecard or insurance companies. Some findings may indicate genuine security concerns, while others may result from generic tools being used in the wrong context.

Understanding Our Approach

We understand that receiving these reports can be concerning and that you might expect us to address every issue to achieve a clean report. However, it's important to know that not all findings from these reports are relevant or actionable within the context of our platform.

Our current configurations are designed with the best interests of the majority of our clients in mind. We have carefully studied each identified issue and determined that our existing setup offers an optimal balance of security and functionality for our clients. Therefore, we may not implement every suggestion from these reports, especially if it does not align with our broader security strategy or compromises functionality.

Why We Stand By Our Current Setup

We are committed to maintaining a secure environment for all our clients. Our decisions are based on thorough analysis and industry best practices. While we appreciate the insights provided by these security reports, our priority is to ensure that any changes we make serve the overall best interests of our clients.

We want to be transparent with you: while we take every report seriously, we may not address every item listed, particularly if we believe our current measures are sufficient and effective.

If you have specific concerns or questions about the findings in your report, we are always here to discuss them with you. Your security and satisfaction are our top priorities.

Common Security Findings and What They Mean For Your FMG Website

1. Site Does Not Enforce HTTPS
   

   HTTPS (Hypertext Transfer Protocol Secure) ensures secure communication over the Internet. 

   Example: https://help.fmgsuite.com/en/

   While we enable HTTPS by default on our websites, we also accept insecure (HTTP) requests so we can redirect them to secure (HTTPS) requests. This is because we host public marketing websites where accessibility is the main concern, similar to billboards. We do not host transactional websites where the privacy of information is a concern, like a bank would. 

   When we receive an insecure request, our default response is to redirect to the secure (HTTPS) version of the site. We don't continue to interact insecurely after accepting the initial request; we will redirect the visitor to the secure version of the site.

2. Website Does Not Implement HSTS Best Practices
   

   HSTS stands for “HTTP Strict Transport Security” and notifies browsers that the site must be accessed only using HTTPS. 

   We support and automatically enable HSTS headers on our HTTPS URL locations. We intentionally do not enable HSTS headers on the HTTP URL locations for backward compatibility and migrations to/from other vendors. However, requests to HTTP URL locations are redirected to the HTTPS (secure) version of the site with a "301" redirect.

3. Website Does Not Implement X-Content-Type-Options Best Practices
   X-Content-Type-Options is web functionality that enables safety restrictions to be specified on what types of content are expected from a website.  As a design decision, our platform allows extensive customization of the websites we host.  To allow extensive customization of our hosted websites, we are less restrictive in this area. 
4. Content Security Policy (CSP) Missing
   A Content Security Policy (CSP) directive limits the sources from which a web browser can load content when rendering a site. Our platform allows extensive customization of the websites we host as a design decision. However, enabling that level of customization means we need to be less restrictive in this particular area. For clients who want to build their own CSP, they can do so by adding their policy to their site’s header.  
5. Websites Reference Object Storage
   

   FMG’s websites contain links to resources hosted on Amazon S3 buckets, which act as our file-hosting service. These websites are public-facing marketing sites, not private domains. We use Access Control Lists (ACLs) to ensure that these files are only accessible through the relevant pages on our websites and cannot be directly scanned or indexed by unauthorized parties. Our security team has reviewed this setup and confirmed that there are no security issues. We implement encryption at rest, enforce proper ACLs, and conduct regular audits of logs via SIEM.

   This is sometimes referred to as "Items in S3 Buckets aren't obfuscated."

When to Seek Support

Before contacting our support team, we encourage you to:

1. Review Your Report: Carefully read through your security report items.
2. Compare with Our Explanations: Check the specific items against the above explanations.
3. Document Specific Concerns: Identify and prepare questions about any particular items that are of concern to you or need further clarification. 

We recommend following these steps first so that you can provide precise questions if you need to contact support. This will allow us to offer more effective assistance. We do not recommend forwarding your website security reports to our support teams. 

Need Further Assistance?

If you have any specific questions or need additional support, please contact our customer support team. We're here to help!