Healthy Web | Hong Kong Internet Registration Corporation Limited

Healthy Web

2023-06-16

Protect Your Website: Prevention is the best action

Introduction:

HKIRC has always attached great importance to the Internet security of .hk users. To improve the website security of .hk users, HKIRC will launch a new initial website security health-checking service, “Healthy Web”, to assist .hk users in reviewing their use of website security technology against the criteria of the OWASP Top 10. If any material adverse findings are discovered, such as disabled application security settings or the use of vulnerable web server software, HKIRC will inform users of the appropriate precautions so that they understand the potential risks to their website as soon as practicable and strengthen their awareness of the need to protect it.

Potential Cyber Security Risk from Website:
  • Insecure data transfer
    The insecure HTTP (Hypertext Transfer Protocol) sends data as plain text, while HTTPS (Hypertext Transfer Protocol Secure) sends data encrypted. HTTPS provides secure data transfer, preventing interception and unauthorized access. Websites that handle sensitive data need HTTPS to ensure user privacy and prevent cyber attacks, making it a more secure option than HTTP.
  • Poor Cookie setting
    Proper cookie settings for a web server include marking cookies “Secure” and “HttpOnly” to prevent XSS and CSRF attacks, ensure secure transmission of sensitive data, and comply with data protection regulations.
    Related news: Hackers Steal Session Cookies to Bypass Multi-factor Authentication
  • Disclosing Server version
    Disclosing web server versions can help attackers identify vulnerabilities and launch targeted attacks. Obscuring or hiding the version is a common security practice to minimize the risk of unauthorized access and data breaches.
  • Information Disclosure
    Information disclosure can lead to security risks, as attackers can use the disclosed information to launch cyber attacks. This includes sensitive data, usernames, passwords, and verbose error messages that can compromise system security.
    Related news: SAP’s February 2023 Security Updates Patch High-Severity Vulnerabilities
  • Improper Website Configuration
    Improper website configuration refers to settings that are not optimized for security, privacy, and performance. It includes misconfigured settings, third-party scripts found on the site, and outdated or vulnerable JavaScript libraries. Proper website configuration is vital to protect against cyber threats, ensure reliability, and comply with legal standards.
    Related news: Fortnite Flaws Allowed Hackers to Takeover Gamers’ Accounts
Why Do You Need It:
  • By reviewing your website’s public disclosure information, you can have an overview and understanding of your website’s security condition. This allows you to have ongoing control and situational awareness of your website.
  • It can point out potential vulnerabilities that may exist and can compromise your website. These are gateways for hackers to attack or even take control of your website, and should therefore be flagged and handled beforehand.
  • It can help you find out whether there are any misconfigured application settings on your website. These can be difficult to notice without a healthy web programme. Application misconfigurations can not only cause downtime but also be a serious security threat.
  • It can find out whether default configuration settings and application settings are still in use. The default configuration is only temporary and is used to launch the site; it must be upgraded or changed, otherwise it will compromise the security of the application and the privacy of the users.
  • Increase awareness of protecting your website. It can help to build good practices and awareness about continuously monitoring the security status of your own website.

Assessment Process:

  • The process does not affect the operation of your website and does not require changes to technical settings or passwords.
  • We only read request information and background information from the public server, such as the public information in the HTML header, preview, response, cookie and timing data.
  • A non-intrusive process will be used to assess the security and identify weaknesses of a website. An actionable report with recommendations on how users can adopt best practices and improve overall Internet security will be provided.
Eligibility:
  • All .hk domain users
How to Join:
  • Please click here to fill in the application form

Success Stories:

  • We proactively remind “.hk” users to be vigilant against potential online risks
  • We conduct regular or ongoing website checks
  • Clear and concise reports are provided to help users easily understand website risks
  • Raise users’ awareness of website security

Case Sharing:

AiTLE

The Association of IT Leaders in Education (AiTLE) is an organization composed of information technology coordinators/teachers and computer science teachers responsible for IT education in Hong Kong primary and secondary schools. AiTLE regularly invites experts to conduct various security seminars to enhance the cybersecurity awareness of its members. It was one of the first organizations invited to participate in the Healthy Web service.


FAQs

  1. What is Healthy Web Programme?
    “Healthy Web” is a web screening programme that uses a non-intrusive Internet Health Lookup tool to reveal flaws and vulnerabilities in your website, analyze possible deviations, and provide advice on improvements and enhancements.
  2. Why am I on the list of the Healthy Web Programme?
    The programme is a bundled membership benefit. If you are a .hk domain owner, you are on the list.
  3. What will we do in the process of Healthy Web Programme?
    The assessment uses a simple and quick method to read request information and background information from the public server, such as the public information in the HTML header, preview, response, cookie and timing data. You may follow the instructions below to get a similar result yourself:

a. Press F12 or Ctrl+Shift+I to open DevTools in any of the three common browsers (Google Chrome, Microsoft Edge and Firefox)
b. Click the Network tab and refresh the page to capture the response headers
c. Select the first row to see the configuration in the response headers
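As an added example (not HKIRC's tool or code), the following Python script performs the same header-only review over two constructed response header blocks, one weak and one hardened, and reports the risk categories listed above: disclosed server versions, cookies missing the Secure and HttpOnly flags, and no HSTS header enforcing HTTPS. The header samples are made up for the example and were not captured from any real site.

```python
import re

# Constructed sample of the first row's Response Headers in DevTools (not from
# any real site): version banners disclosed, session cookie without flags.
WEAK_HEADERS = """HTTP/1.1 200 OK
Server: Apache/2.4.29 (Ubuntu)
X-Powered-By: PHP/7.2.24
Set-Cookie: PHPSESSID=abc123; Path=/
Set-Cookie: theme=dark; Path=/; Secure; HttpOnly
Content-Type: text/html; charset=UTF-8
"""

# Same response hardened: product name only, HSTS present, flags on every cookie.
HARDENED_HEADERS = """HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=31536000; includeSubDomains
Set-Cookie: PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
Content-Type: text/html; charset=UTF-8
"""

VERSION_RE = re.compile(r"\d+\.\d+")  # a version number inside a banner

def parse_headers(raw):
    """Split a raw response into lower-cased (name, value) pairs, keeping repeats."""
    pairs = []
    for line in raw.splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def check_headers(raw):
    """Return findings in the page's risk categories: version disclosure,
    cookie flags, and HTTPS enforcement via HSTS."""
    pairs = parse_headers(raw)
    findings = []
    for name, value in pairs:
        if name in ("server", "x-powered-by") and VERSION_RE.search(value):
            findings.append(f"version disclosed in {name}: {value}")
        if name == "set-cookie":
            parts = [p.strip() for p in value.split(";")]
            cookie = parts[0].split("=", 1)[0]
            attrs = {p.lower() for p in parts[1:]}
            for flag in ("secure", "httponly"):
                if flag not in attrs:
                    findings.append(f"cookie {cookie} missing {flag}")
    if "strict-transport-security" not in {n for n, _ in pairs}:
        findings.append("no Strict-Transport-Security header; HTTPS not enforced")
    return findings
```

Paste the Response Headers block copied from DevTools into the script's input to run the same checks against your own site; the hardened sample yields no findings.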

  4. What are the differences between the Healthy Web programme and an in-depth web security scan?
    An in-depth web security scan sends packets or queries directly to specific assets, while the Healthy Web programme is a non-intrusive process that reads preliminary information such as the HTTP response headers.
  5. Can I contact HKIRC for assistance when I receive the report?
    Yes. Apart from the detailed report, a free phone consultation is offered to all participants on request. If you would like to conduct a web security assessment, you can apply here.
  6. Is there any impact if I do not wish to use the service?
    You may miss potential vulnerabilities and misconfigured network settings, which increases the chance of unknown risk.

Enquiry:

Email: cybersec@hkirc.hk
Address: Unit 501, Level 5, Core C, Cyberport 3, 100 Cyberport Road, Hong Kong

Disclaimer: Healthy Web programme is a remote web checking service of the web-interfaced system conducted by HKIRC. The purpose of this testing service is to assist “.hk” users in reviewing the use of security technology on their website. Click here for more details