Improve BleachBit.org Security

+1. Though, I thought Andrew did update the Content Security Policy when he switched to HTTPS, but perhaps I am mistaken. Anyways, it wouldn't hurt to add these as an extra layer for BleachBit website.

Hi!
BleachBit for Windows
Checked for viruses in VirusTotal (https://www.virustotal.com/) crammed troyans!
Eliminate.
The only alternative CCleaner.
I hope to fix it.

Carl: please see the recent discussion trojans about the false positives

Andrew

Checked (virustotal) Ad-Aware - 1 Trojan
Checked Ad-Aware -O Trojan
BleachBit Really safe?
How do you fix a reputation?
Andrew You do not know Russian? (Russian Language)

Carl. Anti-virus/anti-malware have false positives all the time. BleachBit is a popular tool that's been around for years. There has never been any malware in BleachBit before and there never will be. Also, BleachBit is open-source, too, so you can always check the source code for malicious code, if you don't feel safe.

Fear of infection is so great! Still not trust.
Do so that there are no false positives.
Good luck

Still some layers that can be added, in the order of importance:

• Content Security Policy (CSP) header not implemented
• X-XSS-Protection header not implemented
• HTTP Strict Transport Security (HSTS) header set to less than six months (15768000)
• Subresource Integrity (SRI) not implemented

Full report and further details on implementation:
https://observatory.mozilla.org/analyze.html?host=www.bleachbit.org

Hi Forday,

Yes, it would be good to add more web site security.

I am doing it in steps, while still managing the application and other work. A few days ago I added HTTPS to the last subdomain that did not support it, and now *.bleachbit.org forwards to HTTPS. Also, this week I enabled HSTS with a short max-age to check whether anything breaks. If this goes well, I will increase the max-age. I also looked into CSP, but the configuration for maximum security looks non-trivial.