Some Issues With Whitehouse.gov

Some people just hate Trump. Maybe it’s his policies. Maybe they don’t like his attitude. Maybe they want to be the one to take him down, as it can boost their career. Me, I don’t hate him. I actually like him. I also like making websites, which is why I find the recent change to whitehouse.gov quite fascinating. It was recently switched from Drupal to WordPress. Was this a good move? It’s too early to tell, but there are some issues with the new website.

Building a website is a tough job. The purpose of this article isn’t to bash the president or his web team. It’s to make sure that the White House website isn’t part of some national scandal. As is typical with launching a new website, there are some problems. I wasn’t even looking for trouble. I read about it on Reddit.

Apparently, according to the comments and a list on https://securityheaders.io/, the White House website got an “F” rating with Security Headers.

Security headers are a fairly new feature in web development. Without getting too technical, when a server sends a web page to a visitor, these headers let modern web browsers know what to expect from the website. As an example, if it’s Whitehouse.gov, then the header could specify that all of the associated files should only come from itself or a list of approved websites – such as a .gov website. Certainly, if a file from an .ru domain appears in the code, an alert should be triggered. Hackers can inject files into a website, causing the website to do nefarious things, such as stealing personal information from users or using their computers to mine bitcoins.
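The allow-list idea described above is what the Content-Security-Policy response header implements. The following is an added example (not code from this site or from the White House website) that lists missing hardening headers and checks resource URLs against a policy; the sample headers, the policy and the URLs are constructed, and the source matching is simplified.

```python
from urllib.parse import urlsplit

# Commonly recommended hardening headers (an assumed list, not the scanner's grading rules).
RECOMMENDED = ["Content-Security-Policy", "Strict-Transport-Security",
               "X-Content-Type-Options", "X-Frame-Options", "Referrer-Policy"]

# Constructed sample response headers for illustration; not captured from any real site.
SAMPLE_HEADERS = {
    "Content-Type": "text/html; charset=UTF-8",
    "Content-Security-Policy": "default-src 'self'; "
                               "script-src 'self' *.gov https://www.google-analytics.com",
}
PAGE_URL = "https://www.whitehouse.gov/"

def missing_headers(headers):
    """Return the recommended headers absent from a response (names are case-insensitive)."""
    present = {name.lower() for name in headers}
    return [h for h in RECOMMENDED if h.lower() not in present]

def parse_csp(value):
    """Split a policy string into {directive: [source expressions]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])  # first occurrence wins
    return policy

def host_matches(pattern, host):
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # "*.gov" matches "www.usa.gov", not "gov"
    return host == pattern

def source_allowed(policy, directive, resource_url, page_url=PAGE_URL):
    """Simplified check: ignores ports, paths, nonces and hashes."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True  # nothing restricts this resource type
    res, page = urlsplit(resource_url), urlsplit(page_url)
    for src in sources:
        if src.startswith("'"):  # keyword source; only 'self' is evaluated here
            if src == "'self'" and (res.scheme, res.netloc) == (page.scheme, page.netloc):
                return True
        elif src.endswith(":"):  # scheme source such as https:
            if res.scheme == src[:-1]:
                return True
        else:  # host source, optionally prefixed with a scheme
            scheme, sep, rest = src.lower().rpartition("://")
            host = rest.split("/")[0].split(":")[0]
            if (not sep or scheme == res.scheme) and host_matches(host, res.hostname or ""):
                return True
    return False
```

With this constructed policy, a script from the page's own origin, from another .gov host or from the listed analytics host is accepted, while a script from a .ru host is rejected, and images fall back to `default-src 'self'`.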

I didn’t run the scan; I merely saw the “F” grade in the “Recent Scans” list, but I did scan my own website. Photics.com received a bad grade too. I was surprised by this, as I thought I was properly setting security headers. The securityheaders.io website showed lots of other settings for headers. After reading up on the issue, I was able to properly harden this website.

Photics.com – Security Header Scan Results

Considering that the whitehouse.gov website is such a high-profile target, it might be a good idea to get that “F” grade to an “A” grade. That’s what I’m hoping the White House team does too. Harden their website against possible threats.

The website is using Google Analytics, so Google could be on the allowed list. But even better, bring web traffic reporting in-house. Use server log processing software to analyze web traffic. Today’s web surfers are more tech-savvy. They can use add-ons like “Ghostery” to block trackers. If you base your web reporting directly on server logs, the reporting is more accurate. True, more can be discovered about a user when using JavaScript tracking, but then use something like Piwik. It’s an alternative to Google Analytics. Piwik can be used to process raw logs. It can be called via JavaScript or PHP code.

The next issue is not a security issue. It’s an accessibility issue. Because it is a government website, it is required to be “accessible” to people with disabilities – such as blind people using screen reading software. Even without being a requirement, it’s a nice thing to do. Again, this issue was mentioned in the conversation at Reddit.com. I didn’t see specifics mentioned, so I used the WAVE Toolbar to run an accessibility report.

White House – WAVE Accessibility Report

It’s nothing too major, but these issues should probably be addressed…

Errors (2)

  • Empty form label
  • Missing or uninformative page title

Alerts (4)

  • Redundant alternative text
  • A nearby image has the same alternative text
  • Orphaned form label (x2)