Website and Marketing services by ForwardWeb

ForwardWeb - Branden

Coder
Contributor
Oct 8, 2018
64
6
8
Canada
Hi there folks, ForwardWeb has recently undergone a few rather massive design changes With our latest website build our main objective was to paint a clearer picture of who we are, what we do and what we are all about. We are also aiming to improve our ordering and client areas so feed-back is always welcome and appreciated. if you have not used our services before we provide Web Hosting, Web Development, Branding, Marketing and Print Services. Forward Web encompasses everything that is required to move your web presence well... Forward feedback and comments will all be considered reviewed and passed on to our founder as we strive to make the web a better place

 
Last edited:

Tealk

Coder
Jun 5, 2019
82
12
8
SysAdmin
Anzah.Tools
What I don't like so much is that a lot is downloaded from Google and that also in the login area.

the Security Headers could also be improved:


And the certificate should also be reconsidered. TLS1.0 and 1.1 are insecure but will be used for your client login! Unsafe ciphers are also used.

A list of all your domain prices would be nice. Always having to use the search first is cumbersome.
With all the fade-ins the website looks very sluggish.

I would remove the button and always display the navigation.
79
 
Last edited by a moderator:

Tealk

Coder
Jun 5, 2019
82
12
8
SysAdmin
Anzah.Tools
It's very hard for me to understand what you're trying to tell me.

You asked for feedback here and I gave you my feedback you are welcome to give it to your founder. If you have any questions I will be happy to answer them.
But I wouldn't buy anything from you if your website already had so many gaps.
 
Last edited by a moderator:

Forward Web

New Coder
Jun 7, 2019
4
0
1
Modesto, CA
forwardweb.net
What I don't like so much is that a lot is downloaded from Google and that also in the login area.

the Security Headers could also be improved:

And the certificate should also be reconsidered. TLS1.0 and 1.1 are insecure but will be used for your client login! Unsafe ciphers are also used.

A list of all your domain prices would be nice. Always having to use the search first is cumbersome.
With all the fade-ins the website looks very sluggish.

I would remove the button and always display the navigation.
View attachment 79
Thank you for the great feed-back and taking the time to review our website.

In regards to the navigation, we've been experimenting with collapsed menus to create more of a bridge between the mobile and desktop experience. We are still in the process of collecting enough data to determine whether or not this is an effective approach or not.

We'll definitely take your thoughts regarding the domain name prices into consideration. At the moment we only offer 6 TLD's and they are all priced at $14.95, as we get more into offering different domain name extensions we will continue to improve that area.
 

Forward Web

New Coder
Jun 7, 2019
4
0
1
Modesto, CA
forwardweb.net
And the certificate should also be reconsidered. TLS1.0 and 1.1 are insecure but will be used for your client login! Unsafe ciphers are also used.

We have had TLS 1.2 enabled for quite sometime and although I agree that one should not be using TLS 1.0 or 1.1 to communicate with a server or application, supporting 1.0 and 1.1 does not inherently make a website insecure, nor should it be a cause for concern. If the question is why we are still supporting TLS 1.0 and 1.1, like many in the industry we have this scheduled for the end of 2019/early 2020.
 

Tealk

Coder
Jun 5, 2019
82
12
8
SysAdmin
Anzah.Tools
At the moment we only offer 6 TLD's and they are all priced at $14.95,
but that was also not obvious because often it says that it costs from xx and that is then only the cheapest domain.

like many in the industry we have this scheduled for the end of 2019/early 2020.
And what is the meaning of dragging outdated and unsafe things with?
To remove this doesn't even take a minute and to compare yourself with others in negative points is not very advantageous.
Just because others do something doesn't make bad things any better.

and of course in 2020 all tls 1.0 and 1.1 will be set to off because otherwise chrome will bring a warning and that would be bad for advertising. But it is unnecessary to wait so long.
There are enough possibilities to use these old encryption methods to endanger your system. That would be far too dangerous for my project.

I have to say that not a single security header is set and so it is possible to load third party scripts to get account data or similar fatal problems.

through all these "gaps" you don't feel secure and you have to ask yourself how secure the servers are configured if the website already has so many easy to close gaps.

it is going very slowly but more and more webmasters are interested in this topic and if you don't have all these gaps you could use it as advertising and figurehead.
 

Forward Web

New Coder
Jun 7, 2019
4
0
1
Modesto, CA
forwardweb.net
it is possible to load third party scripts to get account data or similar fatal problems.
Incorrect and its important to understand exactly what security headers are and what purpose they actually serve. Having or not having security headers added to your website is not going to inherently make your website more secure, much like adding an ADT Security sign in front of your house is not going to do you any good if you've left the back door or front door of your house wide open.


through all these "gaps" you don't feel secure and you have to ask yourself how secure the servers are configured if the website already has so many easy to close gaps.
I think this is a good point, we definitely want our clients and potential clients to feel safe. However one could also make an argument that if your using security headers and TLS support as a means for determining how secure a website is, all you are doing is looking for a false sense of security. The best way to find out how secure your website is to ask some questions, I.e what are your concerns and what are we doing to protect you from those concerns..ect. As another example, if your concern was in fact security headers, we simply would have told you that we have mod_headers enabled and you are free to set these at your discretion via .htaccess.

it is going very slowly but more and more webmasters are interested in this topic and if you don't have all these gaps you could use it as advertising and figurehead.
This is great to hear and something we very much encourage. I cant tell you how many times a month we have to tell someone tthat it doesnt matter how secure our server is, if your website is full of vulnerabilities, there is not much we can do. Part of what we do at Forward Web is attempting to bridge the gap between developer and system administration so that we can build and deploy more robust applications. To this day one of the most common support tickets we get from developers/webmasters is regarding why FTP is not working, which is surprising yet the reality of how slow people are to adapt to new, more secure methods.
 

Tealk

Coder
Jun 5, 2019
82
12
8
SysAdmin
Anzah.Tools
Incorrect
So the X-XSS-Protection header does not increase the protection against XSS attacks?

it should be self-evident that the header are not a panacea but to do without it could be classified as negligent.
The only one that is difficult to handle is the "Content-Security-Policy" header all others can be set with very high probability without any problems.

all you are doing is looking for a false sense of security.
It's not about your product but about your appearance and what message it makes.
I do not create an account with any bank if the website contains third party scripts. Such a thing is simply grossly negligent.

That's why I thought it would be positive for them if their website shines with the right settings.

And of course it's also important how the server is configured but I can't check that easily but assume that it's similar to the website. I have only few clues and if these already do not look good... I think they can understand my train of thought.

I don't have any interest to talk badly about your project and the fact that you are dealing with me here about this topic is very positive to become because I know enough companies that simply ignore feedback. I would like to praise them for that.
 

Forward Web

New Coder
Jun 7, 2019
4
0
1
Modesto, CA
forwardweb.net
So the X-XSS-Protection header does not increase the protection against XSS attacks?
If we are talking about 2019, shared web hosting with an established web hosting company. I am going to say no. If you have your website hosted with Joe the web host that has a whopping 3 months of experience (no experience), then sure, adding the X-XSS-Protection header can provide some form of protection. Much like a bullet proof vest might provide some form of protection when walking through a huge gun battle. However I like to think most web hosting companies have more in depth methods of protecting against X-XSS attacks aside from using the X-XSS-Protection header.

it should be self-evident that the header are not a panacea but to do without it could be classified as negligent.
Could also be viewed as un-necessary. However you do bring up some good points about perception, which if we are in the business of web hosting, we need to take a look at.

i
I don't have any interest to talk badly about your project and the fact that you are dealing with me here about this topic is very positive to become because I know enough companies that simply ignore feedback. I would like to praise them for that.
Truly, all feed-back is appreciated, people like your-self is how we grow and improve our business.
 

ForwardWeb - Branden

Coder
Contributor
Oct 8, 2018
64
6
8
Canada
Hi that is why I said before we take all feedback seriously because we do :) it's good to talk things out a security concern is important I think what made me a little confused I believe security concerns are best handled privately so we can discuss them and fix what may or may not need addressing as is common practice under Responsible disclosure take for example what happened with https://www.wordfence.com/blog/2019/03/recent-social-warfare-vulnerability-allowed-remote-code-execution/ this issue left them scrambling and still hurting today granted they are now better and it was a lesson for them they would have done the same with much less headaches on both sides if properly disclosed right? as long as we all learn something that it what matters right ?
 
Last edited: