Last Updated: 2024-02-27 leo@mozilla.com Author: april@mozilla.com
All websites start with a baseline score of 100, and receive penalties or bonuses from there. The minimum score is 0, but there is no maximum score. Bonus points are only awarded if the site's score without them is 90 (A) or greater. Currently, the highest possible score in the HTTP Observatory is 135.
Although both the letter grade ranges and modifiers are essentially arbitrary, they are based on feedback from industry professionals on how important passing or failing a given test is likely to be.
| Scoring Range | Grade |
|---|---|
| 100+ | A+ |
| 90-99 | A |
| 85-89 | A- |
| 80-84 | B+ |
| 70-79 | B |
| 65-69 | B- |
| 60-64 | C+ |
| 50-59 | C |
| 45-49 | C- |
| 40-44 | D+ |
| 30-39 | D |
| 25-29 | D- |
| 0-24 | F |
| Cookies | Description | Modifier |
|---|---|---|
| cookies-secure-with-httponly-sessions-and-samesite | All cookies use the Secure flag, session cookies use the HttpOnly flag, and cross-origin restrictions are in place via the SameSite flag | 5 |
| cookies-not-found | No cookies detected | 0 |
| cookies-secure-with-httponly-sessions | All cookies use the Secure flag and all session cookies use the HttpOnly flag |
0 |
| cookies-without-secure-flag- but-protected-by-hsts |
Cookies set without using the Secure flag, but transmission over HTTP prevented by HSTS |
-5 |
| cookies-session-without-secure-flag- but-protected-by-hsts |
Session cookie set without the Secure flag, but transmission over HTTP prevented by HSTS |
-10 |
| cookies-without-secure-flag | Cookies set without using the Secure flag or set over http |
-20 |
| cookies-samesite-flag-invalid | Cookies use SameSite flag, but set to something other than Strict or Lax | -20 |
| cookies-anticsrf-without-samesite-flag | Anti-CSRF tokens set without using the SameSite flag | -20 |
| cookies-session-without-httponly-flag | Session cookie set without using the HttpOnly flag |
-30 |
| cookies-session-without-secure-flag | Session cookie set without using the Secure flag or set over http |
-40 |
| Cross-origin Resource Sharing (CORS) | Description | Modifier |
|---|---|---|
| cross-origin-resource-sharing- implemented-with-public-access |
Public content is visible via cross-origin resource sharing (CORS) Access-Control-Allow-Origin header | 0 |
| cross-origin-resource-sharing- implemented-with-restricted-access |
Content is visible via cross-origin resource sharing (CORS) files or headers, but is restricted to specific domains | 0 |
| cross-origin-resource-sharing-not-implemented | Content is not visible via cross-origin resource sharing (CORS) files or headers | 0 |
| xml-not-parsable | crossdomain.xml or clientaccesspolicy.xml claims to be xml, but cannot be parsed | -20 |
| cross-origin-resource-sharing- implemented-with-universal-access |
Content is visible via cross-origin resource sharing (CORS) file or headers | -50 |
| Content Security Policy | Description | Modifier |
|---|---|---|
| csp-implemented-with-no-unsafe-default-src-none | Content Security Policy (CSP) implemented with default-src 'none' and without 'unsafe-inline' or 'unsafe-eval' |
10 |
| csp-implemented-with-no-unsafe | Content Security Policy (CSP) implemented without 'unsafe-inline' or 'unsafe-eval' |
5 |
| csp-implemented-with-unsafe-inline-in-style-src-only | Content Security Policy (CSP) implemented with unsafe directives inside style-src. This includes 'unsafe-inline', data:, or overly broad sources such as https:. |
0 |
| csp-implemented-with-insecure-scheme-in-passive-content-only | Content Security Policy (CSP) implemented, but secure site allows images or media to be loaded over http | -10 |
| csp-implemented-with-unsafe-eval | Content Security Policy (CSP) implemented, but allows 'unsafe-eval' |
-10 |
| csp-implemented-with-insecure-scheme | Content Security Policy (CSP) implemented, but secure site allows resources to be loaded from http | -20 |
| csp-implemented-with-unsafe-inline | Content Security Policy (CSP) implemented unsafely. This includes \'unsafe-inline\' or data: inside script-src, overly broad sources such as https: inside object-src or script-src, or not restricting the sources for object-src or script-src. |
-20 |
| csp-not-implemented | Content Security Policy (CSP) header not implemented | -25 |
| csp-header-invalid | Content Security Policy (CSP) header cannot be parsed successfully | -25 |
| HTTP Strict Transport Security | Description | Modifier |
|---|---|---|
| hsts-preloaded | Preloaded via the HTTP Strict Transport Security (HSTS) preloading process | 5 |
| hsts-implemented- max-age-at-least-six-months |
HTTP Strict Transport Security (HSTS) header set to a minimum of six months (15768000) | 0 |
| hsts-implemented- max-age-less-than-six-months |
HTTP Strict Transport Security (HSTS) header set to less than six months (15768000) | -10 |
| hsts-not-implemented | HTTP Strict Transport Security (HSTS) header not implemented | -20 |
| hsts-not-implemented-no-https | HTTP Strict Transport Security (HSTS) header cannot be set for sites not available over https | -20 |
| hsts-invalid-cert | HTTP Strict Transport Security (HSTS) header cannot be set, as site contains an invalid certificate chain | -20 |
| hsts-header-invalid | HTTP Strict Transport Security (HSTS) header cannot be recognized | -20 |
| Redirections | Description | Modifier |
|---|---|---|
| redirection-all-redirects-preloaded | All hosts redirected to are in the HTTP Strict Transport Security (HSTS) preload list | 0 |
| redirection-to-https | Initial redirection is to https on same host, final destination is https | 0 |
| redirection-not-needed-no-http | Not able to connect via http, so no redirection necessary | 0 |
| redirection-off-host-from-http | Initial redirection from http to https is to a different host, preventing HSTS | -5 |
| redirection-not-to-https-on-initial-redirection | Redirects to https eventually, but initial redirection is to another http URL | -10 |
| redirection-missing | Does not redirect to an https site | -20 |
| redirection-not-to-https | Redirects, but final destination is not an https URL | -20 |
| redirection-invalid-cert | Invalid certificate chain encountered during redirection | -20 |
| Referrer Policy | Description | Modifier |
|---|---|---|
| referrer-policy-private | Referrer-Policy header set to no-referrer or same-origin, strict-origin or strict-origin-when-cross-origin |
5 |
| referrer-policy-no-referrer-when-downgrade | Referrer-Policy header set to no-referrer-when-downgrade |
0 |
| referrer-policy-not-implemented | Referrer-Policy header not implemented |
0 |
| referrer-policy-unsafe | Referrer-Policy header unsafely set to origin, origin-when-cross-origin, or unsafe-url |
-5 |
| referrer-policy-header-invalid | Referrer-Policy header cannot be recognized |
-5 |
| Subresource Integrity | Description | Modifier |
|---|---|---|
| sri-implemented- and-all-scripts-loaded-securely |
Subresource Integrity (SRI) is implemented and all scripts are loaded from a similar origin | 5 |
| sri-implemented- and-external-scripts-loaded-securely |
Subresource Integrity (SRI) is implemented and all scripts are loaded securely | 5 |
| sri-not-implemented- but-all-scripts-loaded-from-secure-origin |
Subresource Integrity (SRI) not implemented as all scripts are loaded from a similar origin | 0 |
| sri-not-implemented- but-no-scripts-loaded |
Subresource Integrity (SRI) is not needed since site contains no script tags | 0 |
| sri-not-implemented- response-not-html |
Subresource Integrity (SRI) is only needed for html resources | 0 |
| sri-not-implemented- but-external-scripts-loaded-securely |
Subresource Integrity (SRI) not implemented, but all external scripts are loaded over https | -5 |
| request-did-not-return-status-code-200 | Site did not return a status code of 200 (deprecated) | -5 |
| sri-implemented- but-external-scripts-not-loaded-securely |
Subresource Integrity (SRI) implemented, but external scripts are loaded over http | -20 |
| html-not-parsable | Claims to be html, but cannot be parsed | -20 |
| sri-not-implemented- and-external-scripts-not-loaded-securely |
Subresource Integrity (SRI) is not implemented, and external scripts are not loaded over https | -50 |
| X-Content-Type-Options | Description | Modifier |
|---|---|---|
| x-content-type-options-nosniff | X-Content-Type-Options header set to nosniff |
0 |
| x-content-type-options-not-implemented | X-Content-Type-Options header not implemented |
-5 |
| x-content-type-options-header-invalid | X-Content-Type-Options header cannot be recognized |
-5 |
| X-Frame-Options | Description | Modifier |
|---|---|---|
| x-frame-options-implemented-via-csp | X-Frame-Options (XFO) implemented via the CSP frame-ancestors directive |
5 |
| x-frame-options-allow-from-origin | X-Frame-Options (XFO) header uses ALLOW-FROM uri directive |
0 |
| x-frame-options-sameorigin-or-deny | X-Frame-Options (XFO) header set to SAMEORIGIN or DENY |
0 |
| x-frame-options-not-implemented | X-Frame-Options (XFO) header not implemented |
-20 |
| x-frame-options-header-invalid | X-Frame-Options (XFO) header cannot be recognized |
-20 |
| X-XSS-Protection | Description | Modifier |
|---|---|---|
| x-xss-protection-enabled-mode-block | X-XSS-Protection header set to 1; mode=block |
0 |
| x-xss-protection-enabled | X-XSS-Protection header set to 1 |
0 |
| x-xss-protection-disabled | X-XSS-Protection header set to 0 (disabled) |
0 |
| x-xss-protection-not-implemented | X-XSS-Protection header not implemented |
0 |
| x-xss-protection-header-invalid | X-XSS-Protection header cannot be recognized |
-5 |