Frequently asked questions

What does my score mean?
We try to provide a fair score for all sites that we analyse, and your score reflects how many security-related HTTP response headers your site issues.

What grades can my site get?
Your site can score from an A+ grade down to an F grade. The R grade means the site responded with a redirect, and you should follow the redirects using the link provided. There is more information on the scores here.

How do I get an A+ grade?
To get an A+ grade your site needs to issue all of the HTTP response headers that we check for. This indicates a high level of commitment to improving security for your visitors.

What headers do you check for?
Over an HTTP connection we check for Content-Security-Policy, X-Content-Type-Options, X-Frame-Options and X-XSS-Protection. Over an HTTPS connection we check for two additional headers, Strict-Transport-Security and Public-Key-Pins.

What do the blue headers mean?
The blue headers are additional information that a site owner could look at. These are things like the value of the Server header, or other platform-specific headers such as X-Powered-By, which divulge information about the software running on the server.

Can I raise a bug or request a feature?
You can raise bugs or request new features right here!

Can we allow your IP addresses for scans?
These are the IPv4 and IPv6 addresses we use for scans if you'd like to allow them.
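The checks described under "What headers do you check for?" and "What do the blue headers mean?" can be reproduced locally against a raw HTTP response. The following is an added example, not the site's own scanner: it parses a response head, applies the R grade to redirects, lists which of the named headers are missing for the given scheme, and pulls out the informational Server and X-Powered-By values. The sample responses are constructed, and the only grade boundary it implements is the one the FAQ defines (all headers present means A+).

```python
from typing import Dict, List, Tuple

# Headers the FAQ lists for plain HTTP, plus the two extra ones checked over HTTPS.
# Public-Key-Pins is kept because the FAQ lists it; browsers have since dropped HPKP.
HTTP_HEADERS = ["Content-Security-Policy", "X-Content-Type-Options",
                "X-Frame-Options", "X-XSS-Protection"]
HTTPS_ONLY_HEADERS = ["Strict-Transport-Security", "Public-Key-Pins"]
# Informational ("blue") headers the FAQ says reveal server software.
INFO_HEADERS = ["Server", "X-Powered-By"]


def parse_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Return (status code, headers) from a raw HTTP/1.x response head.
    Header names are lower-cased because HTTP header names are case-insensitive."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers: Dict[str, str] = {}
    for line in lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return status, headers


def check(scheme: str, raw: str) -> Dict[str, object]:
    """Grade one response the way the FAQ describes: R for redirects,
    A+ only when every header expected for the scheme is present."""
    status, headers = parse_response(raw)
    if 300 <= status < 400 and "location" in headers:
        return {"grade": "R", "redirect_to": headers["location"]}
    expected: List[str] = HTTP_HEADERS + (HTTPS_ONLY_HEADERS if scheme == "https" else [])
    missing = [h for h in expected if h.lower() not in headers]
    info = {h: headers[h.lower()] for h in INFO_HEADERS if h.lower() in headers}
    return {"grade": "A+" if not missing else "below A+",
            "missing": missing, "info": info}


# Constructed sample responses (not captured from any real site).
SAMPLE = ("HTTP/1.1 200 OK\r\n"
          "Server: nginx/1.18.0\r\n"
          "content-security-policy: default-src 'self'\r\n"
          "X-Content-Type-Options: nosniff\r\n"
          "X-Frame-Options: DENY\r\n"
          "X-XSS-Protection: 1; mode=block\r\n"
          "\r\n")
REDIRECT = "HTTP/1.1 301 Moved Permanently\r\nLocation: https://example.com/\r\n\r\n"

if __name__ == "__main__":
    print(check("http", SAMPLE))    # A+ over HTTP: all four headers present
    print(check("https", SAMPLE))   # below A+ over HTTPS: HSTS and HPKP missing
    print(check("https", REDIRECT)) # R: follow the Location and scan the target
```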