Health Score methodology — v2.0

TL;DR. The 0–100 Enterno.io Health Score (v2.0) is built from six open categories worth 120 raw points, normalised to 0–100: 30 pts security HTTP headers, 25 pts SSL/TLS posture, 25 pts performance (response time + content size + redirects), 20 pts best practices (HTTPS-only, valid status, content-type), 10 pts cookie flags (HttpOnly/Secure/SameSite), and 10 pts CSP policy strength (same grader as the standalone /csp tool). Every weight is fixed in api/health-score.php and re-published here verbatim.
Changelog. v2.0 (2026-06-02) — added Cookies (10 pts) and CSP quality (10 pts) as distinct categories; the overall 0–100 number is now a normalisation of 120 raw points, so scores shifted slightly versus v1.0. v1.0 (2026-05-05) — initial four-category formula (security headers, SSL/TLS, performance, best practices).

1. Security Headers — 30 pts

Header                             Weight
Strict-Transport-Security (HSTS)   6
Content-Security-Policy            6
X-Content-Type-Options             4
X-Frame-Options                    4
Referrer-Policy                    3
Permissions-Policy                 3
X-XSS-Protection                   2
Cross-Origin-Opener-Policy         2

Weights mirror the OWASP Secure Headers Project priority list. HSTS and CSP carry the heaviest weight because they prevent the largest attack classes (downgrade + script injection). Headers absent → 0 pts; present (any non-empty value) → full weight.

2. SSL/TLS — 25 pts

  • 10 pts — valid certificate (chain trusted, not revoked)
  • 5 pts — hostname matches CN/SAN
  • 5 pts — expires in >30 days (3 pts if 7–30 days, 0 if <7)
  • 5 pts — TLS 1.2 or TLS 1.3 negotiated

No HTTPS at all → 0 pts (entire 25-pt block lost). Standard reference: Mozilla Server-Side TLS Guidelines.

3. Performance — 25 pts

  • 15 pts — TTFB < 800 ms (full); 10 pts if 800–1500 ms; 5 pts if 1500–3000 ms; 0 if >3000 ms
  • 5 pts — response < 500 KB (3 pts if 500 KB–2 MB; 0 if >2 MB)
  • 5 pts — 0–1 redirect hops (3 pts if 2; 0 if 3+)

TTFB thresholds match Google Core Web Vitals "Good" / "Needs Improvement" / "Poor" boundaries. Size + redirect penalties are author judgement calls based on what consistently degrades real-user experience in our RUM data.

4. Best Practices — 20 pts

  • 8 pts — final URL is HTTPS
  • 6 pts — response status 200, or a 301/302 that resolves to a 200
  • 3 pts — Content-Type header set
  • 3 pts — response is gzip / br compressed

5. Cookies — 10 pts (v2.0)

  • 4 pts — all Set-Cookie carry HttpOnly (partial credit pro-rata)
  • 4 pts — all Set-Cookie carry Secure
  • 2 pts — all Set-Cookie carry SameSite

A site that sets no cookies on the first response scores the full 10 — no cookies means no tracking/PII risk. Same flag heuristic as the standalone Cookie Security tool + its embeddable badge.

6. CSP — 10 pts (v2.0)

  • 10 / 8 / 6 / 4 / 2 pts — CSP policy graded A / B / C / D / F
  • 0 pts — no Content-Security-Policy header at all

The letter grade comes from the exact same grader as the standalone CSP Analyzer (src/csp-analyze.php) — directive coverage, unsafe-inline/unsafe-eval penalties, wildcard sources. A report-only policy is graded but flagged.

Normalisation

The six categories sum to 120 raw points. The published 0–100 score is round(raw / 120 × 100), clamped to 0–100. This keeps each category's internal weighting unchanged from v1.0 while folding in the two new dimensions.

Grade letter mapping

Score     Grade
90–100    A+
80–89     A
70–79     B
60–69     C
50–59     D
0–49      F
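As an added worked example (not the project's api/health-score.php), the six category rules, the 120-point normalisation and the grade mapping above in Python, run against a constructed probe result. Where the page does not specify them, band edges and pro-rata credit for all three cookie flags are assumptions.

```python
# Added illustration of the v2.0 formula on this page; not api/health-score.php.
# Assumptions the page leaves open: band edges (1500 ms, 2 MB) fall in the lower
# band, and pro-rata credit applies to all three cookie flags, not just HttpOnly.
HEADER_WEIGHTS = {"strict-transport-security": 6, "content-security-policy": 6,
                  "x-content-type-options": 4, "x-frame-options": 4, "referrer-policy": 3,
                  "permissions-policy": 3, "x-xss-protection": 2, "cross-origin-opener-policy": 2}
CSP_POINTS = {"A": 10, "B": 8, "C": 6, "D": 4, "F": 2}  # no CSP header at all -> 0
GRADES = [(90, "A+"), (80, "A"), (70, "B"), (60, "C"), (50, "D"), (0, "F")]

def security_headers(h):  # any non-empty value earns the full weight, absent -> 0
    return sum(w for k, w in HEADER_WEIGHTS.items() if h.get(k, "").strip())

def ssl_tls(https, valid, host_ok, days_left, proto):
    if not https:
        return 0  # the whole 25-pt block is lost
    pts = (10 if valid else 0) + (5 if host_ok else 0)
    pts += 5 if days_left > 30 else (3 if days_left >= 7 else 0)
    return pts + (5 if proto in ("TLSv1.2", "TLSv1.3") else 0)

def performance(ttfb_ms, size_bytes, hops):
    ttfb = 15 if ttfb_ms < 800 else 10 if ttfb_ms <= 1500 else 5 if ttfb_ms <= 3000 else 0
    size = 5 if size_bytes < 500_000 else 3 if size_bytes <= 2_000_000 else 0
    return ttfb + size + (5 if hops <= 1 else 3 if hops == 2 else 0)

def best_practices(final_https, status_ok, h):
    return ((8 if final_https else 0) + (6 if status_ok else 0) + (3 if h.get("content-type") else 0)
            + (3 if h.get("content-encoding", "").lower() in ("gzip", "br") else 0))

def cookies(set_cookie):  # attributes are parsed, so a cookie *named* "secure" earns nothing
    if not set_cookie:
        return 10  # no cookies on the first response -> full marks
    attrs = [{p.strip().split("=")[0].lower() for p in c.split(";")[1:]} for c in set_cookie]
    share = lambda flag: sum(flag in a for a in attrs) / len(attrs)
    return 4 * share("httponly") + 4 * share("secure") + 2 * share("samesite")

def normalise(raw):  # 120 raw points -> published 0-100, clamped
    return max(0, min(100, round(raw * 100 / 120)))

def grade(score):
    return next(letter for floor, letter in GRADES if score >= floor)

def score_sample():  # constructed probe: good TLS, slow TTFB, two hops, one cookie lacking flags
    h = {"strict-transport-security": "max-age=63072000", "content-security-policy": "default-src 'self'",
         "x-content-type-options": "nosniff", "x-frame-options": "DENY", "referrer-policy": "no-referrer",
         "content-type": "text/html; charset=utf-8", "content-encoding": "gzip"}
    raw = (security_headers(h) + ssl_tls(True, True, True, 45, "TLSv1.3") + performance(1200, 320_000, 2)
           + best_practices(True, True, h) + CSP_POINTS.get("B", 0)
           + cookies(["sid=abc; Path=/; HttpOnly; Secure; SameSite=Lax", "prefs=1; Path=/; Secure"]))
    return raw, normalise(raw), grade(normalise(raw))
```

The sample lands on 101 raw points, which normalises to 84 and therefore an A rather than an A+; dropping the second redirect hop and fixing the TTFB would be worth 12 raw points, or 10 on the published scale.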

Versioning

v1.0 — published 2026-05-05. Mirrors api/health-score.php as of commit fab3b25 (Wave 1 of the SEO audit). Future weight changes will bump the version + add a delta block at the bottom of this page so historical citations remain reproducible.
