
Health Score methodology — v1.0

TL;DR. The 0–100 Enterno.io Health Score is the sum of four open categories: 30 pts for security HTTP headers, 25 pts for SSL/TLS posture, 25 pts for performance (response time + content size + redirects), and 20 pts for best practices (HTTPS-only, valid status, content-type set). Every weight is fixed in api/health-score.php and re-published here verbatim.

1. Security Headers — 30 pts

Header                               Weight
Strict-Transport-Security (HSTS)     6
Content-Security-Policy              6
X-Content-Type-Options               4
X-Frame-Options                      4
Referrer-Policy                      3
Permissions-Policy                   3
X-XSS-Protection                     2
Cross-Origin-Opener-Policy           2

Weights mirror the OWASP Secure Headers Project priority list. HSTS and CSP carry the heaviest weight because they prevent the largest attack classes (downgrade + script injection). Headers absent → 0 pts; present (any non-empty value) → full weight.

2. SSL/TLS — 25 pts

  • 10 pts — valid certificate (chain trusted, not revoked)
  • 5 pts — hostname matches CN/SAN
  • 5 pts — expires in >30 days (3 pts if 7–30 days, 0 if <7)
  • 5 pts — TLS 1.2 or TLS 1.3 negotiated

No HTTPS at all → 0 pts (entire 25-pt block lost). Standard reference: Mozilla Server-Side TLS Guidelines.

3. Performance — 25 pts

  • 15 pts — TTFB < 800 ms (full); 10 pts if 800–1500 ms; 5 pts if 1500–3000 ms; 0 if >3000 ms
  • 5 pts — response < 500 KB (3 pts if 500 KB–2 MB; 0 if >2 MB)
  • 5 pts — 0–1 redirect hops (3 pts if 2; 0 if 3+)

TTFB thresholds match Google Core Web Vitals "Good" / "Needs Improvement" / "Poor" boundaries. Size + redirect penalties are author judgement calls based on what consistently degrades real-user experience in our RUM data.

4. Best Practices — 20 pts

  • 8 pts — final URL is HTTPS
  • 6 pts — response status 200 or 301/302 to a 200
  • 3 pts — Content-Type header set
  • 3 pts — response is gzip / br compressed

Grade letter mapping

Score      Grade
90–100     A+
80–89      A
70–79      B
60–69      C
50–59      D
0–49       F
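As an added worked example (not the project's api/health-score.php), the four categories and the grade mapping above re-implemented as a pure Python scoring function over an already-collected observation of one URL. The Observation shape, its field names and the 1 KB = 1024 bytes convention are assumptions of this example; every weight and threshold is the one published on this page. Two constructed observations exercise both ends of the scale.

```python
"""Health Score v1.0 rules from this page, re-implemented in Python.

Added example, not api/health-score.php. It scores an already-collected
observation of one URL; the Observation shape and 1 KB = 1024 bytes are
assumptions, every weight and threshold is the page's.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Section 1 weights (sum to 30); header names compare case-insensitively.
HEADER_WEIGHTS = {
    "strict-transport-security": 6, "content-security-policy": 6,
    "x-content-type-options": 4, "x-frame-options": 4,
    "referrer-policy": 3, "permissions-policy": 3,
    "x-xss-protection": 2, "cross-origin-opener-policy": 2,
}
# Grade letter mapping, highest floor first.
GRADES = [(90, "A+"), (80, "A"), (70, "B"), (60, "C"), (50, "D"), (0, "F")]

@dataclass
class Observation:
    """One probe of a URL as the caller collected it (assumed shape)."""
    headers: Dict[str, str]            # final response headers, any case
    https: bool                        # final URL scheme is https
    first_status: int                  # status of the first response
    final_status: int                  # status after following redirects
    redirect_hops: int
    ttfb_ms: float
    body_bytes: int
    cert_valid: bool = False           # chain trusted, not revoked
    hostname_match: bool = False       # CN/SAN covers the hostname
    cert_days_left: int = 0
    tls_version: Optional[str] = None  # e.g. "TLSv1.3"

def _lower(headers):
    return {k.lower(): v for k, v in headers.items()}

def score_headers(headers) -> int:
    """Section 1 (30 pts): presence only, so a permissive CSP still earns 6."""
    h = _lower(headers)
    return sum(w for name, w in HEADER_WEIGHTS.items() if h.get(name, "").strip())

def score_tls(o) -> int:
    """Section 2 (25 pts): the whole block is forfeited without HTTPS."""
    if not o.https:
        return 0
    pts = (10 if o.cert_valid else 0) + (5 if o.hostname_match else 0)
    if o.cert_days_left > 30:
        pts += 5
    elif o.cert_days_left >= 7:     # the 7-30 day band
        pts += 3
    if o.tls_version in ("TLSv1.2", "TLSv1.3"):
        pts += 5
    return pts

def score_performance(o) -> int:
    """Section 3 (25 pts): TTFB bands, body-size bands, redirect hops."""
    if o.ttfb_ms < 800:
        pts = 15
    else:
        pts = 10 if o.ttfb_ms <= 1500 else 5 if o.ttfb_ms <= 3000 else 0
    kb = o.body_bytes / 1024
    pts += 5 if kb < 500 else 3 if kb <= 2048 else 0
    pts += 5 if o.redirect_hops <= 1 else 3 if o.redirect_hops == 2 else 0
    return pts

def score_best_practices(o) -> int:
    """Section 4 (20 pts)."""
    h = _lower(o.headers)
    pts = 8 if o.https else 0
    if o.first_status == 200 or (o.first_status in (301, 302) and o.final_status == 200):
        pts += 6
    pts += 3 if h.get("content-type", "").strip() else 0
    pts += 3 if h.get("content-encoding", "").lower() in ("gzip", "br") else 0
    return pts

def health_score(o) -> int:
    return score_headers(o.headers) + score_tls(o) + score_performance(o) + score_best_practices(o)

def grade(score: int) -> str:
    return next(letter for floor, letter in GRADES if score >= floor)

# Constructed sample: well-configured HTTPS site missing three lower-weight headers.
GOOD = Observation(
    headers={"Strict-Transport-Security": "max-age=63072000",
             "Content-Security-Policy": "default-src 'self'",
             "X-Content-Type-Options": "nosniff", "X-Frame-Options": "DENY",
             "Referrer-Policy": "no-referrer", "Content-Type": "text/html",
             "Content-Encoding": "br"},
    https=True, first_status=301, final_status=200, redirect_hops=1,
    ttfb_ms=420, body_bytes=180 * 1024, cert_valid=True, hostname_match=True,
    cert_days_left=45, tls_version="TLSv1.3")
# Constructed sample: plain-HTTP site, slow, oversized, with a 3-hop redirect chain.
POOR = Observation(
    headers={"X-Frame-Options": "SAMEORIGIN", "Content-Type": "text/html"},
    https=False, first_status=200, final_status=200, redirect_hops=3,
    ttfb_ms=1900, body_bytes=int(2.5 * 1024 * 1024))

if __name__ == "__main__":
    for name, o in (("good", GOOD), ("poor", POOR)):
        s = health_score(o)
        print(f"{name}: {s}/100 -> {grade(s)}")  # good: 93/100 -> A+, poor: 18/100 -> F
```

Because section 1 awards full weight for any non-empty value, score_headers is deliberately a presence check, as the page states; judging the quality of a CSP or HSTS value would be a separate step on top of this score.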

Versioning

v1.0 — published 2026-05-05. Mirrors api/health-score.php as of commit fab3b25 (Wave 1 of the SEO audit). Future weight changes will bump the version + add a delta block at the bottom of this page so historical citations remain reproducible.