Security Grade methodology — v1.0
1. HTTPS Enforcement — 10 pts
- 5 pts — final URL is served over HTTPS
- 5 pts — HTTP → HTTPS 301 redirect (no mixed-protocol bouncing)
2. HSTS Configuration — 10 pts
- 3 pts — Strict-Transport-Security header present
- 3 pts — max-age ≥ 31536000 (one year)
- 2 pts — includeSubDomains directive set
- 2 pts — preload directive set + domain on hstspreload.org list
3. Security Headers — ~20 pts cumulative
Same weight table as the Health Score security headers block — see /methodology/health-score. Notable in this category: CSP (6 pts) and HSTS (scored in §2 and not counted a second time here) carry the heaviest weight because they mitigate the broadest attack classes, XSS and protocol downgrade respectively.
4. Cookie Flags — 10 pts
- 4 pts — all cookies have the Secure flag (cookie is only sent over HTTPS)
- 3 pts — all cookies have HttpOnly (not accessible to JavaScript)
- 3 pts — all cookies have SameSite (CSRF mitigation)
Partial pass (exactly 1 of N cookies missing a flag) earns 1 pt for that flag instead of zero — the ranking encourages incremental hardening rather than punishing legacy systems for any single misconfigured cookie.
5. Information Disclosure — 5 pts
- 2 pts — no Server: header leak (absent, or a generic value such as nginx with no version string)
- 2 pts — no X-Powered-By: header (PHP / Express / etc. fingerprint)
- 1 pt — no .git / .env / debug paths exposed
Grade letter mapping
| Score | Grade |
|---|---|
| 50–55 | A+ |
| 45–49 | A |
| 38–44 | B |
| 30–37 | C |
| 20–29 | D |
| 0–19 | F |
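As an added worked example (not the project's src/security.php or any other code from the page), the rubric above written out in Python: one function per category, the letter bands taken from the grade table, and two constructed `Observation` records as input. The §3 header-table points, the hstspreload.org membership and the .git/.env/debug path-probe results are assumed inputs because their sources sit outside this page; the `Observation` type, the field names and the function names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass
class Observation:
    """Hypothetical crawler record; field names are this example's own, not the project's."""
    chain: List[Tuple[str, int]]   # (requested URL, status) per hop; the last hop is the final URL
    headers: Dict[str, str]        # response headers of the final URL
    set_cookies: List[str]         # raw Set-Cookie values from the final response
    header_table_pts: int          # section 3 points, taken from the separate Health Score table
    hsts_preloaded: bool           # assumed result of a lookup against hstspreload.org
    exposed_paths: List[str]       # assumed probe results for .git / .env / debug paths


def header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup, since HTTP header names are case-insensitive."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)


def score_https(obs: Observation) -> int:
    """Section 1: 5 pts for an HTTPS final URL, 5 pts for a clean HTTP -> HTTPS 301 chain."""
    schemes = [urlsplit(url).scheme for url, _ in obs.chain]
    pts = 5 if schemes[-1] == "https" else 0
    # The plain-HTTP hop must answer 301 and every later hop must stay on HTTPS (no bouncing).
    if (schemes[0] == "http" and obs.chain[0][1] == 301 and len(schemes) > 1
            and all(s == "https" for s in schemes[1:])):
        pts += 5
    return pts


def score_hsts(obs: Observation) -> int:
    """Section 2: split the Strict-Transport-Security value into its directives."""
    raw = header(obs.headers, "Strict-Transport-Security")
    if raw is None:
        return 0
    directives = {}
    for part in raw.split(";"):
        name, _, value = part.strip().partition("=")
        directives[name.strip().lower()] = value.strip().strip('"')
    pts = 3
    if directives.get("max-age", "").isdigit() and int(directives["max-age"]) >= 31536000:
        pts += 3
    if "includesubdomains" in directives:
        pts += 2
    if "preload" in directives and obs.hsts_preloaded:
        pts += 2
    return pts


def score_cookies(obs: Observation) -> int:
    """Section 4: full points when every cookie has the flag; 1 pt when exactly 1 of N lacks it."""
    # Attribute names after the leading name=value pair, lowercased ("SameSite=Lax" -> "samesite").
    attrs = [{p.strip().partition("=")[0].lower() for p in c.split(";")[1:]} for c in obs.set_cookies]
    pts = 0
    for flag, full in (("secure", 4), ("httponly", 3), ("samesite", 3)):
        missing = sum(flag not in a for a in attrs)
        if missing == 0:                        # vacuously true when no cookies are set (assumption)
            pts += full
        elif missing == 1 and len(attrs) > 1:   # the rubric's "1 of N" partial pass
            pts += 1
    return pts


def score_disclosure(obs: Observation) -> int:
    """Section 5: absent or generic Server, no X-Powered-By, no exposed sensitive paths."""
    server = header(obs.headers, "Server")
    pts = 0
    # Any digit is treated as a version fingerprint: "nginx" passes, "nginx/1.24.0" fails.
    if server is None or not re.search(r"\d", server):
        pts += 2
    if header(obs.headers, "X-Powered-By") is None:
        pts += 2
    if not obs.exposed_paths:
        pts += 1
    return pts


GRADE_BANDS = ((50, "A+"), (45, "A"), (38, "B"), (30, "C"), (20, "D"), (0, "F"))


def letter_grade(total: int) -> str:
    """Map a 0-55 total onto the letter bands of the grade table."""
    return next(g for floor, g in GRADE_BANDS if total >= floor)


def security_grade(obs: Observation) -> Dict[str, object]:
    """Whole rubric: per-category points, total out of 55 and the letter grade."""
    cats = {"https": score_https(obs), "hsts": score_hsts(obs), "headers": obs.header_table_pts,
            "cookies": score_cookies(obs), "disclosure": score_disclosure(obs)}
    total = sum(cats.values())
    return {**cats, "total": total, "grade": letter_grade(total)}


# Constructed sample, not a real measurement: a well-hardened site.
HARDENED = Observation(
    chain=[("http://example.test/", 301), ("https://example.test/", 200)],
    headers={"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
             "Server": "nginx"},
    set_cookies=["session=abc; Path=/; Secure; HttpOnly; SameSite=Lax",
                 "pref=dark; Path=/; Secure; HttpOnly; SameSite=Lax"],
    header_table_pts=18, hsts_preloaded=True, exposed_paths=[])

# Constructed sample: HTTPS works, but a 302, a short max-age, one legacy cookie and banners remain.
LEGACY = Observation(
    chain=[("http://legacy.test/", 302), ("https://legacy.test/", 200)],
    headers={"Strict-Transport-Security": "max-age=300", "Server": "Apache/2.4.57",
             "X-Powered-By": "PHP/8.2"},
    set_cookies=["a=1; Secure; HttpOnly", "b=2; Secure; HttpOnly", "c=3; HttpOnly"],
    header_table_pts=6, hsts_preloaded=False, exposed_paths=["/.env"])

if __name__ == "__main__":
    print(security_grade(HARDENED))   # total 53, grade A+
    print(security_grade(LEGACY))     # total 18, grade F
```

Two readings in the code are this example's choices rather than the page's: the "1 of N" partial pass is applied only when at least two cookies are set, and a Server value counts as a version leak whenever it contains a digit. Both are easy to swap for whatever src/security.php does; the per-category functions keep each score independently checkable, which is what makes the weights in the versioning note auditable.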
References
- OWASP Secure Headers Project
- Chrome HSTS Preload List
- Mozilla Observatory — anchor methodology for grading
- OWASP XSS Reference
- OWASP HttpOnly Cookie Reference
Versioning
v1.0 — published 2026-05-05. Mirrors src/security.php as of HEAD on 2026-05-05. The category weights are author judgement based on attack-class blast radius (HTTPS + HSTS rated highest because their absence enables MitM + downgrade; information disclosure rated lowest because it is recon-only). Future weight changes bump the version + add a delta block.