Methodology
Transparent, reproducible scoring. No black boxes.
Every scan starts at 100 points. Points are deducted for each missing, misconfigured, or weak security control. The final score maps to a letter grade. Scores are capped at a minimum of 0.
Each finding is assigned a severity — Critical, Important, or Minor — which determines how many points are lost. Critical findings have an outsized impact on the grade; Minor findings are noted but do not sink a score on their own.
When a header is present but misconfigured (weak value), its severity is downgraded one level and the deduction is halved vs. the missing case.
| Finding | Severity | Deduction |
|---|---|---|
| Content-Security-Policy missing | Critical | −20 pts |
| CSP present but weakened (unsafe-inline, unsafe-eval, or wildcard (*) in script-src) | Important | −10 pts |
| Strict-Transport-Security missing | Critical | −20 pts |
| HSTS max-age too short (max-age below 6 months, 15 768 000 s) | Important | −10 pts |
| X-Frame-Options missing | Important | −10 pts |
| X-Frame-Options invalid value (must be DENY or SAMEORIGIN; CSP frame-ancestors is an accepted equivalent) | Minor | −5 pts |
| X-Content-Type-Options missing | Important | −10 pts |
| X-Content-Type-Options wrong value (must be exactly nosniff) | Minor | −5 pts |
| Referrer-Policy missing | Minor | −5 pts |
| Referrer-Policy unsafe value (present but not in the safe list; may expose URL parameters to third parties) | Minor | −2 pts |
| Permissions-Policy missing | Minor | −5 pts |
| CORS wildcard (Access-Control-Allow-Origin: *; allows any origin to read responses, a risk to authenticated endpoints) | Important | −5 pts |
| Server header exposes version number (e.g. nginx/1.24.0; lets attackers target known CVEs) | Minor | −3 pts |
| X-Powered-By header present (discloses server-side technology stack) | Minor | −3 pts |
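The following Python is an added example, not WebAudit's own code: it applies the header deductions from the table above to a dictionary of response headers, starting from 100 points and flooring at 0 as the scoring intro describes. The referrer "safe list" is not spelled out on this page, so the set used here is an assumption; the CSP check also applies the standard default-src fallback when script-src is absent, which goes slightly beyond the table's wording. The sample header sets are constructed.

```python
import re

# Added example, not WebAudit's own code. Deductions mirror the header table;
# SAFE_REFERRER_POLICIES is an assumption (the page does not list the safe values).
SIX_MONTHS = 15_768_000  # seconds; the HSTS max-age threshold from the table
SAFE_REFERRER_POLICIES = {  # assumed: none of these send the full URL to third parties
    "no-referrer", "same-origin", "origin", "strict-origin",
    "origin-when-cross-origin", "strict-origin-when-cross-origin",
}
UNSAFE_CSP_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*"}


def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy


def csp_is_weak(value):
    """True when script execution is effectively unrestricted. The table names
    script-src; the CSP fallback to default-src is applied when script-src is absent."""
    policy = parse_csp(value)
    sources = policy.get("script-src", policy.get("default-src", []))
    return any(src in UNSAFE_CSP_SOURCES for src in sources)


def hsts_max_age(value):
    """Extract max-age from a Strict-Transport-Security value; 0 if absent."""
    match = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(match.group(1)) if match else 0


def score_headers(headers):
    """Apply the header deductions to response headers (name -> value, any case).
    Returns (score, findings); score starts at 100 and is floored at 0."""
    h = {name.lower(): value.strip() for name, value in headers.items()}
    findings = []

    csp = h.get("content-security-policy")
    if csp is None:
        findings.append(("Content-Security-Policy missing", "Critical", 20))
    elif csp_is_weak(csp):
        findings.append(("CSP present but weakened", "Important", 10))

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("Strict-Transport-Security missing", "Critical", 20))
    elif hsts_max_age(hsts) < SIX_MONTHS:
        findings.append(("HSTS max-age too short", "Important", 10))

    # frame-ancestors in CSP is accepted as the equivalent of X-Frame-Options
    xfo = h.get("x-frame-options")
    if "frame-ancestors" not in parse_csp(csp or ""):
        if xfo is None:
            findings.append(("X-Frame-Options missing", "Important", 10))
        elif xfo.upper() not in ("DENY", "SAMEORIGIN"):
            findings.append(("X-Frame-Options invalid value", "Minor", 5))

    xcto = h.get("x-content-type-options")
    if xcto is None:
        findings.append(("X-Content-Type-Options missing", "Important", 10))
    elif xcto.lower() != "nosniff":
        findings.append(("X-Content-Type-Options wrong value", "Minor", 5))

    referrer = h.get("referrer-policy")
    if referrer is None:
        findings.append(("Referrer-Policy missing", "Minor", 5))
    elif referrer.lower() not in SAFE_REFERRER_POLICIES:
        findings.append(("Referrer-Policy unsafe value", "Minor", 2))

    if "permissions-policy" not in h:
        findings.append(("Permissions-Policy missing", "Minor", 5))
    if h.get("access-control-allow-origin") == "*":
        findings.append(("CORS wildcard", "Important", 5))
    if re.search(r"\d+\.\d+", h.get("server", "")):  # e.g. nginx/1.24.0
        findings.append(("Server header exposes version number", "Minor", 3))
    if "x-powered-by" in h:
        findings.append(("X-Powered-By header present", "Minor", 3))

    score = max(0, 100 - sum(points for _, _, points in findings))
    return score, findings


# Constructed sample responses, not real scan output
HARDENED = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=()",
    "Server": "nginx",
}
WEAK = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=86400",
    "X-Frame-Options": "ALLOWALL",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "unsafe-url",
    "Access-Control-Allow-Origin": "*",
    "Server": "nginx/1.24.0",
    "X-Powered-By": "PHP/8.2",
}
```

Running `score_headers(WEAK)` returns 57: every header is present, yet eight weak values still cost 43 points, which is the "present but misconfigured" path the intro describes. An empty header set loses the full 70 points that the missing-header rows add up to.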
Expiry, self-signed, cipher, and protocol deductions are independent and cumulative (worst case: expired −30 + self-signed −20 + deprecated protocol −10 + weak cipher −10 = −70). Connection-error paths (SSLError, unreachable) are mutually exclusive with each other and with the certificate/cipher checks — only one applies per scan.
| Finding | Severity | Deduction |
|---|---|---|
| Certificate expired | Critical | −30 pts |
| Expires within 14 days | Critical | −20 pts |
| Expires within 30 days | Important | −10 pts |
| Expires within 60 days | Minor | −5 pts |
| Self-signed certificate | Critical | −20 pts |
| Deprecated TLS protocol in use (SSLv2, SSLv3, TLSv1, TLSv1.1; stacks independently with cipher and expiry deductions) | Important | −10 pts |
| Weak cipher suite in use (RC4, DES, 3DES, NULL, EXPORT, ANON; stacks independently with protocol and expiry deductions) | Important | −10 pts |
| TLS handshake or certificate verification failed (SSLError or cert verification error; no other TLS deductions applied in this path) | Critical | −15 pts |
| HTTPS not reachable on port 443 (connection refused, timed out, or unreachable; no other TLS deductions applied in this path) | Critical | −20 pts |
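The stacking rules above (cumulative certificate and cipher deductions, mutually exclusive connection-error paths) as an added Python example, not WebAudit's own code. The `result` dictionary is an assumed shape standing in for what one scan connection collects: the certificate's notAfter string in the format `ssl.SSLSocket.getpeercert()` returns, the protocol name as `SSLSocket.version()` reports it, and the cipher name. All sample results are constructed and evaluated at a fixed clock so the expiry brackets are reproducible.

```python
import ssl

# Added example, not WebAudit's own code. `result` is an assumed dictionary shape:
#   error: "ssl" | "unreachable" | None, not_after: getpeercert()-style date string,
#   self_signed: bool, protocol: SSLSocket.version() name, cipher: cipher suite name.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "ANON")  # "DES" also matches 3DES names
DAY = 86400


def days_until_expiry(not_after, now):
    """Days (negative once expired) until notAfter, with `now` in epoch seconds."""
    return (ssl.cert_time_to_seconds(not_after) - now) / DAY


def tls_deductions(result, now):
    """Return [(finding, severity, points)] following the table's stacking rules:
    error paths are exclusive; expiry, self-signed, protocol and cipher stack."""
    # Connection-error paths: exactly one finding and nothing else
    if result.get("error") == "ssl":
        return [("TLS handshake or certificate verification failed", "Critical", 15)]
    if result.get("error") == "unreachable":
        return [("HTTPS not reachable on port 443", "Critical", 20)]

    findings = []
    # Expiry: only the tightest matching bracket applies
    days = days_until_expiry(result["not_after"], now)
    if days < 0:
        findings.append(("Certificate expired", "Critical", 30))
    elif days <= 14:
        findings.append(("Expires within 14 days", "Critical", 20))
    elif days <= 30:
        findings.append(("Expires within 30 days", "Important", 10))
    elif days <= 60:
        findings.append(("Expires within 60 days", "Minor", 5))

    # The remaining three are independent and cumulative
    if result.get("self_signed"):
        findings.append(("Self-signed certificate", "Critical", 20))
    if result.get("protocol") in DEPRECATED_PROTOCOLS:
        findings.append(("Deprecated TLS protocol in use", "Important", 10))
    if any(marker in result.get("cipher", "").upper() for marker in WEAK_CIPHER_MARKERS):
        findings.append(("Weak cipher suite in use", "Important", 10))
    return findings


def total_deduction(findings):
    return sum(points for _, _, points in findings)


# Constructed scan results, evaluated at a fixed "now" of 2024-01-01 00:00:00 UTC
NOW = 1704067200
WORST_CASE = {"not_after": "Dec 31 00:00:00 2023 GMT", "self_signed": True,
              "protocol": "TLSv1", "cipher": "RC4-SHA"}
HEALTHY = {"not_after": "Dec 31 00:00:00 2024 GMT", "self_signed": False,
           "protocol": "TLSv1.3", "cipher": "TLS_AES_256_GCM_SHA384"}
EXPIRING = {"not_after": "Jan 10 00:00:00 2024 GMT", "self_signed": False,
            "protocol": "TLSv1.2", "cipher": "ECDHE-RSA-AES128-GCM-SHA256"}
# An SSLError short-circuits: the expired, self-signed certificate is never scored
HANDSHAKE_FAILED = {"error": "ssl", "not_after": "Dec 31 00:00:00 2023 GMT",
                    "self_signed": True, "protocol": "TLSv1", "cipher": "RC4-SHA"}
```

`tls_deductions(WORST_CASE, NOW)` reproduces the −70 worst case from the text, while `HANDSHAKE_FAILED`, which carries the same bad certificate, yields only the single −15 handshake finding.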
Domain normalization: DNS records are always queried at the apex domain. If you scan www.example.com, WebAudit resolves DNS for example.com, because SPF, DMARC, DKIM, CAA, and DNSSEC records live at the apex, not on the www subdomain. Subdomains are stripped automatically so the scan always reflects your domain's actual email security posture.
| Finding | Severity | Deduction |
|---|---|---|
| SPF record missing | Important | −3 pts |
| SPF record invalid or multiple records (RFC 7208 permits exactly one SPF TXT record per domain) | Important | −3 pts |
| SPF weak policy (+all or ?all allow any sender to pass SPF) | Minor | −3 pts |
| DMARC record missing | Important | −5 pts |
| DMARC policy set to none (p=none monitors but takes no enforcement action) | Minor | −3 pts |
| DMARC policy unknown or invalid (any p= value other than none / quarantine / reject; treated the same as a missing DMARC record) | Important | −5 pts |
| DKIM not detected (checked against 12 common selectors; custom selectors may not be found) | Minor | −2 pts |
| CAA records missing (no Certification Authority Authorization records restrict certificate issuance) | Minor | −2 pts |
| DNSSEC not enabled (checked via DS records at the domain registrar) | Minor | −3 pts |
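An added Python example, not WebAudit's own code, covering the apex normalization described above and the SPF and DMARC rows of the table. The apex function assumes a two-label registrable domain (example.com); multi-label public suffixes such as co.uk would need the Public Suffix List. TXT records are constructed strings standing in for resolver answers, so nothing here touches the network; the DMARC record is read from the `_dmarc` label of the apex, where the protocol places it.

```python
# Added example, not WebAudit's own code. All records below are constructed.


def apex_domain(hostname):
    """Strip subdomains so records are looked up at the apex. Assumption: two-label
    apex (example.com); co.uk-style suffixes would need the Public Suffix List."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_spf(txt_records):
    """SPF rows of the table: missing, multiple records, or a +all / ?all policy."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return ("SPF record missing", "Important", 3)
    if len(spf) > 1:  # RFC 7208 allows exactly one
        return ("SPF record invalid or multiple records", "Important", 3)
    for term in spf[0].split()[1:]:
        # A term is [qualifier]mechanism; the qualifier defaults to "+"
        qualifier, mechanism = (term[0], term[1:]) if term[0] in "+-~?" else ("+", term)
        if mechanism.lower() == "all" and qualifier in "+?":
            return ("SPF weak policy", "Minor", 3)
    return None


def check_dmarc(txt_records):
    """DMARC rows of the table: missing record, p=none, or an unknown/invalid p= value."""
    dmarc = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        return ("DMARC record missing", "Important", 5)
    tags = {}
    for item in dmarc[0].split(";"):
        key, sep, value = item.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip().lower()
    policy = tags.get("p")
    if policy in ("quarantine", "reject"):
        return None
    if policy == "none":
        return ("DMARC policy set to none", "Minor", 3)
    return ("DMARC policy unknown or invalid", "Important", 5)


def dns_findings(hostname, txt_by_name):
    """Run both checks for a scanned hostname. txt_by_name maps a DNS name to its
    TXT records (a constructed lookup table in place of a resolver)."""
    apex = apex_domain(hostname)
    findings = [check_spf(txt_by_name.get(apex, [])),
                check_dmarc(txt_by_name.get(f"_dmarc.{apex}", []))]
    return [f for f in findings if f is not None]


SAMPLE_ZONE = {  # constructed records for the example
    "example.com": ["v=spf1 include:_spf.example.net -all", "site-verification=abc123"],
    "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"],
}
```

`dns_findings("www.example.com", SAMPLE_ZONE)` strips the www label, finds a single hard-fail SPF record (no finding), and reports the monitoring-only DMARC policy as the Minor −3 row.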
Deductions apply per insecure cookie. A page with many insecure cookies can accumulate significant point loss. SameSite issues are reported but do not currently affect the score.
| Finding | Severity | Deduction |
|---|---|---|
| Secure flag missing | Important | −5 pts |
| HttpOnly flag missing | Important | −5 pts |
| SameSite=None or SameSite missing (reported as a finding; no point deduction applied in current scoring) | Minor | 0 pts |
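The per-cookie accumulation described above as an added Python example, not WebAudit's own code. It parses raw Set-Cookie values with a small hand-written splitter (an assumption about how the scanner reads them) and deducts once per cookie per missing flag, so three insecure cookies cost three times as much as one; SameSite is recorded at 0 points as the table states. The Set-Cookie lines are constructed.

```python
# Added example, not WebAudit's own code. The Set-Cookie lines are constructed.


def parse_set_cookie(line):
    """Return (name, attributes) for one Set-Cookie value. Attribute names are
    lowercased; flag attributes such as Secure and HttpOnly map to an empty string."""
    pieces = [p.strip() for p in line.split(";")]
    name = pieces[0].partition("=")[0].strip()
    attributes = {}
    for piece in pieces[1:]:
        key, _, value = piece.partition("=")
        attributes[key.strip().lower()] = value.strip()
    return name, attributes


def score_cookies(set_cookie_lines):
    """Apply the per-cookie deductions: every insecure cookie costs points on its
    own, so a response with many of them accumulates loss. Returns (points, findings)."""
    findings = []
    for line in set_cookie_lines:
        name, attrs = parse_set_cookie(line)
        if "secure" not in attrs:
            findings.append((name, "Secure flag missing", "Important", 5))
        if "httponly" not in attrs:
            findings.append((name, "HttpOnly flag missing", "Important", 5))
        if attrs.get("samesite", "").lower() in ("", "none"):
            # reported but not scored in the current model
            findings.append((name, "SameSite=None or SameSite missing", "Minor", 0))
    return sum(f[3] for f in findings), findings


SAMPLE_SET_COOKIES = [  # constructed response headers
    "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
    "tracker=xyz; Path=/",
    "pref=dark; Secure; SameSite=None",
]
```

`score_cookies(SAMPLE_SET_COOKIES)` returns 15 points across five findings: the `tracker` cookie loses both flags (−10), `pref` lacks HttpOnly (−5), and the two SameSite findings are listed at 0.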
These are modern, emerging headers not yet universally deployed. All three are scored as Minor — their absence is noted but does not materially impact the overall grade.
| Finding | Severity | Deduction |
|---|---|---|
| Cross-Origin-Opener-Policy missing (weak value unsafe-none: −1 pt) | Minor | −2 pts |
| Cross-Origin-Embedder-Policy missing (weak value unsafe-none: −1 pt) | Minor | −2 pts |
| Cross-Origin-Resource-Policy missing (weak value cross-origin: −1 pt) | Minor | −2 pts |
Checks are performed by parsing the HTML body of the response. Each finding is binary and is deducted once regardless of how many instances exist.
| Finding | Severity | Deduction |
|---|---|---|
| Mixed content detected (HTTP resources loaded on an HTTPS page: scripts, images, iframes) | Important | −2 pts |
| Subresource Integrity (SRI) missing (external scripts or stylesheets loaded without an integrity= attribute) | Minor | −2 pts |
| Base tag present (<base href> can be hijacked to redirect relative links to a malicious domain) | Minor | −2 pts |
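The body checks above as an added Python example, not WebAudit's own code. It walks the HTML with the standard library's `html.parser`, raises each of the three flags at most once however many matching elements exist, and treats a script or stylesheet as external when its URL resolves to a host other than the scanned page's. The page host and the two HTML documents are constructed; the integrity value in the clean page is a placeholder, not a real hash.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Added example, not WebAudit's own code. Both HTML documents below are constructed.


class ContentAuditor(HTMLParser):
    """Collect the three binary findings from the table while parsing the body."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.mixed_content = False
        self.sri_missing = False
        self.base_tag = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # valueless attributes (e.g. async) map to None
        url = None
        if tag in ("script", "img", "iframe"):
            url = a.get("src")
        elif tag == "link" and (a.get("rel") or "").lower() == "stylesheet":
            url = a.get("href")
        elif tag == "base" and a.get("href"):
            self.base_tag = True
        if not url:
            return
        if url.lower().startswith("http://"):
            self.mixed_content = True
        # SRI applies to scripts and stylesheets fetched from another host;
        # protocol-relative URLs (//host/path) resolve to a host as well
        host = urlparse(url).hostname
        if tag in ("script", "link") and host and host != self.page_host and "integrity" not in a:
            self.sri_missing = True


def audit_html(html, page_host):
    """Return [(finding, severity, points)]; each is deducted once however many instances exist."""
    parser = ContentAuditor(page_host)
    parser.feed(html)
    findings = []
    if parser.mixed_content:
        findings.append(("Mixed content detected", "Important", 2))
    if parser.sri_missing:
        findings.append(("Subresource Integrity (SRI) missing", "Minor", 2))
    if parser.base_tag:
        findings.append(("Base tag present", "Minor", 2))
    return findings


RISKY_PAGE = """<html><head>
<base href="https://example.com/app/">
<link rel="stylesheet" href="https://cdn.example.net/lib.css">
<script src="//cdn.example.net/lib.js"></script>
</head><body>
<img src="http://static.example.com/a.png"><img src="http://static.example.com/b.png">
</body></html>"""

CLEAN_PAGE = """<html><head>
<script src="https://cdn.example.net/lib.js" integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<link rel="stylesheet" href="/static/site.css">
</head><body><img src="/static/logo.png"></body></html>"""
```

`audit_html(RISKY_PAGE, "example.com")` returns all three findings for a total of 6 points even though the page has two mixed-content images and two external resources without integrity; `CLEAN_PAGE` returns none because its only external script carries an integrity attribute and the other resources are same-origin.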