Scoring transparency for securityheaders.io

The new version of my HTTP header analysing service, https://securityheaders.io, was launched a little over a month ago and is doing really well! To ease myself into the New Year, I thought I'd start with a nice, simple blog post outlining the scoring criteria for each grade.


securityheaders.io

I launched the original version of securityheaders.io almost a year ago and whilst fairly basic, it was functional and gave feedback on various HTTP response headers. For the second version I wanted to go a step further and I really loved the A+ through F grading system on the SSL Test built by Ivan Ristić, so I wanted to implement something similar. That is now up and running and you can head over and see the various scores that you can achieve, along with examples of them, on the main page.

Security Headers main page


Scoring

Given that the site seems to be gaining some traction, and based on feedback I've received, I wanted to open up the scoring criteria so it is a little more transparent. The scoring is fairly simple, as there are currently only 4 headers I check for over HTTP connections and 6 over HTTPS connections.

HTTP headers

  • CSP
  • XFO
  • XCTO
  • XXSSP

HTTPS additional headers

  • STS
  • PKP
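As an added example (not the code behind securityheaders.io, and not its grading matrix), the check below reports which of the headers listed above are present or missing in a response, applying STS and PKP only when the page was fetched over HTTPS. The sample response headers are constructed, not taken from a real site.

```python
"""Report presence of the response headers named in the post.

HTTP header names are case-insensitive, so matching is done on
lower-cased names. An empty value is treated as missing, since an
empty header gives the browser nothing to enforce.
"""

# Headers checked on every connection (abbreviations as used in the post).
HTTP_HEADERS = {
    "CSP": "Content-Security-Policy",
    "XFO": "X-Frame-Options",
    "XCTO": "X-Content-Type-Options",
    "XXSSP": "X-XSS-Protection",
}

# Additional headers that only apply over HTTPS: browsers ignore
# Strict-Transport-Security and Public-Key-Pins received over plain HTTP.
HTTPS_HEADERS = {
    "STS": "Strict-Transport-Security",
    "PKP": "Public-Key-Pins",
}


def check_headers(headers: dict, scheme: str) -> dict:
    """Return {abbrev: value or None} for each header relevant to `scheme`."""
    lowered = {name.lower(): value for name, value in headers.items()}
    expected = dict(HTTP_HEADERS)
    if scheme == "https":
        expected.update(HTTPS_HEADERS)
    result = {}
    for abbrev, name in expected.items():
        value = lowered.get(name.lower())
        result[abbrev] = value if value else None
    return result


def missing_headers(headers: dict, scheme: str) -> list:
    """Sorted abbreviations of the relevant headers that are absent or empty."""
    return sorted(a for a, v in check_headers(headers, scheme).items() if v is None)


# Constructed sample response headers for demonstration only.
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "X-Frame-Options": "SAMEORIGIN",
    "x-content-type-options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-XSS-Protection": "",  # present but empty: counted as missing
}

if __name__ == "__main__":
    for scheme in ("http", "https"):
        print(scheme, "missing:", missing_headers(SAMPLE_HEADERS, scheme))
```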

This results in the following scoring matrix, which you can view in full on Google Docs, complete with various examples.

scoring matrix


Feedback

In the near future I'm looking at adding support for other headers, like the Set-Cookie header, to check for flags such as Secure and HttpOnly, and the Access-Control-Allow-Origin header too. If you have any feedback, suggestions, ideas or comments, please drop them in the comment section below!

About Scott Helme