Scoring transparency for securityheaders.io

The new version of my HTTP header analysing service, https://securityheaders.io, was launched a little over a month ago and is doing really well! To ease myself into the New Year, I thought I'd start with a nice, simple blog post outlining the scoring criteria for each grade.


I launched the original version of securityheaders.io almost a year ago and whilst fairly basic, it was functional and gave feedback on various HTTP response headers. For the second version I wanted to go a step further and I really loved the A+ through F grading system on the SSL Test built by Ivan Ristić, so I wanted to implement something similar. That is now up and running and you can head over and see the various scores that you can achieve, along with examples of them, on the main page.

Security Headers main page


Scoring

Given that the site seems to be gaining some traction, and based on feedback I've received, I wanted to open up the scoring criteria so it was a little more transparent. The scoring is fairly simple: there are only 4 headers I'm currently checking for over HTTP connections, and over HTTPS connections those same 4 plus 2 more, making 6 in total for now.

HTTP headers

  • CSP (Content-Security-Policy)
  • XFO (X-Frame-Options)
  • XCTO (X-Content-Type-Options)
  • XXSSP (X-XSS-Protection)

HTTPS additional headers

  • STS (Strict-Transport-Security)
  • PKP (Public-Key-Pins)


This results in the following scoring matrix which you can view in full on Google Docs here and contains various examples.

scoring matrix


Feedback

In the near future I'm looking at adding support for other headers like the Set-Cookie header, to check for flags like Secure and HttpOnly, and the Access-Control-Allow-Origin header too. If you have any feedback, suggestions, ideas or comments, please drop them in the comment section below!
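As an added example (not securityheaders.io's own code), here is a small offline checker that does the two things this post describes: it looks for the 4 headers checked on every response plus the 2 extra ones checked over HTTPS, and it performs the planned Set-Cookie check for the Secure and HttpOnly flags. The grade mapping itself lives in the scoring matrix and is not reproduced here; the checker only reports which headers are present or missing. The raw response below is constructed for the example, not a real capture, and the function names are my own.

```python
"""Added example: presence check for the headers securityheaders.io scores,
plus the planned Set-Cookie flag check. Not the service's own code."""
from typing import Dict, List, Tuple

# Headers checked on every response, HTTP or HTTPS.
HTTP_HEADERS = (
    "Content-Security-Policy",    # CSP
    "X-Frame-Options",            # XFO
    "X-Content-Type-Options",     # XCTO
    "X-XSS-Protection",           # XXSSP
)
# Checked in addition over HTTPS; browsers ignore them on plain HTTP.
HTTPS_ONLY_HEADERS = (
    "Strict-Transport-Security",  # STS
    "Public-Key-Pins",            # PKP
)

# Constructed sample response (not a real capture): deliberately lacks
# X-XSS-Protection and Public-Key-Pins, and sets one cookie without flags.
SAMPLE_HTTPS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "content-security-policy: default-src 'self'\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Set-Cookie: session=abc123; Path=/; Secure; HttpOnly\r\n"
    "Set-Cookie: prefs=dark; Path=/\r\n"
    "\r\n"
    "<html></html>"
)


def parse_response_headers(raw: str) -> List[Tuple[str, str]]:
    """Split the header block of a raw HTTP response into (name, value) pairs.

    Duplicates are kept (Set-Cookie legitimately repeats) and order is
    preserved. Names are lower-cased because header names are
    case-insensitive, so a server sending 'content-security-policy'
    must count the same as one sending 'Content-Security-Policy'.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        pairs.append((name.strip().lower(), value.strip()))
    return pairs


def check_security_headers(raw: str, https: bool) -> Dict[str, List[str]]:
    """Report which of the scored headers are present and which are missing.

    Over HTTPS the two transport-only headers are added to the expected set.
    """
    names = {n for n, _ in parse_response_headers(raw)}
    expected = list(HTTP_HEADERS) + (list(HTTPS_ONLY_HEADERS) if https else [])
    return {
        "present": [h for h in expected if h.lower() in names],
        "missing": [h for h in expected if h.lower() not in names],
    }


def check_cookie_flags(raw: str) -> Dict[str, List[str]]:
    """For each Set-Cookie header, list the flags (Secure, HttpOnly) it lacks.

    Attribute names are compared case-insensitively; a cookie with an empty
    list has both flags.
    """
    findings: Dict[str, List[str]] = {}
    for name, value in parse_response_headers(raw):
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        findings[cookie_name] = [
            flag for flag in ("Secure", "HttpOnly") if flag.lower() not in attrs
        ]
    return findings


if __name__ == "__main__":
    print(check_security_headers(SAMPLE_HTTPS_RESPONSE, https=True))
    print(check_cookie_flags(SAMPLE_HTTPS_RESPONSE))
```

Run against the constructed response, the HTTPS check reports X-XSS-Protection and Public-Key-Pins as missing, while the same response checked as plain HTTP only reports X-XSS-Protection, and the cookie check flags the prefs cookie for lacking both Secure and HttpOnly. One caveat for anyone adapting this today: Public-Key-Pins has since been removed from all major browsers, so its presence no longer buys any protection.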


Scott.
Short URL: https://scotthel.me/stsh

About Scott
Researcher, blogger and international speaker. I'm the creator of report-uri.io and securityheaders.io, free tools to help improve online security.