# Scoring
This document describes how sites are graded and scored.
## Letter grade

The letter grade is determined first; a numeric score (ratingInt) is then computed from the grade plus the success, failure and software-penalty adjustments described below.

Grades are assigned top-down; the first matching rule wins.

| Grade | Condition |
|---|---|
| Z | No TLS at all |
| T | Expired, self-signed, hostname mismatch, or untrusted certificate |
| F | RSA key < 1024 bits |
| F | No TLS 1.2 or 1.3 (legacy only) |
| C | SHA1 certificate |
| B | RSA key < 2048 bits |
| B | Cipher strength < 128 bits |
| B | TLS 1.0 or 1.1 supported |
| B | RC4 supported |
| A+ | PFS + no Sweet32 + no key compromise + HSTS (long max-age) + TLS 1.3 |
| A | PFS + no Sweet32 + no key compromise |
| A- | Everything else (modern TLS but minor issues) |
EC and Ed25519 keys are not penalized for size (different security model than RSA).
## Numeric score (ratingInt)

The base score starts from the letter grade: 100 times the ASCII code of the grade's first letter, minus 50 for a "+" modifier or plus 50 for a "-" modifier.

```
base = 100 * ASCII(grade[0])

A+ → 6500 - 50 = 6450
A  → 6500
A- → 6500 + 50 = 6550
B  → 6600
...
```

Then adjustments are applied:

```
ratingInt = base
          - successScore
          + failureScore
          + softwarePenalty
```

Lower ratingInt is better.

### Success score (subtracted from base)

Each success subtracts points (improving the score).

| JSON field | Points | Description |
|---|---|---|
| autoRedirectsToSsl | 1 | HTTP → HTTPS redirect |
| certificateOrgMatchesRealOrganization | 1 | Cert org matches site org |
| contentSecurityPolicySuccess | 2 | CSP header present |
| daneTlsa | 1 | DANE/TLSA records exist |
| dnsCaa | 1 | DNS CAA records present |
| dnsSecSupported | 1 | DNSSEC validated (AD flag) |
| hpkpSuccess | 1 | HPKP (deprecated, legacy) |
| hstsSuccess | 1 | HSTS with max-age ≥ 6 months |
| hstsPreloaded | 1 | On HSTS preload list |
| ipv6Supported | 1 | AAAA record exists |
| ocspStaplingSuccess | 1 | OCSP stapling enabled |
| pfsSuccess | 1 | Forward secrecy supported |
| securityTxtSuccess | 1 | security.txt present |
| tls12Success | 1 | TLS 1.2 supported |
| tls13Success | 1 | TLS 1.3 supported |
| validationType = "E" | 2 | EV certificate |
| validationType = "D" | 1 | DV certificate |

### Failure score (added to base)

Each failure adds points (worsening the score).

| JSON field | Points | Description |
|---|---|---|
| bleichenbacherVulnerably | 1 | Bleichenbacher |
| diffieVulnerably | 1 | Weak DH params |
| drownVulnerably | 1 | DROWN |
| freakVulnerably | 1 | FREAK |
| goldenDoodleVulnerable | 1 | GOLDENDOODLE |
| heartbleedVulnerably | 1 | Heartbleed |
| keyCompromiseImpersonationVulnerably | 1 | Key compromise |
| logJamVulnerably | 1 | Logjam |
| openSslCcsVulnerably | 1 | OpenSSL CCS |
| openSslLuckyMinus20Vulnerably | 1 | Lucky Minus 20 |
| poodleVulnerably | 1 | POODLE |
| rc4Vulnerably | 1 | RC4 |
| sha1Vulnerably | 1 | SHA1 signature |
| sleepingPoodleVulnerable | 1 | Sleeping POODLE |
| ssl2Vulnerably | 1 | SSL 2.0 |
| ssl3Vulnerably | 1 | SSL 3.0 |
| sweet32Vulnerably | 1 | Sweet32 |
| ticketbleedVulnerably | 1 | Ticketbleed |
| tls10Vulnerably | 1 | TLS 1.0 supported |
| tls11Vulnerably | 1 | TLS 1.1 supported |
| zeroLengthPaddingOracleVulnerable | 1 | Zero-length padding |
| zombiePoodleVulnerable | 1 | Zombie POODLE |

### Software penalty (added to base)

| Condition | Points |
|---|---|
| serverSoftwareIsOutdated | +25 |
| serverSoftwareIsOld | +50 |

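The grade rules and the ratingInt formula above, worked through in one place as an added example (not the project's own code). Record keys are this page's JSON field names; the `noTls` key (the page names no field for "no TLS at all"), reading `hstsSuccess` as "HSTS with a long max-age", treating the software penalties as additive when both are set, and the ±50 for a "+"/"-" modifier (inferred from the A+/A- values) are assumptions.

```python
SUCCESS_POINTS = {
    "autoRedirectsToSsl": 1, "certificateOrgMatchesRealOrganization": 1,
    "contentSecurityPolicySuccess": 2, "daneTlsa": 1, "dnsCaa": 1,
    "dnsSecSupported": 1, "hpkpSuccess": 1, "hstsSuccess": 1, "hstsPreloaded": 1,
    "ipv6Supported": 1, "ocspStaplingSuccess": 1, "pfsSuccess": 1,
    "securityTxtSuccess": 1, "tls12Success": 1, "tls13Success": 1,
}
FAILURE_FIELDS = (  # each flagged failure adds 1 point
    "bleichenbacherVulnerably diffieVulnerably drownVulnerably freakVulnerably "
    "goldenDoodleVulnerable heartbleedVulnerably keyCompromiseImpersonationVulnerably "
    "logJamVulnerably openSslCcsVulnerably openSslLuckyMinus20Vulnerably "
    "poodleVulnerably rc4Vulnerably sha1Vulnerably sleepingPoodleVulnerable "
    "ssl2Vulnerably ssl3Vulnerably sweet32Vulnerably ticketbleedVulnerably "
    "tls10Vulnerably tls11Vulnerably zeroLengthPaddingOracleVulnerable zombiePoodleVulnerable").split()

def letter_grade(r):
    """Walk the grade table top-down; the first matching rule wins."""
    if r.get("noTls"):  # assumed key: the page names no field for "no TLS at all"
        return "Z"
    if any(r.get(k) for k in ("certExpired", "certSelfSigned", "certHostnameMismatch", "certUntrusted")):
        return "T"
    rsa = r.get("certKeyType") == "RSA"  # EC/Ed25519 key sizes are not penalized
    if (rsa and r["certKeySize"] < 1024) or not (r.get("tls12Success") or r.get("tls13Success")):
        return "F"
    if r.get("sha1Vulnerably"):
        return "C"
    if (rsa and r["certKeySize"] < 2048) or r["cipherStrength"] < 128 or any(
            r.get(k) for k in ("tls10Vulnerably", "tls11Vulnerably", "rc4Vulnerably")):
        return "B"
    modern = (r.get("pfsSuccess") and not r.get("sweet32Vulnerably")
              and not r.get("keyCompromiseImpersonationVulnerably"))
    if modern and r.get("hstsSuccess") and r.get("tls13Success"):  # hstsSuccess = long max-age
        return "A+"
    return "A" if modern else "A-"

def rating_int(r, grade):
    """base - successScore + failureScore + softwarePenalty; lower is better."""
    base = 100 * ord(grade[0]) + {"+": -50, "-": 50}.get(grade[1:], 0)  # A+ 6450, A 6500, A- 6550
    success = sum(p for k, p in SUCCESS_POINTS.items() if r.get(k))
    success += {"E": 2, "D": 1}.get(r.get("validationType"), 0)
    failure = sum(1 for k in FAILURE_FIELDS if r.get(k))
    software = 25 * bool(r.get("serverSoftwareIsOutdated")) + 50 * bool(r.get("serverSoftwareIsOld"))
    return base - success + failure + software

SAMPLE = {  # constructed record: modern TLS with HSTS, one flagged weakness, outdated software
    "certKeyType": "RSA", "certKeySize": 2048, "cipherStrength": 256, "validationType": "D",
    "tls12Success": True, "tls13Success": True, "pfsSuccess": True, "hstsSuccess": True,
    "autoRedirectsToSsl": True, "contentSecurityPolicySuccess": True,
    "ticketbleedVulnerably": True, "serverSoftwareIsOutdated": True}
print(letter_grade(SAMPLE), rating_int(SAMPLE, letter_grade(SAMPLE)))  # A+ 6468
```

The sample lands on A+ (6450), earns 8 success points, carries one failure point and a 25-point software penalty, so 6450 - 8 + 1 + 25 = 6468.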
## Informational fields (no scoring)

These fields are present in the JSON but do not affect the score directly:

| JSON field | Description |
|---|---|
| certExpired | Certificate is expired (caps grade to T) |
| certSelfSigned | Certificate is self-signed (caps grade to T) |
| certHostnameMismatch | Hostname mismatch (caps grade to T) |
| certUntrusted | Untrusted root CA (caps grade to T) |
| chainIssues | Chain problems (array of strings) |
| certKeyType | Key type (RSA, ECDSA, Ed25519) |
| certKeySize | Key size in bits |
| cipherStrength | Symmetric cipher bits |
| hstsHeader | Parsed HSTS header (maxAge, includeSubDomains, preload) |
| keyExchangeCurveName | ECDHE curve name (e.g. X25519, P-256) |
| sessionResumptionSuccess | Session resumption works |
| sessionTicketSupported | Session ticket support |
| sessionIDSupported | Session ID support |