HTTP Observatory Scoring Methodology
It is difficult to assign an objective value to a subjective question such as "How bad is not implementing HTTP Strict Transport Security?" In addition, what may be unnecessary for one site — such as implementing Content Security Policy — might mitigate important risks for another. The scores and grades offered by the Mozilla Observatory are designed to alert developers when they're not taking advantage of the latest web security features. Individual developers will need to determine which ones are appropriate for their sites.
This page outlines the scoring methodology and grading system Observatory uses, before listing all of the specific tests along with their score modifiers.
Scoring Methodology
All websites start with a baseline score of 100, which is then modified with penalties and/or bonuses resulting from the tests. The scoring is done across two rounds:
- The baseline score has the penalty points deducted from it.
- If the resulting score is 90 (A) or greater, the bonuses are then added to it. You can think of the bonuses as extra credit for going above and beyond the call of duty in defending your website.
Each site tested by Observatory is awarded a grade based on its final score after the two rounds. The minimum score is 0, and the highest possible score in the HTTP Observatory is currently 145.
Grading Chart
Scoring Range | Grade |
---|---|
100+ | A+ |
90-99 | A |
85-89 | A- |
80-84 | B+ |
70-79 | B |
65-69 | B- |
60-64 | C+ |
50-59 | C |
45-49 | C- |
40-44 | D+ |
30-39 | D |
25-29 | D- |
0-24 | F |
The letter grade ranges and modifiers are essentially arbitrary; however, they are based on feedback from industry professionals on how important passing or failing a given test is likely to be.
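The two scoring rounds and the grading chart above, as an added worked example (not Observatory's own code). The modifier table is a subset of the values listed further down this page; the bonus threshold of 90, the clamp to 0 and the grade boundaries are taken from the text above, and any result id outside the subset is rejected rather than silently scored.

```python
"""Score a list of HTTP Observatory test results as this page describes.

Added example, not Observatory's own implementation. MODIFIERS is a
subset of the (test result, modifier) pairs listed on this page.
"""

MODIFIERS = {
    "csp-implemented-with-no-unsafe-default-src-none": 10,
    "csp-implemented-with-unsafe-eval": -10,
    "csp-not-implemented": -25,
    "cookies-secure-with-httponly-sessions-and-samesite": 5,
    "cookies-session-without-secure-flag": -40,
    "cross-origin-resource-sharing-not-implemented": 0,
    "cross-origin-resource-sharing-implemented-with-universal-access": -50,
    "redirection-to-https": 0,
    "referrer-policy-private": 5,
    "hsts-preloaded": 5,
    "hsts-not-implemented": -20,
    "sri-implemented-and-external-scripts-loaded-securely": 5,
    "x-content-type-options-nosniff": 0,
    "x-frame-options-implemented-via-csp": 5,
    "corp-implemented-with-same-origin": 10,
}

# Grading chart from this page: (minimum score, grade), highest first.
GRADES = [(100, "A+"), (90, "A"), (85, "A-"), (80, "B+"), (70, "B"),
          (65, "B-"), (60, "C+"), (50, "C"), (45, "C-"), (40, "D+"),
          (30, "D"), (25, "D-"), (0, "F")]

BASELINE = 100
BONUS_THRESHOLD = 90   # bonuses only count if round 1 leaves an A


def score(results):
    """Return (score, grade) for a list of test result ids."""
    unknown = [r for r in results if r not in MODIFIERS]
    if unknown:
        raise ValueError(f"unknown test result(s): {unknown}")
    mods = [MODIFIERS[r] for r in results]
    penalties = sum(m for m in mods if m < 0)
    bonuses = sum(m for m in mods if m > 0)
    total = BASELINE + penalties            # round 1: deduct penalties
    if total >= BONUS_THRESHOLD:
        total += bonuses                    # round 2: extra credit
    total = max(0, total)                   # the minimum score is 0
    grade = next(g for floor, g in GRADES if total >= floor)
    return total, grade
```

With every bonus in the subset and no penalties the function returns 145, the maximum the page states; a single csp-not-implemented result drops round 1 to 75, so none of the bonuses are applied.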
Tests and Score Modifiers
Note: Over time, the modifiers may change as baselines shift or new cutting-edge defensive security technologies are created. The bonuses (positive modifiers) are specifically designed to encourage people to adopt new security technologies or tackle difficult implementation challenges.
Content Security Policy (CSP)
See Content Security Policy (CSP) for guidance.
Test result | Description | Modifier |
---|---|---|
csp-implemented-with-no-unsafe-default-src-none | Content Security Policy (CSP) implemented with default-src 'none' and no unsafe sources | 10 |
csp-implemented-with-no-unsafe | Content Security Policy (CSP) implemented without unsafe sources | 5 |
csp-implemented-with-unsafe-inline-in-style-src-only | Content Security Policy (CSP) implemented with unsafe sources inside style-src only | 0 |
csp-implemented-with-insecure-scheme-in-passive-content-only | Content Security Policy (CSP) implemented, but secure site allows images or media to be loaded over HTTP | -10 |
csp-implemented-with-unsafe-eval | Content Security Policy (CSP) implemented, but allows 'unsafe-eval' | -10 |
csp-implemented-with-unsafe-inline | Content Security Policy (CSP) implemented unsafely, including 'unsafe-inline' outside style-src | -20 |
csp-implemented-with-insecure-scheme | Content Security Policy (CSP) implemented, but secure site allows resources to be loaded over HTTP | -20 |
csp-implemented-but-duplicate-directives | Content Security Policy (CSP) implemented, but contains duplicate directives. | 0 |
csp-header-invalid | Content Security Policy (CSP) header cannot be parsed successfully | -25 |
csp-not-implemented | Content Security Policy (CSP) header not implemented | -25 |
csp-not-implemented-but-reporting-enabled | Content Security Policy (CSP) reporting implemented only, with Content-Security-Policy-Report-Only | -25 |
Cookies
See Cookies for guidance.
Test result | Description | Modifier |
---|---|---|
cookies-secure-with-httponly-sessions-and-samesite | All cookies use the Secure flag, all session cookies use the HttpOnly flag, and cross-origin restrictions are in place via the SameSite flag | 5 |
cookies-secure-with-httponly-sessions | All cookies use the Secure flag, and all session cookies use the HttpOnly flag | 0 |
cookies-not-found | No cookies detected | 0 |
cookies-without-secure-flag-but-protected-by-hsts | Cookies set without using the Secure flag, but protected by HSTS | -5 |
cookies-session-without-secure-flag-but-protected-by-hsts | Session cookie set without the Secure flag, but protected by HSTS | -10 |
cookies-without-secure-flag | Cookies set without using the Secure flag or set over HTTP | -20 |
cookies-samesite-flag-invalid | Cookies use the SameSite flag, but set to an invalid value | -20 |
cookies-anticsrf-without-samesite-flag | Anti-CSRF tokens set without using the SameSite flag | -20 |
cookies-session-without-httponly-flag | Session cookie set without using the HttpOnly flag | -30 |
cookies-session-without-secure-flag | Session cookie set without using the Secure flag or set over HTTP. | -40 |
Cross Origin Resource Sharing (CORS)
See Cross Origin Resource Sharing (CORS) for guidance.
Test result | Description | Modifier |
---|---|---|
cross-origin-resource-sharing-not-implemented | Content is not visible via cross-origin resource sharing (CORS) files or headers. | 0 |
cross-origin-resource-sharing-implemented-with-public-access | Public content is visible via cross-origin resource sharing (CORS) files or headers. | 0 |
cross-origin-resource-sharing-implemented-with-restricted-access | Content is visible via cross-origin resource sharing (CORS) files or headers, but is restricted to specific domains. | 0 |
cross-origin-resource-sharing-implemented-with-universal-access | Content is visible via cross-origin resource sharing (CORS) files or headers, and credentials can be sent. Your site could be vulnerable to CSRF attacks. | -50 |
Redirection
See Redirection for guidance.
Test result | Description | Modifier |
---|---|---|
redirection-all-redirects-preloaded | All hosts redirected to are in the HTTP Strict Transport Security (HSTS) preload list. | 0 |
redirection-to-https | Initial redirection is to HTTPS on same host, final destination is HTTPS | 0 |
redirection-not-needed-no-http | Not able to connect via HTTP, so no redirection necessary. | 0 |
redirection-off-host-from-http | Initial redirection from HTTP to HTTPS is to a different host, preventing HSTS. | -5 |
redirection-not-to-https-on-initial-redirection | Redirects to HTTPS eventually, but initial redirection is to another HTTP URL. | -10 |
redirection-not-to-https | Redirects, but final destination is not an HTTPS URL. | -20 |
redirection-missing | Does not redirect to an HTTPS site. | -20 |
redirection-invalid-cert | Invalid certificate chain encountered during redirection. | -20 |
Referrer Policy
See Referrer Policy for guidance.
Test result | Description | Modifier |
---|---|---|
referrer-policy-private | Referrer-Policy header set to no-referrer, same-origin, strict-origin, or strict-origin-when-cross-origin | 5 |
referrer-policy-not-implemented | Referrer-Policy header not implemented | 0 |
referrer-policy-unsafe | Referrer-Policy header set to an unsafe value such as unsafe-url | -5 |
referrer-policy-header-invalid | Referrer-Policy header cannot be parsed successfully | -5 |
Strict Transport Security (HSTS)
See Strict Transport Security (HSTS) for guidance.
Test result | Description | Modifier |
---|---|---|
hsts-preloaded | Preloaded via the HTTP Strict Transport Security (HSTS) preloading process. | 5 |
hsts-implemented-max-age-at-least-six-months | HTTP Strict Transport Security (HSTS) header set with a max-age of at least six months | 0 |
hsts-implemented-max-age-less-than-six-months | HTTP Strict Transport Security (HSTS) header set with a max-age of less than six months | -10 |
hsts-not-implemented | HTTP Strict Transport Security (HSTS) header not implemented | -20 |
hsts-header-invalid | HTTP Strict Transport Security (HSTS) header cannot be parsed successfully | -20 |
hsts-not-implemented-no-https | HTTP Strict Transport Security (HSTS) header cannot be set, as the site is not available over HTTPS | -20 |
hsts-invalid-cert | HTTP Strict Transport Security (HSTS) header cannot be set, as the site presents an invalid certificate chain | -20 |
Subresource Integrity
See Subresource Integrity for guidance.
Test result | Description | Modifier |
---|---|---|
sri-implemented-and-all-scripts-loaded-securely | Subresource Integrity (SRI) is implemented and all scripts are loaded from a similar origin. | 5 |
sri-implemented-and-external-scripts-loaded-securely | Subresource Integrity (SRI) is implemented and all scripts are loaded securely. | 5 |
sri-not-implemented-response-not-html | Subresource Integrity (SRI) is only needed for HTML resources. | 0 |
sri-not-implemented-but-no-scripts-loaded | Subresource Integrity (SRI) is not needed since site contains no script tags. | 0 |
sri-not-implemented-but-all-scripts-loaded-from-secure-origin | Subresource Integrity (SRI) not implemented, but all scripts are loaded from a similar origin. | 0 |
sri-not-implemented-but-external-scripts-loaded-securely | Subresource Integrity (SRI) not implemented, but all external scripts are loaded over HTTPS. | -5 |
sri-implemented-but-external-scripts-not-loaded-securely | Subresource Integrity (SRI) implemented, but external scripts are loaded over HTTP or use protocol-relative URLs (src="//...") | -20 |
sri-not-implemented-and-external-scripts-not-loaded-securely | Subresource Integrity (SRI) not implemented, and external scripts are loaded over HTTP or use protocol-relative URLs (src="//...") | -50 |
X-Content-Type-Options
See X-Content-Type-Options for guidance.
Test result | Description | Modifier |
---|---|---|
x-content-type-options-nosniff | X-Content-Type-Options header set to nosniff | 0 |
x-content-type-options-header-invalid | X-Content-Type-Options header cannot be recognized | -5 |
x-content-type-options-not-implemented | X-Content-Type-Options header not implemented | -5 |
X-Frame-Options
See X-Frame-Options for guidance.
Test result | Description | Modifier |
---|---|---|
x-frame-options-implemented-via-csp | X-Frame-Options (XFO) implemented via the Content Security Policy (CSP) frame-ancestors directive | 5 |
x-frame-options-sameorigin-or-deny | X-Frame-Options (XFO) header set to SAMEORIGIN or DENY | 0 |
x-frame-options-allow-from-origin | X-Frame-Options (XFO) header uses the ALLOW-FROM uri directive | 0 |
x-frame-options-not-implemented | X-Frame-Options (XFO) header not implemented | -20 |
x-frame-options-header-invalid | X-Frame-Options (XFO) header cannot be recognized | -20 |
Cross Origin Resource Policy
See Cross Origin Resource Policy for guidance.
Test result | Description | Modifier |
---|---|---|
corp-not-implemented | Cross Origin Resource Policy (CORP) is not implemented (defaults to cross-origin) | 0 |
corp-implemented-with-same-origin | Cross Origin Resource Policy (CORP) implemented, prevents leaks into cross-origin contexts. | 10 |
corp-implemented-with-same-site | Cross Origin Resource Policy (CORP) implemented, prevents leaks into cross-site contexts. | 10 |
corp-implemented-with-cross-origin | Cross Origin Resource Policy (CORP) implemented, but allows cross-origin resource sharing by default. | 0 |
corp-header-invalid | Cross-Origin-Resource-Policy (CORP) header cannot be recognized. | -5 |