The importance of security should be straightforward: it keeps your site safe from cyberattacks. This report shows where you can improve in order to keep your page as secure as possible.
See how Wattspeed checks your security and why it is so important.
HTTP security headers strengthen a website's security. They help prevent cross-site scripting attacks and other threats.
Security headers can prevent or restrict what the browser is allowed to do. Limiting browser functionality is not meant to restrict your application, but rather to make sure that content is loaded only from intended sources and that, overall, the application behaves the way it was supposed to.
- Strict-Transport-Security: HSTS header forces browsers to access the website through HTTPS.
- Content-Security-Policy: CSP header defines allowed sources by content type (e.g. text, images), helping against certain types of attacks, like Cross-Site Scripting (XSS) and data injection attacks.
- X-Frame-Options: XFO header indicates whether the website allows the browser to render its pages in a frame. Blocking framing avoids clickjacking attacks. The frame-ancestors directive defined in Content-Security-Policy obsoletes this header for supporting browsers.
- X-Content-Type-Options: The server uses this header to indicate that the MIME types given in Content-Type headers should be respected and not changed, which prevents MIME type sniffing.
- Referrer-Policy: controls which referrer information should be included with requests.
- Permissions-Policy: allows or blocks browser features and APIs (e.g. camera access, Geolocation).
How we calculate your security headers score
The security scan looks for a list of 6 response headers and checks whether each header was sent by the server. Points are awarded according to the weight of each header that is set, except for the Strict-Transport-Security header, which is excluded over an HTTP connection.
The highest grade you can get is an A+ and the lowest is an F.
- A+ for a score equal to or higher than 100
- A for a score equal to or higher than 75
- B for a score equal to or higher than 60
- C for a score equal to or higher than 50
- D for a score equal to or higher than 20
- E for a score equal to or higher than 10
- F for a score equal to or higher than 0
Security headers are scored as follows:
- Strict-Transport-Security adds 25 points
- Content-Security-Policy adds 25 points
- X-Frame-Options adds 20 points
- X-Content-Type-Options adds 10 points
- Referrer-Policy adds 10 points
- Permissions-Policy adds 10 points
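To make the scoring rules above concrete, here is an added Python example (not Wattspeed's own code) that computes the score and grade from a response's headers, applying the HTTP exclusion for Strict-Transport-Security; it also shows that over plain HTTP the best attainable score is 75 (grade A).

```python
from typing import Dict, List, Tuple

# Points per header, as listed on this page.
HEADER_POINTS = {
    "strict-transport-security": 25,
    "content-security-policy": 25,
    "x-frame-options": 20,
    "x-content-type-options": 10,
    "referrer-policy": 10,
    "permissions-policy": 10,
}
# Grade thresholds from this page (minimum score), highest first.
GRADE_THRESHOLDS = [("A+", 100), ("A", 75), ("B", 60), ("C", 50),
                    ("D", 20), ("E", 10), ("F", 0)]

def grade_for(score: int) -> str:
    """Map a score to its letter grade using the thresholds above."""
    for grade, minimum in GRADE_THRESHOLDS:
        if score >= minimum:
            return grade
    return "F"

def score_security_headers(headers: Dict[str, str],
                           scheme: str = "https") -> Tuple[int, str, List[str]]:
    """Return (score, grade, missing header names) for one response.

    Header names compare case-insensitively, as HTTP header names do.
    Over plain HTTP, Strict-Transport-Security is excluded from the scan,
    so it neither scores points nor is reported as missing.
    """
    present = {name.lower() for name in headers}
    score, missing = 0, []
    for name, points in HEADER_POINTS.items():
        if name == "strict-transport-security" and scheme.lower() != "https":
            continue
        if name in present:
            score += points
        else:
            missing.append(name)
    return score, grade_for(score), missing

if __name__ == "__main__":
    # Constructed sample response: only three of the six headers are set.
    sample = {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "strict-origin-when-cross-origin",
    }
    print(score_security_headers(sample))
    # -> (45, 'D', ['content-security-policy', 'x-frame-options', 'permissions-policy'])
```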
Information about the certificate chain and validity.
Testing SSL involves a series of checks; the main aspects targeted are the certificate chain and the server configuration (protocols and ciphers).
How do we score a website's SSL scan?
The standard grading runs from A+ to F; however, there is an additional grade (T) when a certificate is not trusted. Certificates act as proof of identity for a server and are used to confirm that communication endpoints really are who they say they are. If this verification fails, the whole connection is open to a man-in-the-middle attack, regardless of how good the server configuration is.
Grades are awarded as follows:
- A+ for a score equal to or higher than 95
- A for a score equal to or higher than 80
- B for a score equal to or higher than 65
- C for a score equal to or higher than 50
- D for a score equal to or higher than 35
- E for a score equal to or higher than 20
- F for a score equal to or higher than 0
An incorrect certificate brings the total score to 0.