A grade you can't interrogate is marketing, not measurement. This page documents exactly how the free domain security scan computes its A–F grade — the same logic that runs every scan, so it can't drift from what's described here.
Security response headers, SSL/TLS setup, DNS-based email authentication (SPF/DMARC), bot-protection/WAF presence, server information exposure, IP reputation (with a CDN-aware exception — see below), WordPress-specific exposure checks when applicable, and response time. Everything below the score is transparent in the report itself: every deduction has a labeled reason.
A header existing doesn't mean it's protecting anything. A naive scanner treats "SPF record found" as a pass — even if that record is v=spf1 +all, which explicitly permits any server to send email as you. That's not a partial pass; it's worse than having no SPF record at all, because it looks configured while providing zero protection. We parse the actual policy:
SPF — graded by the terminal mechanism
-all (hard fail) and ~all (soft fail) pass cleanly. ?all (neutral) is a warning. +all (anyone may send) is flagged critical — explicitly called out as worse than no record.
DMARC — graded by enforcement policy
p=reject and p=quarantine at 100% pass. p=none is flagged as monitor-only — it collects reports but enforces nothing. Partial enforcement (pct= below 100) is noted explicitly.
CSP — graded by directive strength
A policy present but including unsafe-inline, unsafe-eval, or a wildcard source is flagged as "present but weakened," not a clean pass. Still better than nothing — just not treated as equivalent to a strict nonce/hash-based policy.
HSTS — graded by max-age and scope
A max-age under ~6 months is flagged as too short to meaningfully protect against downgrade attacks, even though the header is technically present. Missing includeSubDomains is noted as a minor gap, not a failure.
Grade starts at 100 and deducts per finding. Most critical findings cost 18 points, warnings cost 7 — but not every "critical" gap costs the same:
| Header | Weight | Why |
|---|---|---|
| HTTPS enabled | Critical · 18 pts | Cheap to fix, no downside — full weight. |
| HSTS | Critical · 18 pts | Quality-graded: max-age must be ≥ 6 months, includeSubDomains checked. |
| X-Frame-Options | Critical · 18 pts | Cheap to fix, no downside — full weight. |
| Content-Security-Policy | Critical · 12 pts | Genuinely critical, but the header most legitimately hard to deploy correctly on a complex site — see below. |
| X-Content-Type-Options, Referrer-Policy, Permissions-Policy | Warning · 7 pts each | Real gaps, lower severity. |
Why CSP is weighted lower than HTTPS/HSTS/X-Frame-Options despite being "critical": missing HTTPS is close to indefensible in 2026 — certificates are free, and there's no legitimate reason not to have it. A correct CSP, by contrast, is genuinely difficult on any site with third-party analytics, ads, embeds, or widgets — treating "no CSP" as identically severe to "no HTTPS" overstates the gap and reads as unfair to a security-literate reader. We still count it as critical (it matters), just not at the same weight.
A resolved DNS A record often isn't the site's own server — for any domain behind Cloudflare, Akamai, Fastly, or AWS CloudFront, it's the CDN's shared edge IP. Scoring IP reputation against that address measures the CDN provider's shared-IP history, not the site owner's actual security posture — which is misleading and would unfairly penalize (or credit) a site for something entirely outside its control.
We detect this two ways: primarily via response headers (Cloudflare's cf-ray, for example), falling back to known CDN IP ranges when headers are stripped. When a CDN is detected, IP reputation is neither penalized nor credited — the report shows an explicit "Origin IP masked behind [provider]" entry instead, so it's visible as a deliberate exception, not a silent gap.
This is the same category of tool as Mozilla Observatory and SecurityHeaders.com — grading security posture from response headers and DNS records. We're not claiming certification or equivalence to either; Observatory's scoring weights are public and peer-reviewed over years, ours is our own methodology, documented here for the same reason theirs is public: so you can audit exactly why you got the grade you got. What this scan adds on top: IP threat reputation, SPF/DMARC/CMS-specific checks, and an AI-generated plain-English writeup grounded strictly in the findings above — not invented risk beyond what the data shows.
See your own grade
Run a free scan