DruxAI
DruxShield

Methodology

A grade you can't interrogate is marketing, not measurement. This page documents exactly how the free domain security scan computes its A–F grade — the same logic that runs every scan, so it can't drift from what's described here.

What's checked

Security response headers, SSL/TLS setup, DNS-based email authentication (SPF/DMARC), bot-protection/WAF presence, server information exposure, IP reputation (with a CDN-aware exception — see below), WordPress-specific exposure checks when applicable, and response time. Everything below the score is transparent in the report itself: every deduction has a labeled reason.

Grading is quality-based, not presence-based

A header existing doesn't mean it's protecting anything. A naive scanner treats "SPF record found" as a pass — even if that record is v=spf1 +all, which explicitly permits any server to send email as you. That's not a partial pass; it's worse than having no SPF record at all, because it looks configured while providing zero protection. We parse the actual policy:

SPF — graded by the terminal mechanism

-all (hard fail) and ~all (soft fail) pass cleanly. ?all (neutral) is a warning. +all (anyone may send) is flagged critical — explicitly called out as worse than no record.

DMARC — graded by enforcement policy

p=reject and p=quarantine at 100% pass. p=none is flagged as monitor-only — it collects reports but enforces nothing. Partial enforcement (pct= below 100) is noted explicitly.

CSP — graded by directive strength

A policy present but including unsafe-inline, unsafe-eval, or a wildcard source is flagged as "present but weakened," not a clean pass. Still better than nothing — just not treated as equivalent to a strict nonce/hash-based policy.

HSTS — graded by max-age and scope

A max-age under ~6 months is flagged as too short to meaningfully protect against downgrade attacks, even though the header is technically present. Missing includeSubDomains is noted as a minor gap, not a failure.

Point deductions

Grade starts at 100 and deducts per finding. Most critical findings cost 18 points, warnings cost 7 — but not every "critical" gap costs the same:

HeaderWeightWhy
HTTPS enabledCritical · 18 ptsCheap to fix, no downside — full weight.
HSTSCritical · 18 ptsQuality-graded: max-age must be ≥ 6 months, includeSubDomains checked.
X-Frame-OptionsCritical · 18 ptsCheap to fix, no downside — full weight.
Content-Security-PolicyCritical · 12 ptsGenuinely critical, but the header most legitimately hard to deploy correctly on a complex site — see below.
X-Content-Type-Options, Referrer-Policy, Permissions-PolicyWarning · 7 pts eachReal gaps, lower severity.

Why CSP is weighted lower than HTTPS/HSTS/X-Frame-Options despite being "critical": missing HTTPS is close to indefensible in 2026 — certificates are free, and there's no legitimate reason not to have it. A correct CSP, by contrast, is genuinely difficult on any site with third-party analytics, ads, embeds, or widgets — treating "no CSP" as identically severe to "no HTTPS" overstates the gap and reads as unfair to a security-literate reader. We still count it as critical (it matters), just not at the same weight.

CDN-aware IP reputation

A resolved DNS A record often isn't the site's own server — for any domain behind Cloudflare, Akamai, Fastly, or AWS CloudFront, it's the CDN's shared edge IP. Scoring IP reputation against that address measures the CDN provider's shared-IP history, not the site owner's actual security posture — which is misleading and would unfairly penalize (or credit) a site for something entirely outside its control.

We detect this two ways: primarily via response headers (Cloudflare's cf-ray, for example), falling back to known CDN IP ranges when headers are stripped. When a CDN is detected, IP reputation is neither penalized nor credited — the report shows an explicit "Origin IP masked behind [provider]" entry instead, so it's visible as a deliberate exception, not a silent gap.

Where this sits relative to other tools

This is the same category of tool as Mozilla Observatory and SecurityHeaders.com — grading security posture from response headers and DNS records. We're not claiming certification or equivalence to either; Observatory's scoring weights are public and peer-reviewed over years, ours is our own methodology, documented here for the same reason theirs is public: so you can audit exactly why you got the grade you got. What this scan adds on top: IP threat reputation, SPF/DMARC/CMS-specific checks, and an AI-generated plain-English writeup grounded strictly in the findings above — not invented risk beyond what the data shows.

Limitations, honestly

  • A scan is a single snapshot with short timeouts — a momentary network blip or CDN challenge page can occasionally misrepresent a fine site. Re-run if a result looks off.
  • CMS detection is intentionally conservative (passive header signals only) to avoid false positives — some CMS installs won't be detected, and their admin-panel checks won't run.
  • The grade is a security-posture indicator, not a guarantee of safety or a compliance certification.

See your own grade

Run a free scan