It is difficult to assign an objective value to a subjective question such as "How bad is not implementing HTTP Strict Transport Security?" In addition, what may be unnecessary for one site — such as implementing Content Security Policy — might mitigate important risks for another. The scores and grades offered by the Mozilla Observatory are designed to alert developers when they're not taking advantage of the latest web security features. Individual developers will need to determine which ones are appropriate for their sites.
This page outlines the scoring methodology and grading system Observatory uses, before listing all of the specific tests along with their score modifiers.
All websites start with a baseline score of 100, which is then modified with penalties and/or bonuses resulting from the tests. The scoring is done across two rounds:
Each site tested by Observatory is awarded a grade based on its final score after the two rounds. The minimum score is 0, and the highest possible score in the HTTP Observatory is currently 145.
| Scoring Range | Grade |
|---|---|
| 100+ | A+ |
| 90-99 | A |
| 85-89 | A- |
| 80-84 | B+ |
| 70-79 | B |
| 65-69 | B- |
| 60-64 | C+ |
| 50-59 | C |
| 45-49 | C- |
| 40-44 | D+ |
| 30-39 | D |
| 25-29 | D- |
| 0-24 | F |
The letter grade ranges and modifiers are essentially arbitrary; however, they are based on feedback from industry professionals on how important passing or failing a given test is likely to be.
Note: Over time, the modifiers may change as baselines shift or new cutting-edge defensive security technologies are created. The bonuses (positive modifiers) are specifically designed to encourage people to adopt new security technologies or tackle difficult implementation challenges.