Website Health Score Methodology
How we calculate the health score for websites
Overview
The Website Health Score is calculated out of 100 points across six categories. Each category evaluates a different aspect of a website's security, performance, and infrastructure. Points are additive: a check that fails earns 0 for that row, and where a row is tiered (certificate expiry, response time) only the one matching tier counts.
1. HTTPS (20 points)
HTTPS encrypts traffic between the browser and the server, protecting data in transit from eavesdropping and tampering. This category only checks that the page is served over HTTPS; whether the certificate behind it is trustworthy is scored in the next category.
| Criteria | Points | Description |
|---|---|---|
| HTTPS Enabled | +20 | Website loads over HTTPS protocol |
2. SSL Certificate (20 points)
A valid TLS certificate (still commonly called an SSL certificate) that chains to a trusted root, matches the hostname, and is within its validity period lets the browser verify the site's identity. Without it, the encryption from category 1 stops passive eavesdropping but not an active man-in-the-middle. The expiry tiers below are mutually exclusive, so the category maximum is 20.
| Criteria | Points | Description |
|---|---|---|
| Valid Certificate | +10 | Certificate is valid and trusted by browsers |
| Expiry >30 days | +10 | Certificate won't expire soon |
| Expiry 7-30 days | +5 | Certificate expiring soon (warning) |
| Expiry <7 days | +0 | Certificate about to expire (critical) |
3. Security Headers (25 points)
HTTP security headers instruct the browser to enforce protections against common web vulnerabilities like XSS, clickjacking, and MIME sniffing. Points are awarded per header listed below. A header is only as strong as its value: an HSTS `max-age` of a few seconds, or a CSP that permits `'unsafe-inline'` scripts from any host, provides little real protection.
| Header | Points | Protection Against |
|---|---|---|
| Strict-Transport-Security (HSTS) | +5 | Forces HTTPS on later visits, prevents protocol downgrade and SSL-stripping attacks |
| Content-Security-Policy (CSP) | +5 | XSS and code injection (restricts where scripts and other resources may load from) |
| X-Frame-Options | +4 | Clickjacking (older mechanism; CSP `frame-ancestors` supersedes it but older browsers still need it) |
| X-Content-Type-Options | +4 | MIME type sniffing (`nosniff`) |
| Referrer-Policy | +4 | Information leakage via the Referer header |
| Permissions-Policy | +3 | Restricts browser features such as camera, microphone, and geolocation |
4. Response (15 points)
Server response quality indicates availability and performance. Response time is measured from the user's browser, so it includes network latency on the user's side (see Limitations).
| Criteria | Points | Description |
|---|---|---|
| HTTP Status 2xx/3xx | +7 | Successful response or redirect |
| Response Time <1s | +8 | Excellent performance |
| Response Time 1-2s | +6 | Good performance |
| Response Time 2-5s | +3 | Acceptable performance |
| Response Time >5s | +0 | Poor performance |
5. DNS Hygiene (15 points)
SPF and DMARC records let receiving mail servers reject mail that spoofs the domain; MX and redundant nameserver records indicate an actively maintained domain. DMARC is published as a TXT record at `_dmarc.<domain>`, not on the domain itself.
| Record | Points | Purpose |
|---|---|---|
| SPF Record | +5 | Email sender authentication, prevents spoofing |
| DMARC Record | +5 | Email authentication policy, reporting |
| MX Records | +3 | Email infrastructure configured |
| NS Redundancy (2+) | +2 | Multiple nameservers for reliability |
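The lookups behind this table, as an added example that is not the extension's own code: it builds the Google Public DNS JSON queries, parses the TXT, MX and NS answers and applies the points above. The responses are constructed inline in the documented dns.google/resolve JSON shape so the block runs offline; the hostname example.com and its records are hypothetical. It queries DMARC at `_dmarc.<domain>` as the standard requires, and the warnings it emits (duplicate SPF, `p=none`) go beyond the page's presence-only scoring.

```javascript
// Added example (not the extension's code): DNS Hygiene checks via the
// Google Public DNS JSON API. Responses below are constructed in the
// dns.google/resolve format so the block runs offline.
const RR = { NS: 2, MX: 15, TXT: 16 }; // DNS RR type numbers used by dns.google

function dnsQueryUrl(name, type) {
  return `https://dns.google/resolve?name=${encodeURIComponent(name)}&type=${type}`;
}

// dns.google returns TXT data quoted; long records arrive as several quoted
// chunks ("abc" "def") that must be concatenated before parsing.
function txtValue(data) {
  const chunks = data.match(/"((?:[^"\\]|\\.)*)"/g);
  return chunks ? chunks.map(c => c.slice(1, -1)).join('') : data;
}

function txtRecords(response) {
  // Status 3 (NXDOMAIN) responses carry no Answer array at all.
  return (response.Answer || []).filter(a => a.type === RR.TXT).map(a => txtValue(a.data));
}

// SPF must start with "v=spf1" (RFC 7208); more than one such record is a permerror.
function spfStatus(apexTxt) {
  const records = txtRecords(apexTxt).filter(t => /^v=spf1(\s|$)/i.test(t));
  return { present: records.length > 0, duplicate: records.length > 1, records };
}

// DMARC is published at _dmarc.<domain>, never on the apex, and starts with "v=DMARC1".
function dmarcStatus(dmarcTxt) {
  const rec = txtRecords(dmarcTxt).find(t => /^v=DMARC1\s*;/i.test(t));
  if (!rec) return { present: false, policy: null };
  const m = rec.match(/\bp=(none|quarantine|reject)\b/i);
  return { present: true, policy: m ? m[1].toLowerCase() : null };
}

function countRecords(response, type) {
  return (response.Answer || []).filter(a => a.type === type).length;
}

// Applies the DNS Hygiene points (5/5/3/2) and adds warnings the table does not score.
function dnsHygieneScore(domain, lookups) {
  const spf = spfStatus(lookups.txt);
  const dmarc = dmarcStatus(lookups.dmarc);
  const mx = countRecords(lookups.mx, RR.MX);
  const ns = countRecords(lookups.ns, RR.NS);
  const points = (spf.present ? 5 : 0) + (dmarc.present ? 5 : 0)
    + (mx > 0 ? 3 : 0) + (ns >= 2 ? 2 : 0);
  const warnings = [];
  if (spf.duplicate) warnings.push('multiple SPF records: receivers treat this as permerror');
  if (dmarc.present && dmarc.policy === 'none') warnings.push('DMARC p=none: reporting only, nothing is rejected');
  // The four URLs the extension would fetch; note the _dmarc prefix on the second.
  const queries = {
    txt: dnsQueryUrl(domain, RR.TXT),
    dmarc: dnsQueryUrl(`_dmarc.${domain}`, RR.TXT),
    mx: dnsQueryUrl(domain, RR.MX),
    ns: dnsQueryUrl(domain, RR.NS),
  };
  return { domain, points, spf, dmarc, mx, ns, warnings, queries };
}

// Constructed responses for a hypothetical example.com (not real lookups).
const sampleLookups = {
  txt: { Status: 0, Answer: [
    { name: 'example.com.', type: 16, TTL: 300, data: '"v=spf1 include:_spf.google.com -all"' },
    { name: 'example.com.', type: 16, TTL: 300, data: '"google-site-verification=abc123"' },
  ] },
  dmarc: { Status: 0, Answer: [
    { name: '_dmarc.example.com.', type: 16, TTL: 300,
      data: '"v=DMARC1; p=none; rua=mailto:dmarc@example.com"' },
  ] },
  mx: { Status: 0, Answer: [
    { name: 'example.com.', type: 15, TTL: 300, data: '10 mail.example.com.' },
  ] },
  ns: { Status: 0, Answer: [
    { name: 'example.com.', type: 2, TTL: 3600, data: 'ns1.example.net.' },
    { name: 'example.com.', type: 2, TTL: 3600, data: 'ns2.example.net.' },
  ] },
};

console.log(JSON.stringify(dnsHygieneScore('example.com', sampleLookups), null, 2));
```

In the extension, `lookups` would be the parsed JSON from a `fetch` of each URL in `queries`. The sample earns the full 15 points but still carries a warning: `p=none` means the domain is only collecting reports, so spoofed mail is not rejected.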
6. Infrastructure (5 points)
A CDN or WAF in front of the origin absorbs volumetric attacks and filters malicious requests. Detection relies on response headers such as `Server: cloudflare` or `X-Amz-Cf-Id`, which a site can spoof or strip (see Limitations). Varnish is a caching proxy rather than a CDN or WAF, but it is recognised by the same check. These points count toward the 100-point total shown in the summary below.
| Criteria | Points | Description |
|---|---|---|
| CDN/WAF Detected | +5 | Cloudflare, CloudFront, Akamai, Fastly, Varnish |
Score Summary
| Category | Max Points |
|---|---|
| HTTPS | 20 |
| SSL Certificate | 20 |
| Security Headers | 25 |
| Response | 15 |
| DNS Hygiene | 15 |
| Infrastructure | 5 |
| Total | 100 |
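Putting the categories together, as an added reference implementation of the rules on this page (not the extension's own code). The input object, its field names, the CDN header markers and the tier boundaries (the tables leave open which side of 1 s, 2 s, 7 days and 30 days a value falls on) are assumptions; the sample site is constructed.

```javascript
// Added example (not the extension's code): the scoring rules on this page as
// one function. Input field names and tier boundaries are assumptions.
const HEADER_POINTS = {
  'strict-transport-security': 5,
  'content-security-policy': 5,
  'x-frame-options': 4,
  'x-content-type-options': 4,
  'referrer-policy': 4,
  'permissions-policy': 3,
};

// Substrings searched for in response headers; the page's detection is header-based too.
const CDN_MARKERS = ['cloudflare', 'cloudfront', 'akamai', 'fastly', 'varnish'];

// Tier boundaries assumed inclusive at the lower bound: 7 and 30 days fall in the 7-30 tier.
function certExpiryPoints(daysToExpiry) {
  if (daysToExpiry > 30) return 10;
  if (daysToExpiry >= 7) return 5;
  return 0;
}

// Response-time tiers; 1000 ms counts as 1-2 s, 5000 ms as 2-5 s (assumption).
function responseTimePoints(ms) {
  if (ms < 1000) return 8;
  if (ms < 2000) return 6;
  if (ms <= 5000) return 3;
  return 0;
}

function scoreWebsite(site) {
  // Header names are case-insensitive; normalise once.
  const headers = Object.fromEntries(
    Object.entries(site.headers || {}).map(([k, v]) => [k.toLowerCase(), String(v)]));

  const https = site.url.startsWith('https://') ? 20 : 0;

  // Certificate rows only apply when the page was served over HTTPS and the
  // chain validated; an untrusted or expired certificate scores 0 in both rows.
  let certificate = 0;
  if (https && site.certValid) certificate = 10 + certExpiryPoints(site.certDaysToExpiry);

  // Presence-based, matching the table; this example does not judge header values.
  const securityHeaders = Object.entries(HEADER_POINTS)
    .reduce((sum, [name, pts]) => sum + (name in headers ? pts : 0), 0);

  const status = site.status >= 200 && site.status < 400 ? 7 : 0;
  const response = status + responseTimePoints(site.responseTimeMs);

  const dns = (site.spf ? 5 : 0) + (site.dmarc ? 5 : 0)
    + (site.mxCount > 0 ? 3 : 0) + (site.nsCount >= 2 ? 2 : 0);

  // Heuristic: any marker appearing in a header name or value counts as a CDN/WAF.
  const headerText = Object.entries(headers).map(([k, v]) => `${k}: ${v}`).join('\n').toLowerCase();
  const infrastructure = CDN_MARKERS.some(m => headerText.includes(m)) ? 5 : 0;

  const categories = { https, certificate, securityHeaders, response, dns, infrastructure };
  const total = Object.values(categories).reduce((a, b) => a + b, 0);
  return { ...categories, total };
}

// Constructed sample: a reasonably hardened site behind Cloudflare, missing two headers.
const sampleSite = {
  url: 'https://example.com/',
  status: 200,
  responseTimeMs: 420,
  certValid: true,
  certDaysToExpiry: 61,
  headers: {
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
    'Content-Security-Policy': "default-src 'self'",
    'X-Content-Type-Options': 'nosniff',
    'Referrer-Policy': 'strict-origin-when-cross-origin',
    'Server': 'cloudflare',
  },
  spf: true, dmarc: true, mxCount: 2, nsCount: 4,
};

console.log(scoreWebsite(sampleSite));
```

The sample scores 93: it loses 4 points for the missing X-Frame-Options and 3 for the missing Permissions-Policy, and everything else earns its maximum. Because the per-header check is presence-based, replacing the CSP value with a permissive one would not change the number, which is why the header section above warns that values matter.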
Data Sources
- HTTP/HTTPS: Direct fetch from background script
- Headers: Parsed from HTTP response headers
- DNS Records: Google Public DNS API (dns.google)
- IP/Hosting Info: ip-api.com geolocation service
- SSL Details: ssl-checker.io API (when available)
Limitations
- Certificate details come from the ssl-checker.io API; when it is unavailable the SSL Certificate category may be scored incompletely
- DMARC records are published as TXT at `_dmarc.<domain>`; we currently check only the domain's own TXT records, so a correctly published DMARC record is not detected and the 5 DMARC points may be missed
- Technology detection is based on HTTP headers only (can be spoofed or hidden)
- Response time varies based on your network connection
- Some security headers may be set by a CDN/proxy rather than the origin server, so a good header score does not prove the origin itself is hardened; a request that reaches the origin directly will not carry them
- The DNS, IP and certificate checks send the visited hostname to the third-party services listed under Data Sources