Website security score explained
If you run a WebPageTest scan, you get a security score.
What is this score measuring and how are we calculating it?
What is WebPageTest?
WebPageTest is a service that runs a free website speed test from multiple locations around the globe using real browsers, providing website performance metrics that help developers tune their websites.
In order to get a security score and test website security, head over to WebPageTest, type in your website address, and hit the Start Test button—you’ll get a security score, once the scan is complete.
To explain the security score, I scanned the website
https://www.foxnews.com and, as you can see in the picture below, that website scored a grade of E, showing that there’s much to fix:
But what exactly is the issue and why did this website get an
If you click on the score you’ll see more detailed results of the issues on the Snyk results page:
As you can see, the scores are based on two core metrics:
- Security headers, in which we check which HTTP security headers have been set for the website, and those which are missing but recommended to turn on.
Website security check
What does it mean when a website is not secure?
Before we jump into how we calculate the score, let’s elaborate on the metrics that we measure on the page:
HTTP security headers
In the above picture showing the detailed results on the Snyk page we can see that one HTTP security header was used,
strict-transport-security—read more about this on the MDN developer pages. Yet the website we tested lacks the following security headers:
How do we score a website security scan?
The highest grade you can get is an A+ and the lowest is an F. The grades are composed based on the following score:
- A+ for a score equal to or higher than 95
- A for a score equal to or higher than 75
- B for a score equal to or higher than 60
- C for a score equal to or higher than 50
- D for a score equal to or higher than 29
- E for a score equal to or higher than 14
- F for a score equal to or higher than 0
Security headers are scored as follows:
- Content-Security-Policy adds 25 points
- X-Frame-Options adds 20 points
- X-XSS-Protection adds 20 points
- X-Content-type-options adds 20 points
- Strict-transport-security adds 25 points, only if the website tested is on HTTPS
- When at least one library is found vulnerable:
- high severity vulnerabilities, drop the score to 70
- every medium severity vulnerability drops the score by 25 points
- every low severity vulnerability drops the score by 20 points
If you don’t already have a Snyk account, sign up for free and use Snyk to scan open source dependencies, such as npm packages that you use to build your web applications and ensure you are free of security vulnerabilities. Snyk monitors and will also send you alerts as well as automatically open pull requests to fix the issues.