methodology
How the score works
A short, plain explanation of the big letter at the top of every report.
tl;dr
The big letter, in plain English
Each scanner gives its own grade or score. We turn every grade into a number from 0 to 100, skip the scanners that could not give a number, then average the rest.
The big letter at the top of every report is that average, translated back into a letter using a fixed table.
So the big letter is our summary, not a single official rating. The per-scanner table is the real source of truth. The big letter is just a one-glance read.
letters to numbers
How letter grades become numbers
Some scanners return a number directly (Mozilla Observatory, for example). Others return a letter (SSL Labs, securityheaders.com, our own). For the letter ones, we convert with this fixed table:
| Letter | Number |
|---|---|
| A+ | 100 |
| A | 95 |
| A- | 90 |
| B+ | 85 |
| B | 80 |
| B- | 75 |
| C+ | 70 |
| C | 65 |
| C- | 60 |
| D+ | 55 |
| D | 50 |
| D- | 45 |
| E | 40 |
| F / T / M | 0 |
averaging
How we combine scanners into one number
We take a plain average (mean) of every scanner that gave us a number. Two kinds of scanners are skipped:
- Link-out scanners. Some sites (like internet.nl) do not expose a free public API, so we can only point you at their website. They cannot give us a number, so they do not count.
- Failed scanners. Network timeout, malformed response, third-party rate-limit. They do not count either, and they are flagged in the report.
If no scanner gave us a number at all, the report says "No graded scanners returned a score." instead of inventing a letter.
number back to letter
How the average becomes the big letter
We round the average to the nearest whole number, then read it off this ladder:
| Number | Letter |
|---|---|
| 95 or more | A+ |
| 90 to 94 | A |
| 85 to 89 | A- |
| 80 to 84 | B+ |
| 75 to 79 | B |
| 70 to 74 | B- |
| 65 to 69 | C+ |
| 60 to 64 | C |
| 55 to 59 | C- |
| 50 to 54 | D+ |
| 45 to 49 | D |
| 40 to 44 | D- |
| under 40 | F |
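
The three steps above, put together as an added example (not this tool's own code). The scanner keys and sample grades are constructed, `None` is an assumed marker for a link-out or failed scanner, and halves are assumed to round up because the page does not say how ties are rounded.

```python
import math

# Letter-to-number table from the page.
LETTER_TO_NUMBER = {
    "A+": 100, "A": 95, "A-": 90, "B+": 85, "B": 80, "B-": 75,
    "C+": 70, "C": 65, "C-": 60, "D+": 55, "D": 50, "D-": 45,
    "E": 40, "F": 0, "T": 0, "M": 0,
}
# Number-to-letter ladder from the page: (minimum, letter), highest first.
LADDER = [(95, "A+"), (90, "A"), (85, "A-"), (80, "B+"), (75, "B"), (70, "B-"),
          (65, "C+"), (60, "C"), (55, "C-"), (50, "D+"), (45, "D"), (40, "D-")]


def to_number(result):
    """Return 0-100 for a graded result, or None if the scanner is skipped."""
    if result is None:                      # link-out or failed scanner
        return None
    if isinstance(result, (int, float)):    # scanner that returns a number directly
        return float(result)
    return float(LETTER_TO_NUMBER[result.strip().upper()])


def big_letter(results):
    """results: dict of scanner name -> letter, number, or None (skipped)."""
    numbers = [n for n in map(to_number, results.values()) if n is not None]
    if not numbers:
        return None, "No graded scanners returned a score."
    mean = sum(numbers) / len(numbers)      # plain mean, every scanner weighted equally
    rounded = math.floor(mean + 0.5)        # assumption: halves round up
    for minimum, letter in LADDER:
        if rounded >= minimum:
            return rounded, letter
    return rounded, "F"


# Constructed sample report (scanner keys and grades are made up for illustration).
sample = {
    "ssl_labs": "A",            # 95
    "securityheaders": "C",     # 65
    "observatory": 70,          # numeric scanner, used as-is
    "internet_nl": None,        # link-out: skipped, not counted as 0
    "timed_out_scanner": None,  # failed: skipped
}

if __name__ == "__main__":
    print(big_letter(sample))
    print(big_letter({"ssl_labs": "A"}))
    print(big_letter({"internet_nl": None}))
```

The two tables are not inverses of each other: a report whose only graded scanner returned A averages to 95 and reads back as A+, and a lone E (40) reads back as D-.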
caveats
What the big letter does not tell you
- Every scanner counts the same. A broken TLS stack and a missing Permissions-Policy header pull the average by the same weight. Read the per-scanner table for the real picture.
- Different scanners measure different things. An A+ from one scanner is not the same as an A+ from another. The number ladder is the same; what they look at is not.
- Link-out scanners do not pull the average down. They are simply absent from it. The report calls them out separately.
- It is a snapshot. Run the same scan tomorrow and the letter can move: a scanner could be rate-limited, the site could change, certificates expire.
- It is our number, not theirs. The big letter is computed locally by this tool. None of the third-party scanners we query has endorsed it.