Security Header Ratings

Explanation

Security Header Ratings provide an objective assessment of a website's HTTP response headers from a security point of view. Adding and configuring security headers according to best practices gives a website an additional layer of protection. In Nimbusec Discovery, a new column in the report overview, showing a grade from A+ to F, evaluates the security headers found when a website was scanned.

The implementation is based on Mozilla Observatory. The detailed scoring is described in their GitHub repo: Scoring.md. That means we stick to Mozilla's rating and scoring method.

Every scanned domain starts with a base score of 100. Following Mozilla's scoring method, points are added for specific hardening configurations and subtracted when headers are missing or configured insecurely.

The result is a score, which is then mapped to a grade according to the following table:

Score range    Grade
100+           A+
90-99          A
85-89          A-
80-84          B+
70-79          B
65-69          B-
60-64          C+
50-59          C
45-49          C-
40-44          D+
30-39          D
25-29          D-
0-24           F
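The following Python snippet is an added example, not Nimbusec's or Mozilla's code. It implements the score-to-grade mapping exactly as the table above defines it and shows how a base score of 100 is reduced for missing headers. The header names are real HTTP headers, but the penalty values in MISSING_HEADER_PENALTY are illustrative placeholders chosen for this example, not Mozilla Observatory's actual point values (those are in Scoring.md). The raw HTTP responses are constructed sample input so the script runs offline.

```python
"""Score-to-grade mapping for security headers.

Example code added to illustrate the page; not Nimbusec's or Mozilla's
implementation. The grade table is the one on the page; the penalty
values are assumed placeholders, not Mozilla Observatory's real scoring.
"""

from typing import Dict, List, Tuple

# Grade boundaries from the page's table: (minimum score, grade), highest first.
GRADE_TABLE: List[Tuple[int, str]] = [
    (100, "A+"), (90, "A"), (85, "A-"), (80, "B+"), (70, "B"), (65, "B-"),
    (60, "C+"), (50, "C"), (45, "C-"), (40, "D+"), (30, "D"), (25, "D-"),
    (0, "F"),
]

# ASSUMED penalties for a missing header (illustrative, not Mozilla's values).
MISSING_HEADER_PENALTY: Dict[str, int] = {
    "content-security-policy": -25,
    "strict-transport-security": -20,
    "x-frame-options": -20,
    "x-content-type-options": -5,
}

# Constructed sample responses (not captured from any real site).
SAMPLE_WEAK = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    "<html>...</html>"
)
SAMPLE_STRONG = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "\r\n"
    "<html>...</html>"
)


def parse_response_headers(raw: str) -> Dict[str, str]:
    """Return the headers of a raw HTTP response as a dict with lowercased names."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def grade_for_score(score: int) -> str:
    """Map a score to a grade using GRADE_TABLE.

    Scores below 0 are treated as 0 (assumption: nothing below F exists);
    100 and above map to A+ as in the page's table.
    """
    score = max(score, 0)
    for minimum, grade in GRADE_TABLE:
        if score >= minimum:
            return grade
    return "F"  # not reached: the last row starts at 0


def score_headers(headers: Dict[str, str]) -> Tuple[int, List[str]]:
    """Start at 100 and subtract the assumed penalty for every missing header.

    Returns the final score and a list of human-readable findings.
    """
    score = 100
    findings: List[str] = []
    for name, penalty in MISSING_HEADER_PENALTY.items():
        if name not in headers:
            score += penalty
            findings.append(f"{name} missing ({penalty})")
    return score, findings


def rate_response(raw: str) -> Tuple[int, str, List[str]]:
    """Convenience wrapper: raw response -> (score, grade, findings)."""
    score, findings = score_headers(parse_response_headers(raw))
    return score, grade_for_score(score), findings


if __name__ == "__main__":
    for label, sample in (("weak", SAMPLE_WEAK), ("strong", SAMPLE_STRONG)):
        score, grade, findings = rate_response(sample)
        print(f"{label}: score={score} grade={grade}")
        for finding in findings:
            print(f"  - {finding}")
```

With the assumed penalties, the weak sample loses 25 + 20 + 20 points for the three missing headers and lands at 35, which the table maps to D; the strong sample keeps its base score of 100 and gets A+. Swapping in the real values from Mozilla's Scoring.md, including the bonus points the page mentions, only changes MISSING_HEADER_PENALTY and the additions in score_headers; the grade mapping stays as it is.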

How it looks in Discovery

The new column in Discovery shows the grade from A+ to F for every discovered domain for which a rating was possible.

Discovery Overview

Clicking on the grade opens the details of how the rating was measured. The details page shows the score reached and every factor that went into calculating it.

Discovery Details

On the new analysis page you can filter for websites that pass and/or fail specific tests. This helps you focus on the most important websites first.

Last updated on 12th Apr 2019