Website Health Score Methodology

How we calculate the health score for websites

Overview

The Website Health Score is calculated out of 100 points across six categories. Each category evaluates different aspects of a website's security, performance, and infrastructure.

A score of 80+ is considered Excellent, 60-79 is Good, 40-59 is Fair, and below 40 Needs Improvement.

1. HTTPS (20 points)

HTTPS ensures encrypted communication between the browser and server, protecting data in transit.

Criteria Points Description
HTTPS Enabled +20 Website loads over HTTPS protocol

2. SSL Certificate (20 points)

Valid SSL certificates ensure the website's identity is verified and encryption is properly configured.

Criteria Points Description
Valid Certificate +10 Certificate is valid and trusted by browsers
Expiry >30 days +10 Certificate won't expire soon
Expiry 7-30 days +5 Certificate expiring soon (warning)
Expiry <7 days +0 Certificate about to expire (critical)

3. Security Headers (25 points)

HTTP security headers protect against common web vulnerabilities like XSS, clickjacking, and MIME sniffing.

Header Points Protection Against
Strict-Transport-Security (HSTS) +5 Forces HTTPS, prevents downgrade attacks
Content-Security-Policy (CSP) +5 XSS attacks, code injection
X-Frame-Options +4 Clickjacking attacks
X-Content-Type-Options +4 MIME type sniffing
Referrer-Policy +4 Information leakage via referrer
Permissions-Policy +3 Controls browser features access

4. Response (15 points)

Server response quality indicates availability and performance.

Criteria Points Description
HTTP Status 2xx/3xx +7 Successful response or redirect
Response Time <1s +8 Excellent performance
Response Time 1-2s +6 Good performance
Response Time 2-5s +3 Acceptable performance
Response Time >5s +0 Poor performance

5. DNS Hygiene (15 points)

Proper DNS configuration indicates professional setup and email authentication.

Record Points Purpose
SPF Record +5 Email sender authentication, prevents spoofing
DMARC Record +5 Email authentication policy, reporting
MX Records +3 Email infrastructure configured
NS Redundancy (2+) +2 Multiple nameservers for reliability

Note: DMARC records are typically published at the _dmarc.domain.com subdomain. Our check looks for DMARC in the main domain's TXT records.

6. Infrastructure (5 points bonus)

Using a CDN or WAF indicates professional infrastructure and additional protection.

Criteria Points Description
CDN/WAF Detected +5 Cloudflare, CloudFront, Akamai, Fastly, Varnish

Score Summary

Category Max Points
HTTPS 20
SSL Certificate 20
Security Headers 25
Response 15
DNS Hygiene 15
Infrastructure 5
Total 100
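
The rubric above, applied end to end to one site, as an added example (not the scoring tool's own code). Point values are taken from the tables on this page; the input field names, the sample observation and the handling of values that fall exactly on a tier boundary are assumptions.

```python
# Added example: points come from the tables on this page; field names,
# SAMPLE and boundary handling are assumptions made for illustration.
HEADER_POINTS = {
    "strict-transport-security": 5, "content-security-policy": 5,
    "x-frame-options": 4, "x-content-type-options": 4,
    "referrer-policy": 4, "permissions-policy": 3,
}

def health_score(obs):
    """Return (total, rating, per-category points) for one observation dict."""
    seen = {h.lower() for h in obs.get("headers", ())}  # header names are case-insensitive
    days = obs.get("cert_days_left", 0)                 # negative means already expired
    secs = obs.get("response_seconds", float("inf"))    # no response scores 0
    cats = {
        "HTTPS": 20 if obs.get("https") else 0,
        # Validity and expiry are scored independently, as the table lists them.
        # Assumption: exactly 30 days and exactly 7 days fall in the 7-30 tier.
        "SSL Certificate": (10 if obs.get("cert_valid") else 0)
                           + (10 if days > 30 else 5 if days >= 7 else 0),
        "Security Headers": sum(p for h, p in HEADER_POINTS.items() if h in seen),
        # Assumption: exactly 2s counts as 2-5s, exactly 5s still earns +3.
        "Response": (7 if 200 <= obs.get("status", 0) < 400 else 0)
                    + (8 if secs < 1 else 6 if secs < 2 else 3 if secs <= 5 else 0),
        "DNS Hygiene": (5 if obs.get("spf") else 0) + (5 if obs.get("dmarc") else 0)
                       + (3 if obs.get("mx") else 0)
                       + (2 if obs.get("ns_count", 0) >= 2 else 0),
        "Infrastructure": 5 if obs.get("cdn_waf") else 0,
    }
    total = sum(cats.values())
    rating = ("Excellent" if total >= 80 else "Good" if total >= 60
              else "Fair" if total >= 40 else "Needs Improvement")
    return total, rating, cats

# Constructed observation: HTTPS with a valid certificate expiring in 21 days,
# three of six security headers, no DMARC record, no CDN/WAF.
SAMPLE = {
    "https": True, "cert_valid": True, "cert_days_left": 21,
    "headers": ["Strict-Transport-Security", "X-Content-Type-Options", "Referrer-Policy"],
    "status": 200, "response_seconds": 1.4,
    "spf": True, "dmarc": False, "mx": True, "ns_count": 2, "cdn_waf": False,
}

if __name__ == "__main__":
    total, rating, cats = health_score(SAMPLE)
    for name, pts in cats.items():
        print(f"{name:18} {pts:3}")
    print(f"{'Total':18} {total:3}  ({rating})")
```

The per-category breakdown shows where the points were lost: in the sample, the missing CSP, X-Frame-Options and Permissions-Policy headers cost 12 points and the absent DMARC record costs 5.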

Data Sources

Limitations