Methodology

How the grade works.

A grade is only worth something if you can see how it was reached. Here's the whole method, plainly.

What I look at

Only what your site serves to the public: response headers, the HTML and JavaScript your pages ship, and the transport it's served over. I don't log in, I don't probe, I don't send anything a normal visitor's browser wouldn't. That's a deliberate line — this grade is a checkup from the outside, not an intrusion.

How the score is built

  • Each check that fires deducts points based on its severity, a per-check weight, and my confidence in the signal.
  • Because this is an outside-only checkup, confidence is capped at "observed" — so a free grade never deducts as if it had proof it doesn't have.
  • Deductions roll up into category sub-scores and a single 0–100 score, which maps to a letter grade on fixed bands (A ≥ 90, B ≥ 80, C ≥ 70, D ≥ 60, else F).
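The three rules above, worked through in code. This is an added illustration, not the grader's own scoring engine: the severity points, the per-check weights, the names and multipliers on the confidence ladder, the rollup rule (each category starts at 100 and loses its own deductions; the overall score is 100 minus all deductions, floored at 0), the check identifiers, and the sample findings are all assumed for the example. What it does take from the page is the shape of the model (severity × weight × confidence per fired check, a confidence cap at "observed" for an outside-only scan, category sub-scores, the fixed letter bands) and the engine and rubric identifiers stamped on every result.

```python
from dataclasses import dataclass

# Severity base points: an assumption for illustration, not the published rubric.
SEVERITY_POINTS = {"low": 5, "medium": 10, "high": 20, "critical": 40}

# Confidence ladder, lowest to highest (assumed names and multipliers).
# An outside-only scan is capped at "observed": it can see the symptom but has
# no proof, so it never deducts with the full weight of "confirmed".
CONFIDENCE = {"suspected": 0.5, "observed": 0.8, "confirmed": 1.0}
OUTSIDE_ONLY_CAP = "observed"

# Letter bands exactly as the page states them.
GRADE_BANDS = ((90, "A"), (80, "B"), (70, "C"), (60, "D"))


@dataclass(frozen=True)
class Check:
    check_id: str      # hypothetical identifier, not from the real catalog
    category: str
    severity: str
    weight: float      # per-check multiplier (assumed values)


@dataclass(frozen=True)
class Finding:
    check: Check
    confidence: str    # the signal strength the detector claims


def cap_confidence(level: str, cap: str = OUTSIDE_ONLY_CAP) -> str:
    """Clamp a claimed confidence level to the scan's maximum."""
    ladder = list(CONFIDENCE)
    return ladder[min(ladder.index(level), ladder.index(cap))]


def deduction(finding: Finding, cap: str = OUTSIDE_ONLY_CAP) -> float:
    """Points removed for one fired check: severity x weight x (capped) confidence."""
    level = cap_confidence(finding.confidence, cap)
    return SEVERITY_POINTS[finding.check.severity] * finding.check.weight * CONFIDENCE[level]


def letter_grade(score: float) -> str:
    for floor, letter in GRADE_BANDS:
        if score >= floor:
            return letter
    return "F"


def score_scan(findings, cap=OUTSIDE_ONLY_CAP, engine="example-engine", rubric="example-rubric"):
    """Roll deductions up into per-category sub-scores and one 0-100 score.

    Rollup rule is an assumption: every category starts at 100 and loses its own
    deductions; the overall score is 100 minus all deductions, floored at 0.
    The engine and rubric identifiers are stamped onto the result so a later
    score can be compared on equal terms.
    """
    per_category = {}
    for f in findings:
        per_category[f.check.category] = per_category.get(f.check.category, 0.0) + deduction(f, cap)
    total = max(0.0, 100.0 - sum(per_category.values()))
    return {
        "score": round(total, 1),
        "grade": letter_grade(total),
        "categories": {c: round(max(0.0, 100.0 - d), 1) for c, d in per_category.items()},
        "engine": engine,
        "rubric": rubric,
    }


def sample_findings():
    """Constructed findings for a fictional site; ids, categories and weights are made up."""
    hsts = Check("hsts-missing", "transport", "medium", 1.0)
    csp = Check("csp-missing", "headers", "medium", 1.0)
    key = Check("public-key-in-js", "content", "low", 0.5)
    tls = Check("weak-tls-config", "transport", "high", 1.0)
    return [
        Finding(hsts, "observed"),
        Finding(csp, "observed"),
        Finding(key, "observed"),
        # The detector claims proof it cannot actually have from outside; the cap
        # reduces this to "observed" before any points come off.
        Finding(tls, "confirmed"),
    ]


if __name__ == "__main__":
    result = score_scan(sample_findings())
    print(result)  # score 66.0, grade D under the assumed weights
```

The last sample finding is the one worth watching: the detector reports it as "confirmed", but the outside-only cap clamps it to "observed" before it is weighted, so it costs 16 points rather than 20. Re-running the same findings with cap="confirmed" shows the difference the cap makes to the final score.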

Why a grade might change

Every scan records the engine and rubric version it ran under. If I change the rubric, that's a versioned change — not a silent one — so a score only moves because your site moved or because I've told you the rubric did.

What this grade is not

It is not a statement that your site is compromised. It highlights risk patterns visible from outside. Some findings — for example a public API key that's meant to be public — are only a real problem in combination with things I can't see from here without your permission. Where that's the case, I say so rather than overstating it.

The full check catalog — every check, its severity, and its remediation — is available from the API at /v1/checks. The rubric is meant to be inspectable.