Free Online Tool

Website Security Scorecard

Enter any public website to get an instant A-F security audit. We check SSL, HTTPS, security headers, and response health in parallel.

Note about big platforms

Sites like google.com, facebook.com, and youtube.com may show artificially low scores. They use the HSTS preload list (HSTS hardcoded into browsers, not in response headers) and aggressive bot detection that hides headers from automated scanners. The scorecard is most accurate on regular websites you control or want to audit. Try cloudflare.com, mozilla.org, or your own domain for a representative result.

What this scorecard checks

The Website Security Scorecard runs four parallel checks against any public website and combines the results into a single A-F grade. It's a quick way to spot common security issues before an attacker does.

SSL certificate (30 points): certificate validity, issuer, and SSL Labs grade.
Security headers (40 points): HSTS, CSP, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, and Permissions-Policy.
HTTPS enforcement (20 points): response code is healthy and the final URL is HTTPS.
Response time (10 points): server responds in under 1 second.

Total score is mapped to a letter grade: 90+ A+, 80+ A, 70+ B, 60+ C, 50+ D, below 50 F.

How to use

Enter a public domain such as example.com or a full URL.
Click Run Security Audit.
Review the overall grade and four sub-scores.
Use the issue list at the bottom to fix specific gaps.

FAQ

How is the grade calculated?

The scorecard combines four checks: SSL grade (30 points), security headers presence (40 points), HTTPS health (20 points), and response time (10 points). Total 100 points, mapped to A+, A, B, C, D, F.

Why does an SSL audit take 10 seconds?

SSL Labs runs detailed certificate and protocol checks server-side. The first scan can take 5-15 seconds. If results are not ready, run the audit again shortly.

Are my results stored?

No. The scorecard runs each check on demand and does not persist any data. SSL Labs caches public scan results for a short period to speed up repeat checks.

Why is my SSL grade missing?

SSL Labs sometimes needs time to complete the first scan of a domain. Wait a few seconds and re-run the audit. Other checks (headers, HTTPS, response time) still work even if SSL is pending.

What if my site is internal or behind a firewall?

The scorecard only checks public websites. Internal, private, or VPN-only sites cannot be audited from a public scanner.