Website Security Grade: What It Means and How to Improve Yours
A website security grade condenses your entire external security posture into a single letter. It tells you -- and your clients, partners, and auditors -- whether your domain's publicly visible infrastructure is properly secured. Here is what goes into the grade and how to raise yours.
What Is a Website Security Grade?
A website security grade is a letter rating from A to F that summarizes how well your domain's external infrastructure is configured for security. It works like a report card: each category of your external attack surface is scored individually, then weighted into a single composite grade.
Unlike penetration tests or vulnerability scans that look at application-level bugs, a website security grade focuses on the publicly visible infrastructure layer: your SSL certificates, DNS records, HTTP headers, email authentication, and uptime. These are the things an attacker sees first when they look at your domain, and they are the things that automated scanners check before deciding whether your domain is worth targeting.
A poor website security grade signals to attackers that your organization does not prioritize security -- making you a more attractive target. Conversely, a strong grade demonstrates security hygiene that discourages casual attackers and satisfies compliance auditors.
What Gets Measured
A comprehensive website security grade evaluates five areas of your external attack surface. Here is what Scanward checks and how each area is weighted (the weights sum to 100%):
SSL/TLS Certificates (25%)
Your SSL certificate is the most visible security control on your domain. The scan checks certificate validity, expiration date, certificate chain integrity (a missing intermediate breaks clients that do not fetch it themselves), TLS protocol version (1.2 and 1.3 are current; 1.0 and 1.1 were formally deprecated by RFC 8996), and cipher suite strength. An expired certificate drops your grade immediately and shows visitors a browser warning. For more detail, see our SSL certificate monitoring guide.
DNS Configuration (15%)
DNS is the foundation everything else builds on. The scan inventories your records (A, AAAA, MX, CNAME, NS, TXT), checks for DNSSEC, and flags dangling CNAME records: aliases that point at a hostname on a third-party service that no longer exists, which an attacker can register on that service to serve content under your subdomain (subdomain takeover). You can run a quick check with our free DNS lookup tool.
HTTP Security Headers (20%)
Security headers instruct browsers on how to handle your content. Six headers are checked: HSTS, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Permissions-Policy, and Referrer-Policy. Missing headers leave users vulnerable to clickjacking, XSS, and MIME-sniffing attacks. (Current browsers honour Content-Security-Policy's frame-ancestors directive over X-Frame-Options, but keep both: older clients only understand the latter, and the scan looks for it.) Our security headers guide covers each one, and you can test yours with our free security headers checker.
Email Authentication (25%)
SPF, DKIM, and DMARC records prevent email spoofing. SPF lists the servers allowed to send for your domain and DKIM lets receivers verify a signature on each message, but neither by itself stops a forged From: address; it is a DMARC policy of quarantine or reject that tells receivers what to do with a message that fails both. Missing any of these means attackers can send emails that appear to come from your domain. This category carries heavy weight because email impersonation is one of the most common and damaging attacks. See our complete email authentication guide for setup instructions, or use our SPF generator and DMARC generator to create records.
Uptime and Performance (15%)
The scan makes HTTP requests to your domain and measures response status, latency, and redirect chains. A domain that is slow, unreachable, or has excessive redirects loses points here.
What Each Grade Means
| Grade | Score | What It Tells You |
|---|---|---|
| A | 90-100 | All major security controls are properly configured. Your external attack surface is well-hardened. |
| B+ | 80-89 | Most controls are in place. Minor gaps remain -- usually a missing security header or a DMARC policy set to none. |
| B- | 70-79 | Basics are covered but several security headers or email auth records are missing. |
| C+ | 60-69 | Multiple security controls are absent. Your domain is noticeably vulnerable. |
| C- | 50-59 | Significant gaps. Immediate attention needed to avoid becoming an easy target. |
| D | 40-49 | Critical protections are missing or broken. High risk of exploitation. |
| F | 0-39 | Fundamental security infrastructure is absent. Your domain is essentially unprotected. |
Most domains land between C+ and B+ on their first scan. An A is achievable for any domain -- it just requires having the right records and headers in place.
Check your website security grade now
Get your A-F security grade in 30 seconds. Scanward checks SSL, DNS, headers, email auth, and uptime -- completely free.
Scan Your Domain Free →
How to Improve Your Website Security Grade
Here are the highest-impact fixes, ordered by how much they typically improve your grade:
1. Fix your SSL certificate
If your certificate is expired, expiring soon, or served over an outdated TLS version, this is the single biggest grade improvement. Renew the certificate, automate renewal (an ACME client such as certbot handles Let's Encrypt renewals for you), and configure the server to accept only TLS 1.2 and 1.3. This alone can move you from an F to a C.
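The checks behind this step, as an added example rather than Scanward's own scanner: days_left() and classify() are pure functions exercised offline against a constructed notAfter value and two constructed clock readings, while probe() opens a real TLS connection with a verifying context that refuses anything below TLS 1.2. The 14-day warning window (WARN_DAYS) is an assumption; pick whatever fits your renewal cadence.

```python
"""Check certificate expiry and the negotiated TLS version for one host.

Added example, not Scanward's scanner. days_left() and classify() are pure,
so the sample at the bottom runs offline; probe() needs network access.
WARN_DAYS is an assumed alert window.
"""
import socket
import ssl
from datetime import datetime, timezone
from typing import Optional

WARN_DAYS = 14  # assumption; certbot's own renewal window is 30 days before expiry


def days_left(not_after: str, now: Optional[datetime] = None) -> int:
    """not_after is the getpeercert() notAfter string, e.g. 'Mar  1 12:00:00 2026 GMT'."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), tz=timezone.utc)
    now = now or datetime.now(tz=timezone.utc)
    return (expires - now).days


def classify(days: int) -> str:
    """Map days remaining onto the three states a monitor alerts on."""
    if days < 0:
        return "expired"
    if days < WARN_DAYS:
        return "expiring"
    return "ok"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with the default (chain-verifying) context, refusing TLS < 1.2."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            days = days_left(cert["notAfter"])
            return {
                "host": host,
                "tls_version": tls.version(),  # e.g. 'TLSv1.3'
                "cipher": tls.cipher()[0],
                "days_left": days,
                "status": classify(days),
            }


# Constructed values for the offline demonstration.
SAMPLE_NOT_AFTER = "Mar  1 12:00:00 2026 GMT"
SAMPLE_NOW = datetime(2026, 2, 20, 12, 0, tzinfo=timezone.utc)    # 9 days before expiry
SAMPLE_LATER = datetime(2026, 3, 2, 12, 0, tzinfo=timezone.utc)   # 1 day after expiry

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))  # e.g. python cert_check.py example.com
    else:
        for clock in (SAMPLE_NOW, SAMPLE_LATER):
            days = days_left(SAMPLE_NOT_AFTER, clock)
            print(clock.date(), days, classify(days))
```

One caveat on the live path: because the context verifies the chain, an already-expired certificate or a missing intermediate makes wrap_socket raise ssl.SSLCertVerificationError before getpeercert() ever runs. Treat that exception as the finding rather than loosening verification to read the certificate.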
2. Add SPF, DKIM, and DMARC records
Email authentication carries 25% of the total weight. If you are missing all three records, adding them jumps your score by up to 25 points. Use our SPF generator and DMARC generator to create the DNS records, then follow our setup guide to publish them. Two things to keep in mind: DKIM is configured at the sending service (your mail provider generates the signing key and hands you the public-key TXT record to publish), and DMARC should go live with p=none first so the aggregate reports can show you which legitimate senders fail before you move the policy to quarantine and then reject.
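Before publishing the records, it is worth linting them for the mistakes that cost the most points: an SPF record that exceeds the 10 DNS-lookup limit (receivers then return permerror and the record protects nothing), a +all that authorises the whole internet, or a DMARC record stuck at p=none. The checker below is an added example, not Scanward's scanner or the generators linked above; the four records it runs on are constructed, and it only reads one domain's SPF record without chasing include: targets, so its lookup count is a lower bound.

```python
"""Lint SPF and DMARC TXT records before you publish them.

Added example, not Scanward's scanner. The sample records are constructed.
Rules follow RFC 7208 (SPF, 10-lookup limit) and RFC 7489 (DMARC tags).
"""

# SPF terms that each cost a DNS lookup; more than 10 in total is a permerror.
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def check_spf(record: str) -> dict:
    """Lint one domain's SPF record. include: targets are not fetched, so
    the lookup count is a lower bound for the real total."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        return {"lookups": 0, "all": None, "problems": ["record must start with v=spf1"]}
    lookups, all_qualifier, problems = 0, None, []
    for term in terms[1:]:
        qualifier, body = "+", term.lower()
        if body[0] in "+-~?":
            qualifier, body = body[0], body[1:]
        # strip arguments: include:x -> include, a/24 -> a, redirect=x -> redirect
        name = body.split(":", 1)[0].split("/", 1)[0].split("=", 1)[0]
        if name in LOOKUP_TERMS:
            lookups += 1
        if name == "ptr":
            problems.append("ptr is deprecated: slow and unreliable at receivers")
        if name == "all":
            all_qualifier = qualifier
    if lookups > 10:
        problems.append(f"{lookups} DNS lookups exceed the limit of 10 (receivers return permerror)")
    if all_qualifier is None:
        problems.append("no 'all' term: unlisted senders get neutral instead of fail")
    elif all_qualifier == "+":
        problems.append("+all authorises every host on the internet to send as you")
    return {"lookups": lookups, "all": all_qualifier, "problems": problems}


def check_dmarc(record: str) -> dict:
    """Lint a _dmarc TXT record and say whether receivers will actually enforce it."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    problems = []
    if tags.get("v", "").upper() != "DMARC1":
        problems.append("missing v=DMARC1")
    policy = tags.get("p", "").lower() or None
    if policy not in ("none", "quarantine", "reject"):
        problems.append("p= must be none, quarantine or reject")
    elif policy == "none":
        problems.append("p=none only monitors: mail that fails DMARC is still delivered")
    if "rua" not in tags:
        problems.append("no rua=: you get no aggregate reports to find legitimate senders that fail")
    pct = int(tags.get("pct", "100"))
    if policy in ("quarantine", "reject") and pct < 100:
        problems.append(f"pct={pct} leaves {100 - pct}% of failing mail unenforced")
    return {"policy": policy, "pct": pct, "problems": problems}


# Constructed records (example.com / example.net are reserved documentation names).
SPF_GOOD = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"
SPF_BAD = "v=spf1 " + " ".join(f"include:spf{i}.example.net" for i in range(11)) + " +all"
DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
DMARC_ENFORCE = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"

if __name__ == "__main__":
    for label, rec in (("SPF_GOOD", SPF_GOOD), ("SPF_BAD", SPF_BAD)):
        print(label, check_spf(rec))
    for label, rec in (("DMARC_MONITOR", DMARC_MONITOR), ("DMARC_ENFORCE", DMARC_ENFORCE)):
        print(label, check_dmarc(rec))
```

Run it against the TXT records your generator produced before you publish them; the p=none finding is expected during the monitoring phase and is the same gap the B+ row of the grade table describes.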
3. Add the six security headers
Each missing header costs you points. Adding all six headers to your web server or CDN configuration is usually a single config change. The lines below are the response headers to send; the directive syntax differs per server (add_header in nginx, Header always set in Apache), but the values are the same. Start with the easiest wins:
# Add to your web server config
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
Content-Security-Policy: default-src 'self'
Two caveats before you copy the block. Content-Security-Policy: default-src 'self' blocks inline scripts and styles and every third-party asset, so deploy it as Content-Security-Policy-Report-Only first and tighten it once the violation reports are clean. The HSTS preload directive requests inclusion in the browsers' built-in preload list, which is hard to reverse, and includeSubDomains applies the policy to every subdomain; make sure all of them serve HTTPS before adding either. For detailed instructions per platform, see our security headers guide.
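To see what a header check actually looks at, here is an added example (not Scanward's checker) that parses a raw HTTP response head and grades the six headers above. The pass/fail rules are my assumptions about what a sensible grader enforces: HSTS max-age of at least one year, no 'unsafe-inline' scripts unless a nonce or hash is present (in which case browsers ignore it anyway), only DENY or SAMEORIGIN for X-Frame-Options, nosniff, and no unsafe-url referrer policy. The two responses it runs on are constructed; HARDENED carries exactly the header values listed above.

```python
"""Grade the six security headers from a raw HTTP response head.

Added example, not Scanward's checker. Thresholds are assumptions; the
two responses at the bottom are constructed.
"""
import re

ONE_YEAR = 31536000  # seconds; also the minimum max-age the HSTS preload list accepts


def parse_head(raw: str) -> dict:
    """Turn 'HTTP/1.1 200 OK\\r\\nName: value\\r\\n...' into {lowercase-name: value}."""
    headers = {}
    for line in raw.split("\r\n")[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def check_hsts(value: str):
    m = re.search(r"max-age=(\d+)", value, re.I)
    if not m:
        return "max-age directive missing"
    if int(m.group(1)) < ONE_YEAR:
        return f"max-age={m.group(1)} is under one year"
    return None


def check_csp(value: str):
    directives = {}
    for d in value.split(";"):
        parts = d.strip().split()
        if parts:
            directives[parts[0].lower()] = [p.lower() for p in parts[1:]]
    # script-src falls back to default-src when absent
    script = directives.get("script-src", directives.get("default-src"))
    if script is None:
        return "neither script-src nor default-src is set"
    if "*" in script:
        return "scripts may load from any origin"
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in script)
    if "'unsafe-inline'" in script and not has_nonce_or_hash:
        return "'unsafe-inline' with no nonce or hash leaves XSS unmitigated"
    return None


def check_xfo(value: str):
    return None if value.upper() in ("DENY", "SAMEORIGIN") else f"{value!r} is not DENY or SAMEORIGIN"


CHECKS = {
    "strict-transport-security": check_hsts,
    "content-security-policy": check_csp,
    "x-frame-options": check_xfo,
    "x-content-type-options": lambda v: None if v.lower() == "nosniff" else "must be nosniff",
    "referrer-policy": lambda v: "unsafe-url leaks full URLs cross-origin" if v.lower() == "unsafe-url" else None,
    "permissions-policy": lambda v: None if v.strip() else "empty policy",
}


def grade_headers(raw_response: str) -> dict:
    """Return how many of the six headers pass and why each failing one fails."""
    headers = parse_head(raw_response)
    issues = {}
    for name, check in CHECKS.items():
        if name not in headers:
            issues[name] = "missing"
        else:
            problem = check(headers[name])
            if problem:
                issues[name] = problem
    return {"passed": len(CHECKS) - len(issues), "total": len(CHECKS), "issues": issues}


# Constructed responses: a typical first-scan result and one carrying the six headers.
WEAK = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "X-Frame-Options: ALLOW-FROM https://partner.example\r\n"
    "Content-Security-Policy: default-src 'self' 'unsafe-inline'\r\n"
    "\r\n"
)
HARDENED = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Permissions-Policy: camera=(), microphone=(), geolocation=()\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "\r\n"
)

if __name__ == "__main__":
    print("WEAK    ", grade_headers(WEAK))
    print("HARDENED", grade_headers(HARDENED))
```

Feed it the output of curl -sI https://yourdomain.example (CRLF line endings are what curl prints) to check a live site; note that a header present on the home page but dropped by a CDN on other paths still leaves those paths exposed.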
4. Enable DNSSEC
DNSSEC lets validating resolvers detect forged DNS answers (cache poisoning); it signs your records, it does not encrypt queries. Most registrars offer one-click activation when they also host your DNS; if the zone is hosted elsewhere, you publish the DS record for your signing key at the registrar yourself. Get that step right: a DS record that does not match the zone's keys, or signatures left to expire, makes the domain unresolvable for every validating resolver, which is worse than having no DNSSEC at all. Verify with dig +dnssec yourdomain.example A against a validating resolver and look for the ad flag in the answer. This is a quick win that boosts your DNS score. See our DNSSEC guide for how to enable it.
5. Clean up redirect chains
If your domain has multiple redirects (e.g., http:// to http://www. to https://www.), consolidate them into a single redirect: send every http:// request, with or without www, straight to the final https://www. URL in one hop, and let HSTS take care of repeat visitors. Each unnecessary hop reduces your uptime score and adds latency, and a hop that lands on another http:// URL before reaching https:// is one more plaintext request an on-path attacker can tamper with.
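The redirect-chain measurement from the uptime check and the clean-up in this step, as an added example that is not Scanward's probe: follow() walks one hop at a time, resolves relative Location values, and flags chains longer than one hop, https-to-http downgrades, loops, and a final error status. It takes the fetch function as a parameter so it can run offline against the constructed site table below; live_fetch() is the real network version and is only used when you pass a URL on the command line. MAX_HOPS and the user-agent string are assumptions.

```python
"""Walk a redirect chain hop by hop and flag what costs uptime points.

Added example, not Scanward's probe. follow() takes a fetch callback so it
runs offline against CONSTRUCTED_SITE; live_fetch() needs network access.
"""
import http.client
from typing import Callable, Optional, Tuple
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
MAX_HOPS = 10  # assumption: give up after this many redirects

Fetch = Callable[[str], Tuple[int, Optional[str]]]


def live_fetch(url: str, timeout: float = 5.0) -> Tuple[int, Optional[str]]:
    """One request without following redirects; returns (status, Location header)."""
    parts = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    try:
        conn.request("GET", path, headers={"User-Agent": "redirect-audit/1.0"})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def follow(start: str, fetch: Fetch, max_hops: int = MAX_HOPS) -> dict:
    """Follow redirects from start, recording every hop and any problem found."""
    url, status, hops, seen, problems = start, None, [], set(), []
    while True:
        if url in seen:
            problems.append(f"redirect loop back to {url}")
            break
        seen.add(url)
        status, location = fetch(url)
        if status not in REDIRECT_CODES or not location:
            break
        nxt = urljoin(url, location)  # Location is allowed to be relative
        if urlsplit(url).scheme == "https" and urlsplit(nxt).scheme == "http":
            problems.append(f"downgrade from https to http at {url}")
        hops.append((url, status, nxt))
        if len(hops) >= max_hops:
            problems.append(f"gave up after {max_hops} redirects")
            break
        url = nxt
    if len(hops) > 1:
        problems.append(f"{len(hops)} redirects; one hop straight to the final https URL is enough")
    if status is not None and status >= 400:
        problems.append(f"final response is HTTP {status}")
    return {"final_url": url, "status": status, "hops": hops, "problems": problems}


# Constructed responses: the three-host chain from the text, plus a loop.
CONSTRUCTED_SITE = {
    "http://example.com/": (301, "http://www.example.com/"),
    "http://www.example.com/": (301, "https://www.example.com/"),
    "https://www.example.com/": (200, None),
    "http://loop.example/": (302, "/"),
}


def fake_fetch(url: str) -> Tuple[int, Optional[str]]:
    """Offline stand-in for live_fetch using the constructed table."""
    return CONSTRUCTED_SITE.get(url, (404, None))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(follow(sys.argv[1], live_fetch))  # e.g. python redirects.py http://example.com/
    else:
        for start in ("http://example.com/", "http://loop.example/"):
            print(follow(start, fake_fetch))
```

After consolidating, the fixed site should report exactly one hop for http://example.com/ and none for the https://www. URL; if the single hop still lands on an http:// host, the consolidation went to the wrong target.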
Why Your Grade Changes Over Time
A website security grade is not static. Your grade can drop without anyone making intentional changes:
- SSL certificates expire. Let's Encrypt certificates last 90 days; publicly trusted certificates from commercial CAs are capped at 398 days, so they still need renewing every year. One missed renewal and your grade drops to D or F.
- Deployments overwrite headers. A routine server update can silently remove security headers from your configuration.
- DNS records drift. Team members add, modify, or delete records. A removed MX record breaks email. A new CNAME without a backing service creates a subdomain takeover risk.
- Email provider changes. If your email provider changes the IP ranges or the include: hostname it asks you to reference, mail you send starts failing SPF; adding a second provider's include: can also push the record past the 10 DNS-lookup limit, at which point receivers treat the whole record as a permanent error.
This is why one-time scans are not enough. Continuous monitoring catches grade drops the moment they happen, not weeks later when a customer or attacker notices.
Continuous Monitoring for Consistent Grades
Scanward monitors your website security grade automatically. The free tier scans one domain every 24 hours. If your grade drops, you get an email alert immediately -- whether it is an expiring certificate, a missing header, or a broken DNS record.
For teams managing multiple domains, the Pro plan ($29/mo) covers 10 domains with 12-hour scans, and the Agency plan ($79/mo) covers 50 domains with 6-hour scans. Both include branded PDF reports you can share with clients, management, or auditors as proof of your security posture.
Your website security grade is a living metric. The organizations that maintain an A are not the ones with the best initial setup -- they are the ones that watch their grade continuously and fix issues before they become problems.
Start monitoring your website security grade
Get continuous A-F security grading with automatic alerts when your grade drops. Free for your first domain.
Start Monitoring Free →