
Security Score: a beginner's guide

Composite security score from 8 weighted factors

EdgeDNS Team · 11 min read

The single website security grade (and what goes into it)

A website security grade is a single composite number (or A-to-F letter) that summarizes everything an automated audit found about a website's security posture. The point is to give non-technical stakeholders something they can read in two seconds. "Our security grade is a B+, up from a C- last quarter" is a sentence that lands in a board meeting in a way that "our HSTS max-age is 63072000 seconds with `includeSubDomains` enabled" never will.

You should care because website security is a uniquely jargon-heavy area of IT, and that jargon is the main reason it gets neglected. A founder, a CMO, or a board member doesn't need to know the difference between TLS 1.2 and TLS 1.3 — they need to know whether website security is a problem worth investing in this quarter. A single letter grade, computed transparently from a defined methodology, is the bridge between the technical detail and the strategic decision.

The seven categories every website security grade rolls up:

  • TLS configuration — protocol versions supported, cipher suites, certificate strength, OCSP stapling, CT log presence.

  • Certificate hygiene — is the cert valid, is the chain complete, is it from a trusted CA, when does it expire?

  • HTTP security headers — CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy.

  • HSTS preload — is the domain on the HSTS preload list, which provides the strongest possible HTTPS enforcement?

  • DNSSEC — is the underlying DNS protected against forgery?

  • CAA records — has the domain restricted which CAs can issue certificates for it?

  • Known issues — is the site running any software with publicly known vulnerabilities?

Each category is weighted (TLS and certificate hygiene carry the most weight; CAA and HSTS preload are bonuses) and the weighted average becomes the overall grade.

Three questions a single security grade answers:

  • At a glance, is our website security health getting better or worse over time?

  • Which of the categories is dragging us down the most?

  • Is the work the security team has been doing actually moving the needle?

The cost of not having a single grade is the slow accumulation of detailed reports that nobody on the leadership team actually reads. The fix is to roll up the existing detail into one number and one letter, computed the same way every time, and tracked on a recurring schedule. This is the difference between security being a black box and security being a measurable, accountable line item in the IT budget.

The Security Score endpoint, in plain language

In one sentence: Composite security score from 8 weighted factors

Calculates a composite website security score (0-100) from 8 weighted components: TLS (Transport Layer Security) configuration (25%), security headers (20%), DNSSEC (Domain Name System Security Extensions) validation (10%), HTTPS (secure HyperText Transfer Protocol) enforcement (10%), cookie security (10%), Content Security Policy (10%), certificate chain validity (10%), and WAF detection (5%). Returns a letter grade (A+ to F), detailed component breakdown with individual scores, critical issues list, and prioritized remediation recommendations. Methodology inspired by Mozilla Observatory and the OWASP Secure Headers Project scoring approaches.

Don't worry if some of the words above are still unfamiliar — there's a plain-language glossary at the bottom of this page, and most of the terms link to their own beginner guides if you want to learn more.

What is actually happening when you call it

Here's what's actually happening behind the scenes when you call this endpoint:

Performs parallel analysis of 8 security dimensions against the target domain over HTTPS (secure HyperText Transfer Protocol):

  • TLS (Transport Layer Security) scoring (max 25 pts) evaluates protocol version — TLS 1.3 earns 15 pts, TLS 1.2 earns 10 pts — plus cipher strength grade (max 10 pts).

  • Security headers scoring (max 20 pts) checks for HSTS (HTTP Strict Transport Security), X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, Content-Security-Policy, Cross-Origin-Opener-Policy (COOP), and Cross-Origin-Resource-Policy (CORP) per the OWASP Secure Headers Project checklist.

  • DNSSEC (Domain Name System Security Extensions) scoring (10 pts) checks DNSSEC key presence via DoH (DNS over HTTPS).

  • HTTPS enforcement (max 10 pts) awards 7 pts for an HTTP-to-HTTPS redirect plus 3 pts for HSTS preload eligibility (max-age ≥ 1 year + includeSubDomains + preload directive).

  • Cookie security (max 10 pts) checks the Secure flag (4 pts), HttpOnly (3 pts), and the SameSite attribute (3 pts).

  • CSP (Content Security Policy) scoring (max 10 pts) awards 5 pts for CSP presence, 3 pts for no unsafe-inline, and 2 pts for no unsafe-eval.

  • Certificate chain scoring (max 10 pts) validates chain integrity (5 pts) and expiry buffer — full 5 pts for 60+ days remaining, scaled down for shorter windows.

  • WAF detection (5 pts) identifies web application firewall signatures.
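To make the point system above concrete, here is an added Python example (not EdgeDNS code) that scores the four components the page fully specifies, HTTPS enforcement, cookie security, CSP and certificate chain, directly from raw header values, and maps a composite total to the letter bands listed in the response table further down. The one-year constant, the header parsing, and the linear scaling of the expiry buffer below 60 days are assumptions of this example, not details taken from the page.

```python
from typing import Optional

ONE_YEAR = 31_536_000  # seconds; assumed value of the page's "max-age >= 1 year" threshold

def hsts_preload_eligible(hsts: Optional[str]) -> bool:
    """True when the HSTS header carries max-age >= 1 year, includeSubDomains and preload."""
    if not hsts:
        return False
    directives = {}
    for part in hsts.split(";"):
        name, _, value = part.strip().partition("=")
        directives[name.lower()] = value.strip().strip('"')
    try:
        max_age = int(directives.get("max-age", "0"))
    except ValueError:  # a malformed max-age never qualifies
        return False
    return max_age >= ONE_YEAR and "includesubdomains" in directives and "preload" in directives

def https_points(redirects_to_https: bool, hsts: Optional[str]) -> int:
    """HTTPS enforcement: 7 pts for the HTTP-to-HTTPS redirect, 3 pts for preload eligibility."""
    return (7 if redirects_to_https else 0) + (3 if hsts_preload_eligible(hsts) else 0)

def cookie_points(set_cookie: str) -> int:
    """Cookie security: Secure 4 pts, HttpOnly 3 pts, SameSite 3 pts (attribute names are case-insensitive)."""
    attrs = {a.strip().partition("=")[0].lower() for a in set_cookie.split(";")[1:]}
    return (4 if "secure" in attrs else 0) + (3 if "httponly" in attrs else 0) + (3 if "samesite" in attrs else 0)

def csp_points(csp: Optional[str]) -> int:
    """CSP quality: 5 pts for presence, 3 pts without 'unsafe-inline', 2 pts without 'unsafe-eval'."""
    if not csp:
        return 0
    low = csp.lower()  # CSP keywords only take effect when quoted, so match the quoted form
    return 5 + (3 if "'unsafe-inline'" not in low else 0) + (2 if "'unsafe-eval'" not in low else 0)

def cert_chain_points(chain_valid: bool, days_remaining: int) -> float:
    """Certificate chain: 5 pts for an intact chain, 5 pts for >= 60 days of expiry buffer.
    Below 60 days the buffer points scale linearly (the exact scaling is an assumption)."""
    buffer_pts = 5 * min(max(days_remaining, 0), 60) / 60
    return (5 if chain_valid else 0) + buffer_pts

def letter_grade(score: float) -> str:
    """Map a 0-100 composite score to the grade bands from the response table."""
    for cutoff, grade in ((95, "A+"), (85, "A"), (70, "B"), (50, "C"), (30, "D")):
        if score >= cutoff:
            return grade
    return "F"
```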

If you're using an AI assistant through MCP, you don't need to understand any of the technical details — the assistant calls the tool and translates the result for you.

Why this specific tool matters

Let's skip the marketing fluff and answer the only question that actually matters: why should you, a real human with a real to-do list, care about the Security Score tool? Here's the plain-English version, written the way you'd hear it from a friend who happens to do this for a living.

A single composite security score simplifies posture communication across technical and non-technical stakeholders. SecurityScorecard research shows F-rated organizations are 13.8x more likely to experience breaches than A-rated ones. The weighted component breakdown pinpoints exactly which areas drag down the overall score, enabling targeted remediation prioritized by impact. Essential for vendor risk evaluation, compliance reporting (NIST CSF 2.0, CIS Benchmarks, PCI DSS v4.0), M&A technical due diligence, and continuous security monitoring with regression detection.

Picture this in real life. Imagine a CISO / security manager. Here's the situation they're walking into: Generate security scores for all public-facing domains for board-level reporting. Track score trends across quarters to demonstrate security investment ROI. Mozilla Observatory reports fewer than 10% of websites score above a B — use this as an industry benchmark. Without the right tool, that person would be stuck copy-pasting between five browser tabs, reading documentation written for engineers, and crossing their fingers that the answer they cobble together is correct. With the Security Score tool, the same person gets a clear answer in seconds — no spreadsheets, no guessing, no waiting for someone on the infrastructure team to free up.

Three questions this tool answers in plain English. If any of these have ever crossed your mind, the Security Score tool is built for you:

  • Is my website encrypted properly, or are visitors going to see a scary browser warning?

  • Am I missing any of the security headers that modern browsers expect?

  • Could a known weakness on my site quietly be costing me trust, traffic, or compliance?

You can either click the tool and get the answer yourself, or ask your AI assistant — connected through MCP (Model Context Protocol) — to ask the question for you and translate the answer into something you can paste into Slack.

Who gets the most out of this. Founders and freelancers running their own sites, agencies handing off projects to clients, security and compliance teams chasing audit findings, and developers hardening login pages. If you see yourself in that list, this is one of the EdgeDNS tools you should bookmark today.

What happens if you skip this entirely. Skip it and visitors get browser warnings, search engines lose trust in your site, and a single missed setting can become a public security incident. That's why running this check — even once a month — is one of the cheapest forms of insurance you can give your domain.

Info:

Available on the pro plan. The technical details: `GET /v1/score/security`.

When would I actually use this?

If you're still on the fence about whether the Security Score tool belongs in your toolbox, this section is for you. Below you'll meet four real people — a CISO / security manager, a third-party risk analyst, a security operations / SRE, and a GRC analyst — facing four real situations where this tool turns a stressful afternoon into a five-minute task. Read whichever story sounds closest to your week.

Story 1: Security Posture Reporting

Imagine you're a CISO / security manager. Generate security scores for all public-facing domains for board-level reporting. Track score trends across quarters to demonstrate security investment ROI. Mozilla Observatory reports fewer than 10% of websites score above a B — use this as an industry benchmark.

Why it matters: Communicate security posture to non-technical stakeholders with a single auditable metric backed by 8 components.

Story 2: Vendor & Supply Chain Risk Assessment

Imagine you're a third-party risk analyst. Score vendor domains against minimum security thresholds (e.g., require grade B or above) before contract signing. Flag vendors missing critical headers like CSP (Content Security Policy) and HSTS (HTTP Strict Transport Security) that indicate weak security hygiene.

Why it matters: Data-driven vendor risk decisions — identify vendors with weak external security that could impact your supply chain.

Story 3: Continuous Security Monitoring

Imagine you're a security operations / SRE. Integrate security score checks into automated deployment workflows and monitoring dashboards. Set alerts for score drops that indicate configuration drift, expired certificates, or security headers removed after deployments.

Why it matters: Catch security regressions within hours of deployment instead of waiting for the next quarterly audit cycle.

Story 4: Compliance Evidence Collection

Imagine you're a GRC analyst. Map security score component breakdowns to specific compliance control requirements — TLS (Transport Layer Security) and certificate chain scores map to encryption controls, CSP (Content Security Policy) and header scores map to application security controls. Use as automated evidence for NIST CSF, CIS Benchmark, PCI DSS, and SOC 2 (Service Organization Control 2) audits.

Why it matters: Automated, repeatable compliance evidence that reduces audit preparation time and demonstrates continuous monitoring.

Common situations across teams. Beyond the four stories above, here are the everyday workplace moments when people across the company reach for the Security Score tool — or one of the tools right next to it in this category. If any of these are on your calendar this month, that's your sign:

  • After every site redesign or platform migration.

  • Before a penetration test, security review, or vendor questionnaire.

  • When your SSL certificate is about to expire and you want to confirm the renewal worked.

  • On a recurring monthly schedule, so you catch new issues before attackers do.

If you can see yourself in even one of those bullets, the Security Score tool will pay for itself the first time you use it.

Still not sure? Here's the easiest test in the world. Open Claude, ChatGPT, Gemini, or any other AI assistant connected to the EdgeDNS MCP server and ask, in your own words: "Is the Security Score tool useful for my job?" The assistant will look at the tool, ask you a couple of follow-up questions about what you're trying to accomplish, and give you a straight answer in plain English. No commitment, no signup forms, no jargon.

The easiest way: just ask your AI assistant

If you've connected the EdgeDNS MCP server to Claude, ChatGPT, Gemini, Cursor, or any other AI assistant, you don't need to write any code. Just ask in plain English:

"Use the Security Score tool to check cloudflare.com and explain anything that looks wrong in plain language."

The AI will figure out which tool to call, fill in the right parameters, run it, and then explain the result back to you. No copy-pasting between tabs. No reading raw JSON. No memorizing endpoint names.

Tip:

MCP (Model Context Protocol) access is free on every plan, including the free tier. One API key works for both REST and AI — you do not have to choose.

The technical way: call it from code

If you're a developer and want to call the endpoint from a script or your own application, here's the simplest possible example. Replace the placeholder API key with the real one from your dashboard.

```bash
# Replace edns_live_YOUR_KEY with your real API key from the dashboard
curl -H "Authorization: Bearer edns_live_YOUR_KEY" \
  "https://api.edgedns.dev/v1/score/security?domain=cloudflare.com"
```

What you need to provide

There's just one piece of information you need to provide. The table below explains exactly what it is and what a real value looks like.

| Field | Type | Required? | What it means | Example |
| --- | --- | --- | --- | --- |
| domain | string | Yes | The domain to calculate a security score for. Analysis is performed over HTTPS (secure HyperText Transfer Protocol). | cloudflare.com |

What you get back

When you call this tool, you'll get back a JSON object with the fields below. If you're talking to it through an AI assistant, the assistant reads these for you and explains them in plain language — you don't need to memorize them.

| Field | Type | What you'll see in it |
| --- | --- | --- |
| domain | string | The scored domain |
| score | number | Composite security score 0-100 (weighted sum of 8 components) |
| grade | string | Letter grade: A+ (95-100), A (85-94), B (70-84), C (50-69), D (30-49), F (0-29) |
| breakdown | object | Component scores with score, max, and details fields for each of the 8 factors |
| breakdown.tls | object | TLS (Transport Layer Security) version and cipher strength (max 25 pts) |
| breakdown.headers | object | OWASP security headers presence (max 20 pts) |
| breakdown.dnssec | object | DNSSEC (Domain Name System Security Extensions) presence check via DNSKEY (DNS public key record) (max 10 pts) |
| breakdown.https | object | HTTPS (secure HyperText Transfer Protocol) redirect and HSTS (HTTP Strict Transport Security) preload (max 10 pts) |
| breakdown.cookies | object | Secure, HttpOnly, SameSite flags (max 10 pts) |
| breakdown.csp | object | Content Security Policy quality (max 10 pts) |
| breakdown.certChain | object | Certificate validity and expiry buffer (max 10 pts) |
| breakdown.waf | object | Web Application Firewall detection (max 5 pts) |
| gradeDescription | string | Human-readable description of the letter grade |
| componentCount | number | Number of security components evaluated |
| recommendations | array | Prioritized improvement actions ranked by score impact |

Words you might be wondering about

If any words on this page felt like jargon, here's a plain-language version. Click any linked term to read a full beginner-friendly guide.

HTTP (HyperText Transfer Protocol) — The language web browsers and websites use to talk to each other.

HTTPS (secure HyperText Transfer Protocol) — HTTP with encryption — the little padlock in your browser. It means nobody between you and the website can read what you're sending.

TLS (Transport Layer Security) — The encryption that puts the 'S' in HTTPS. It scrambles data so nobody between you and a website can read it.

DNSSEC (Domain Name System Security Extensions) — A way to digitally sign DNS records so attackers can't trick your computer into looking up the wrong server.

DoH (DNS over HTTPS) — A modern way of sending DNS queries that hides them inside encrypted HTTPS traffic, so people on the same network can't see which websites you're looking up.

CSP (Content Security Policy) — A list, sent in a page header, of where the page is allowed to load images, scripts, and other resources from. Stops a lot of common attacks.

HSTS (HTTP Strict Transport Security) — A header that tells browsers "always use HTTPS for this site, never plain HTTP, even if the user types it." Prevents downgrade attacks.

SOC 2 (Service Organization Control 2) — A widely used security audit. Proves to customers that you handle their data responsibly.
