Back to Home

MDN HTTP Observatory

Our 130/100 A+ Rating – What does it mean and how did we get it?

MDN HTTP Observatory 130/100 A+

1. The MDN HTTP Observatory – what is it and why does it matter?

The Mozilla HTTP Observatory – now available as part of MDN Web Docs (developer.mozilla.org) – is one of the most recognized open-source web security analyzers in the industry. Launched by Mozilla in 2016, it has since performed nearly 47 million scans on over 6.9 million unique websites. After a complete rewrite and revamp in July 2024, the tool was relaunched as an integral part of the MDN platform.

The primary goal of the Observatory is to provide developers, system administrators, and security professionals with objective, quantified feedback on how well a website is prepared to utilize modern browser security mechanisms. The focus is not on finding software vulnerabilities (SQL injection, XSS exploits), but on the correct and comprehensive configuration of the HTTP-level defense layer – the security headers.

2. What does the Observatory test?

The tool evaluates the website across ten well-defined test categories. Every test is performed by analyzing the server's HTTP response headers, cookie handling, and redirection behavior – it requires no login or code access, and does not attempt any active penetration testing. Below are the ten test categories and the security risks they address:

Content Security Policy (CSP)
CSP is one of the most important – and most complex to configure correctly – defense mechanisms. It dictates where the browser is allowed to load resources from (scripts, stylesheets, images, fonts, etc.). A properly configured, strict CSP effectively mitigates the majority of cross-site scripting (XSS) attacks, prevents data theft, and blocks unauthorized code execution. The Observatory analyzes CSP directives in detail: it penalizes for 'unsafe-inline' and 'unsafe-eval' instructions, and rewards a 'default-src: none' based configuration grounded in the principle of least privilege.

HTTP Strict Transport Security (HSTS)
The HSTS header instructs the browser to communicate with the given domain exclusively over HTTPS in the future – for a specified period starting from the first visit. This prevents protocol downgrade and man-in-the-middle attacks. The Observatory checks the max-age value (a minimum of 6 months is expected), the presence of the includeSubDomains directive, and whether the domain is included in the browsers' built-in HSTS preload list.

HTTP→HTTPS Redirection
The Observatory checks if the website properly redirects incoming HTTP requests to HTTPS – on the same host, before any other redirection occurs. This is critical because the browser can only apply the HSTS header from the moment of the first connection if this is done correctly.

Referrer-Policy
This header controls what information the browser sends in the Referer header when a user navigates to another site or loads a resource. With the correct setting, you can prevent sensitive URL parameters, session identifiers, or internal paths from leaking to third parties.

Subresource Integrity (SRI)
SRI allows the browser to verify via a cryptographic hash whether the content of files loaded from external sources (e.g., CDNs) exactly matches the expected content. If the file is modified by someone (either by compromising the CDN or via a man-in-the-middle attack), the browser refuses to load it. The Observatory checks if external scripts have a valid integrity attribute.

X-Frame-Options / CSP frame-ancestors
This mechanism prevents clickjacking attacks by specifying whether the page can be loaded inside an iframe on other sites. The Observatory accepts both the older X-Frame-Options header and the modern CSP frame-ancestors directive – scoring the latter higher.

Cookies
The Observatory examines the security attributes of cookies sent by the server. The Secure flag ensures the cookie is only transmitted over an HTTPS connection. The HttpOnly flag prevents JavaScript from accessing the cookie (protecting against XSS-based session hijacking). The SameSite flag provides protection against cross-site request forgery (CSRF).

Cross-Origin Resource Sharing (CORS)
CORS headers control whether other origins (domains) can access the site's resources via JavaScript. A wildcard (*) Access-Control-Allow-Origin setting incurs a severe point deduction, as it essentially allows any site to read the data.

X-Content-Type-Options
This header, when set to the 'nosniff' value, prevents the browser from attempting MIME-type sniffing: it processes the resource exactly as the type declared by the server. This prevents MIME-sniffing-based XSS attacks.

X-XSS-Protection (legacy)
This header controls the built-in XSS filter of older browsers. In modern browsers, it is no longer relevant (OWASP specifically recommends disabling it), so the Observatory currently does not award points for this test – but neither does it deduct points if set to the correct value.

3. The scoring system – how does it work?

The Observatory's scoring methodology is a two-step process and is quite strict. Every site starts with a baseline of 100 points, and then deductions and bonus points are applied based on the test results.

In the first round, penalty points are deducted from the base score. In the second round – and this is a crucial condition – bonus points are only added if the site achieved at least 90 points after the first round. This means that bonuses are exclusively attainable by those who have already implemented all mandatory elements at a high level.

According to the currently valid, official MDN documentation, the maximum achievable score is 145. For an A+ grade, a score of 100 or above must be achieved. The minimum score is 0, but there is no upper limit.

Score Grade Rating
100+A+Excellent – passed all tests, with bonus points
90–99AExcellent – passed all mandatory tests
85–89A−Very good
80–84B+Good
70–79BAdequate
65–69B−Acceptable
60–64C+Poor
50–59CPoor
45–49C−Very poor
40–44D+Critical vulnerabilities
30–39DCritical vulnerabilities
25–29D−Critical vulnerabilities
0–24FFailed – basic security elements missing

The following table summarizes the most important modifiers available in each test category:

Test category Best case / Modifier Worst case / Modifier
Content Security Policy (CSP)default-src 'none', strict config: +10Not implemented: −25
HTTP Strict Transport Security (HSTS)On HSTS preload list: +5Not implemented: −20
HTTP→HTTPS RedirectionCorrect redirection: 0 (expected)Fails to redirect to HTTPS: −20
Referrer-Policyno-referrer / strict-origin: +5Unsafe values: −5
Subresource Integrity (SRI)All scripts with SRI: +5External script without HTTPS: −50
X-Frame-Options / frame-ancestorsCSP frame-ancestors directive: +5Not implemented: −20
CookiesSecure + HttpOnly + SameSite: +5Session cookie without Secure flag: −40
Cross-Origin Resource Sharing (CORS)Restricted or not implemented: 0Public access (wildcard): −50
X-Content-Type-Optionsnosniff set: 0 (expected)Not implemented: −5

4. How do websites generally perform?

Data from the Mozilla Observatory – and closely related research – clearly show that the vast majority of websites perform extremely poorly on this test.

The most comprehensive, recent research data is available from the AppSec Santa study published in February 2026, analyzing 10,000 websites, and the Kishnani & Das study published in 2024 (3,195 websites, based on 2023 measurements). The most important findings:

Important context: the Observatory does not perform penetration testing, but measures configuration quality. Because of this, it forms a very clear hierarchy among sites in the areas it examines – the A+ category reflects genuine professional achievement, not merely the avoidance of shortcomings.

5. What does our 130/100 A+ rating mean?

Our site has a score of 130/100, which falls into the highest range of the A+ grade. This result is made possible by the following combination:

Specifically, this assumes the following implementation levels:

A score of 130 – placed in context – means that our site belongs to the top few percent of websites ever tested, far exceeding the average of even the most well-known, best-maintained sites. Based on past Observatory leaderboard data, the proportion of sites achieving an A+ grade was merely a fraction among the tested sites; a score of 130+ represents the most outstanding category even within this narrow circle.

6. The limitations of the Observatory – what the test does not measure

For the sake of objectivity, it is important to emphasize that the Observatory exclusively evaluates HTTP header-level configuration. The following security aspects are not included in the test, and every website operator bears independent responsibility for them:

The Observatory result is therefore an important, but not exclusive, pillar of comprehensive web security. In our case, the combined excellent results of SSL Labs, Internet.nl, and the Mozilla Observatory provide a complete picture of the hosting infrastructure and the website's technical security quality.

7. Summary

The Mozilla / MDN HTTP Observatory is one of the industry's most reliable, comprehensive, and recognized HTTP security measurement tools. It is not driven by promotional, paid, or commercial interests – Mozilla and MDN maintain it with an open-source, transparent methodology.

Our 130/100 A+ result certifies that our website's HTTP-level security configuration:

This result does not come about automatically: it is the result of conscious, detailed design decisions, careful implementation, and regular auditing. Security headers form a complex, interconnected system – particularly the correct configuration of Content Security Policy requires serious professional investment, and the final score of 130 accurately reflects exactly this investment.

Source: MDN HTTP Observatory – developer.mozilla.org/en-US/observatory
Scoring methodology: github.com/mozilla/http-observatory · Updated: 2024-02-27