MDN HTTP Observatory
Our 130/100 A+ Rating – What does it mean and how did we get it?
Table of Contents
- 1. The MDN HTTP Observatory – what is it and why does it matter?
- 2. What does the Observatory test?
- 3. The scoring system – how does it work?
- 4. How do websites generally perform?
- 5. What does our 130/100 A+ rating mean?
- 6. The limitations of the Observatory – what the test does not measure
- 7. Summary
1. The MDN HTTP Observatory – what is it and why does it matter?
The Mozilla HTTP Observatory – now available as part of MDN Web Docs (developer.mozilla.org) – is one of the most recognized open-source web security analyzers in the industry. Launched by Mozilla in 2016, it has since performed nearly 47 million scans on over 6.9 million unique websites. After a complete rewrite and revamp in July 2024, the tool was relaunched as an integral part of the MDN platform.
The primary goal of the Observatory is to provide developers, system administrators, and security professionals with objective, quantified feedback on how well a website is prepared to utilize modern browser security mechanisms. The focus is not on finding software vulnerabilities (SQL injection, XSS exploits), but on the correct and comprehensive configuration of the HTTP-level defense layer – the security headers.
2. What does the Observatory test?
The tool evaluates the website across ten well-defined test categories. Every test is performed by analyzing the server's HTTP response headers, cookie handling, and redirection behavior – it requires no login or code access, and does not attempt any active penetration testing. Below are the ten test categories and the security risks they address:
Content Security Policy (CSP)
CSP is one of the most important – and most complex to configure correctly – defense mechanisms. It dictates where the browser is allowed to load resources from (scripts, stylesheets, images, fonts, etc.). A properly configured, strict CSP effectively mitigates the majority of cross-site scripting (XSS) attacks, prevents data theft, and blocks unauthorized code execution. The Observatory analyzes CSP directives in detail: it penalizes for 'unsafe-inline' and 'unsafe-eval' instructions, and rewards a 'default-src: none' based configuration grounded in the principle of least privilege.
HTTP Strict Transport Security (HSTS)
The HSTS header instructs the browser to communicate with the given domain exclusively over HTTPS in the future – for a specified period starting from the first visit. This prevents protocol downgrade and man-in-the-middle attacks. The Observatory checks the max-age value (a minimum of 6 months is expected), the presence of the includeSubDomains directive, and whether the domain is included in the browsers' built-in HSTS preload list.
HTTP→HTTPS Redirection
The Observatory checks if the website properly redirects incoming HTTP requests to HTTPS – on the same host, before any other redirection occurs. This is critical because the browser can only apply the HSTS header from the moment of the first connection if this is done correctly.
Referrer-Policy
This header controls what information the browser sends in the Referer header when a user navigates to another site or loads a resource. With the correct setting, you can prevent sensitive URL parameters, session identifiers, or internal paths from leaking to third parties.
Subresource Integrity (SRI)
SRI allows the browser to verify via a cryptographic hash whether the content of files loaded from external sources (e.g., CDNs) exactly matches the expected content. If the file is modified by someone (either by compromising the CDN or via a man-in-the-middle attack), the browser refuses to load it. The Observatory checks if external scripts have a valid integrity attribute.
X-Frame-Options / CSP frame-ancestors
This mechanism prevents clickjacking attacks by specifying whether the page can be loaded inside an iframe on other sites. The Observatory accepts both the older X-Frame-Options header and the modern CSP frame-ancestors directive – scoring the latter higher.
Cookies
The Observatory examines the security attributes of cookies sent by the server. The Secure flag ensures the cookie is only transmitted over an HTTPS connection. The HttpOnly flag prevents JavaScript from accessing the cookie (protecting against XSS-based session hijacking). The SameSite flag provides protection against cross-site request forgery (CSRF).
Cross-Origin Resource Sharing (CORS)
CORS headers control whether other origins (domains) can access the site's resources via JavaScript. A wildcard (*) Access-Control-Allow-Origin setting incurs a severe point deduction, as it essentially allows any site to read the data.
X-Content-Type-Options
This header, when set to the 'nosniff' value, prevents the browser from attempting MIME-type sniffing: it processes the resource exactly as the type declared by the server. This prevents MIME-sniffing-based XSS attacks.
X-XSS-Protection (legacy)
This header controls the built-in XSS filter of older browsers. In modern browsers, it is no longer relevant (OWASP specifically recommends disabling it), so the Observatory currently does not award points for this test – but neither does it deduct points if set to the correct value.
3. The scoring system – how does it work?
The Observatory's scoring methodology is a two-step process and is quite strict. Every site starts with a baseline of 100 points, and then deductions and bonus points are applied based on the test results.
In the first round, penalty points are deducted from the base score. In the second round – and this is a crucial condition – bonus points are only added if the site achieved at least 90 points after the first round. This means that bonuses are exclusively attainable by those who have already implemented all mandatory elements at a high level.
According to the currently valid, official MDN documentation, the maximum achievable score is 145. For an A+ grade, a score of 100 or above must be achieved. The minimum score is 0, but there is no upper limit.
| Score | Grade | Rating |
|---|---|---|
| 100+ | A+ | Excellent – passed all tests, with bonus points |
| 90–99 | A | Excellent – passed all mandatory tests |
| 85–89 | A− | Very good |
| 80–84 | B+ | Good |
| 70–79 | B | Adequate |
| 65–69 | B− | Acceptable |
| 60–64 | C+ | Poor |
| 50–59 | C | Poor |
| 45–49 | C− | Very poor |
| 40–44 | D+ | Critical vulnerabilities |
| 30–39 | D | Critical vulnerabilities |
| 25–29 | D− | Critical vulnerabilities |
| 0–24 | F | Failed – basic security elements missing |
The following table summarizes the most important modifiers available in each test category:
| Test category | Best case / Modifier | Worst case / Modifier |
|---|---|---|
| Content Security Policy (CSP) | default-src 'none', strict config: +10 | Not implemented: −25 |
| HTTP Strict Transport Security (HSTS) | On HSTS preload list: +5 | Not implemented: −20 |
| HTTP→HTTPS Redirection | Correct redirection: 0 (expected) | Fails to redirect to HTTPS: −20 |
| Referrer-Policy | no-referrer / strict-origin: +5 | Unsafe values: −5 |
| Subresource Integrity (SRI) | All scripts with SRI: +5 | External script without HTTPS: −50 |
| X-Frame-Options / frame-ancestors | CSP frame-ancestors directive: +5 | Not implemented: −20 |
| Cookies | Secure + HttpOnly + SameSite: +5 | Session cookie without Secure flag: −40 |
| Cross-Origin Resource Sharing (CORS) | Restricted or not implemented: 0 | Public access (wildcard): −50 |
| X-Content-Type-Options | nosniff set: 0 (expected) | Not implemented: −5 |
4. How do websites generally perform?
Data from the Mozilla Observatory – and closely related research – clearly show that the vast majority of websites perform extremely poorly on this test.
The most comprehensive, recent research data is available from the AppSec Santa study published in February 2026, analyzing 10,000 websites, and the Kishnani & Das study published in 2024 (3,195 websites, based on 2023 measurements). The most important findings:
- The average Observatory score was 26.21 among the tested sites – which corresponds to a D grade.
- Nearly one-third (32.71%) of the tested sites scored zero points, meaning not a single security header was set.
- The proportion of sites achieving an A or A+ grade is exceptionally low: according to various scans, only a few percent of popular websites reach this level.
- Content Security Policy (CSP) – the most important header, whose absence alone means a −25 point deduction – is by far the least implemented security mechanism.
- According to an earlier Mozilla analysis examining the top one million most popular websites globally, 97.6% of the sites failed the Observatory test upon first measurement.
Important context: the Observatory does not perform penetration testing, but measures configuration quality. Because of this, it forms a very clear hierarchy among sites in the areas it examines – the A+ category reflects genuine professional achievement, not merely the avoidance of shortcomings.
5. What does our 130/100 A+ rating mean?
Our site has a score of 130/100, which falls into the highest range of the A+ grade. This result is made possible by the following combination:
- We passed all mandatory tests flawlessly, receiving zero penalty points in any category.
- By reaching the 90-point threshold, we became eligible for bonus points, and successfully obtained the majority of them.
- A score of 130 means that we earned 30 extra points in the bonus category – meaning we utilized the vast majority of all bonus opportunities.
Specifically, this assumes the following implementation levels:
- Content Security Policy – Strict CSP configuration: a 'default-src: none' based policy, the complete exclusion of 'unsafe-inline' and 'unsafe-eval', and the application of the CSP frame-ancestors directive instead of X-Frame-Options.
- HTTP Strict Transport Security – HSTS preload: a max-age value of at least six months, the includeSubDomains setting, and the domain being listed in the browsers' HSTS preload list.
- Referrer-Policy – set to a no-referrer, same-origin, or strict-origin value, in accordance with user privacy.
- Subresource Integrity – every external resource is verified with an SRI hash, or every resource is loaded from the same origin.
- Cookie Security – every cookie has the Secure and HttpOnly flags, and session cookies are also protected with the SameSite attribute.
A score of 130 – placed in context – means that our site belongs to the top few percent of websites ever tested, far exceeding the average of even the most well-known, best-maintained sites. Based on past Observatory leaderboard data, the proportion of sites achieving an A+ grade was merely a fraction among the tested sites; a score of 130+ represents the most outstanding category even within this narrow circle.
6. The limitations of the Observatory – what the test does not measure
For the sake of objectivity, it is important to emphasize that the Observatory exclusively evaluates HTTP header-level configuration. The following security aspects are not included in the test, and every website operator bears independent responsibility for them:
- Vulnerabilities in outdated software, frameworks, or dependencies
- SQL injection and other application-level vulnerabilities
- Quality of password and authentication policies
- The security level of the server's operating system and infrastructure
- Detailed evaluation of TLS configuration (the Qualys SSL Labs test is relevant for this, where we also achieved a double A+ result)
The Observatory result is therefore an important, but not exclusive, pillar of comprehensive web security. In our case, the combined excellent results of SSL Labs, Internet.nl, and the Mozilla Observatory provide a complete picture of the hosting infrastructure and the website's technical security quality.
7. Summary
The Mozilla / MDN HTTP Observatory is one of the industry's most reliable, comprehensive, and recognized HTTP security measurement tools. It is not driven by promotional, paid, or commercial interests – Mozilla and MDN maintain it with an open-source, transparent methodology.
Our 130/100 A+ result certifies that our website's HTTP-level security configuration:
- is flawless in implementing mandatory security mechanisms,
- acquires all available bonus points through the correct application of advanced defense solutions,
- far exceeds the average of tested websites in all evaluated categories,
- and protects our users at the highest achievable level in the areas measurable by the tool.
This result does not come about automatically: it is the result of conscious, detailed design decisions, careful implementation, and regular auditing. Security headers form a complex, interconnected system – particularly the correct configuration of Content Security Policy requires serious professional investment, and the final score of 130 accurately reflects exactly this investment.
Source: MDN HTTP Observatory – developer.mozilla.org/en-US/observatory
Scoring methodology: github.com/mozilla/http-observatory · Updated: 2024-02-27