methodology / Security & Infrastructure / #4

Security headers (HSTS, CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy, X-Content-Type-Options)

#4 · Recommended · Web Quality · weighted · Security & Infrastructure · weight 5.3% · impl implemented · method v1.2.0

Web Quality factor

This factor is part of Web Quality — the weighted 0..100 score that sits above Web Standards. Its weight depends on what kind of site is being measured. Web Standards items take priority; this factor only enters the score once Web Standards passes.

Base weight: 1.0 applied to every site type unless overridden below
Why this weight: Security headers (HSTS, CSP, XFO) are how a site protects its own users from clickjacking, MITM downgrade, and XSS. Lower for personal/blog because most managed platforms can't set them.

Per-site-type overrides

Site type	Weight	Δ vs base
Blog	0.5	-0.5
Personal site	0.4	-0.6

Site types not listed inherit the base weight.

Same factor, two depths.

What we measure

Modern browsers honor a small set of HTTP headers that protect your visitors from clickjacking, script injection, and content-sniffing attacks. Most modern sites set them. If you don't, browsers fall back to weaker defaults.

How to improve your score

Set the headers via your web server config or CDN. Goal headers: - `Strict-Transport-Security: max-age=31536000; includeSubDomains; preload` - `Content-Security-Policy: default-src 'self'` (tighten as needed) - `X-Frame-Options: SAMEORIGIN` - `Referrer-Policy: strict-origin-when-cross-origin` - `Permissions-Policy: ...` - `X-Content-Type-Options: nosniff`

Facts

Ticket

WEBQ-4

When this applies

This platform doesn't allow site owners to set custom HTTP response headers, so security-headers grading isn't fair.

Marked n/a when the detected platform doesn't support canSetCustomHeaders (e.g., Squarespace and Wix can't set custom HTTP headers, so factor #4 becomes n/a there).

Scoring

Scoring formulas are versioned with the methodology. The current method (v1.2.0) maps raw measurements to pass, warn, fail. Factor weights determine how much each contributes to the composite — see the methodology index for the full table.

Cited by these standards

Standards in the Standards Library whose satisfiedBy requirement tree references this factor. Each link goes to the standard's full entry — methodology, scope, and the other factors it relies on.

Content Security Policy Level 3 Security global The deployable CSP today. script-src, object-src, and base-uri are the three controls that actually stop XSS — the rest is optional.
Cross-Origin isolation (COOP / COEP / CORP) Security global Three response headers that together unlock SharedArrayBuffer and high-resolution timers — and incidentally close a class of cross-origin side-channel leaks.
HTTP Strict Transport Security Security global One header tells every future visitor 'always HTTPS, never HTTP, no exceptions'. Should ship everywhere; preload only after you're sure.
ISO/IEC 27001:2022 Security global International gold standard for an Information Security Management System. The 2022 revision restructures the Annex A controls to align with ISO 27002:2022.
Modern HTTP security headers Security global HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy. The six headers every modern site should ship.
NIST Cybersecurity Framework 2.0 Security US Voluntary, US-government-blessed taxonomy for cybersecurity programs. The 2.0 revision (Feb 2024) added a 'Govern' function alongside the original Identify / Protect / Detect / Respond / Recover.
OWASP Top 10 (2025) Security global Industry consensus on the ten most critical web application security risks. The 2025 edition is current; 2021 is superseded but still widely referenced.
PCI DSS v4.0 Security global If you store, process, or transmit card data — directly or through an iframe — PCI DSS applies. v4.0 is mandatory; v3.2.1 retired in March 2024.
Permissions-Policy Security global Locks down browser features — camera, mic, geolocation, payment, FLoC — so a compromised script can't quietly turn them on. Replaces the older Feature-Policy header.
Referrer-Policy Security global Controls what URL data leaks to other sites in the Referer header. Modern browsers default to strict-origin-when-cross-origin — match that as a baseline.
security.txt Security global A plain-text file at /.well-known/security.txt that tells researchers where to send vulnerability reports. Costs nothing; saves an inbound bug from getting routed to /dev/null.
SOC 2 (Type I & Type II) Security global An auditor's report — not a checklist — covering Security, Availability, Processing Integrity, Confidentiality, and Privacy. Type II is the one enterprise buyers actually care about.
Subresource Integrity Security global Cryptographic hash on every CDN-loaded <script> and <link>. If the file changes, the browser refuses to load it. Cheap defence against supply-chain compromise.
X-Content-Type-Options: nosniff Security global Tells the browser to trust your declared Content-Type instead of guessing. Stops 'I uploaded a JPG that was actually JavaScript' attacks dead.
X-Frame-Options + frame-ancestors Security global Stops other sites from embedding yours in an iframe — the prerequisite for clickjacking. CSP frame-ancestors is the modern equivalent; ship both for safety.

Version history

Version	Change	Date
v1.2.0	Factor introduced. Status: live. Scoring impl: implemented.	2026-04-25

← back to methodology