Forward secrecy
#88 · Recommended · Web Quality · weighted · Security · impl todo
Source: Negotiated key exchange algorithm from the TLS handshake. TLS 1.3 detection auto-passes (forward secrecy is guaranteed by the protocol). For TLS 1.2, the keyExchange string from URL Scanner's Chrome DevTools securityDetails or our Container probe.
Web Quality factor
This factor is part of Web Quality — the weighted 0..100 score that sits above Web Standards. Its weight depends on what kind of site is being measured. Web Standards items take priority; this factor only enters the score once Web Standards passes.
- Base weight: 0.8, applied to every site type unless overridden below
- Why this weight: forward secrecy protects past traffic from future key compromise.
Per-site-type overrides
| Site type | Weight | Δ vs base |
|---|---|---|
| E-commerce | 1.0 | +0.2 |
| Personal site | 0.3 | -0.5 |
| Government | 1.1 | +0.3 |
Site types not listed inherit the base weight.
What this means for your business
If someone ever steals your server's master key, well-built encryption still protects every conversation that happened before the theft. Without it, an attacker who quietly recorded traffic for years can suddenly read all of it.
Plain title: Old recordings stay locked even if a key leaks
What we measure
Forward secrecy means that if your server's private key is ever compromised, past recorded TLS sessions can't be decrypted retroactively. It's mandatory in TLS 1.3 by protocol design. In TLS 1.2 it requires ECDHE or DHE key exchange — static-RSA key exchange does NOT provide forward secrecy and should be disabled. Cyber-liability underwriters increasingly flag servers without forward secrecy as elevated risk.
How to improve your score
If you're already on TLS 1.3 only, you're done — FS is mandatory. On TLS 1.2: disable static RSA cipher suites. Nginx: `ssl_ciphers EECDH+AESGCM:EDH+AESGCM:!aNULL:!eNULL:!kRSA;` (`!kRSA` removes the static-RSA key-exchange suites; `kRSA` is OpenSSL's key-exchange selector, whereas the bare `RSA` selector also matches RSA-authenticated ECDHE suites and `!RSA` would leave a server with an RSA certificate no usable suites). Apache: `SSLCipherSuite HIGH:!aNULL:!RC4:!MD5:!kRSA`. Verify with `nmap --script ssl-enum-ciphers -p 443 yourdomain.com` — every suite listed for TLS 1.2 should have ECDHE or DHE as its key exchange (nmap names them `TLS_ECDHE_...` or `TLS_DHE_...`).
Implementation notes
- pass=100: TLS 1.3 negotiated (FS mandatory), or ECDHE/DHE/X25519 keyExchange observed in TLS 1.2.
- warn=60: keyExchange unclassifiable.
- fail=0: static RSA keyExchange observed.
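The pass/warn/fail mapping above and the nmap verification step from "How to improve your score", as an added Python example (not the scanner's own implementation). It assumes TLS 1.2 keyExchange strings in the DevTools securityDetails style (e.g. `ECDHE_RSA`, `RSA`) and that nmap lists TLS 1.3 suites as `TLS_AKE_...`; the nmap output is constructed sample text.

```python
import re
from typing import List, Optional

PASS, WARN, FAIL = 100, 60, 0

# Ephemeral key-exchange families that provide forward secrecy.
FS_TOKENS = {"ECDHE", "DHE", "X25519", "X448"}

def score_key_exchange(tls_version: str, key_exchange: Optional[str]) -> int:
    """Map a negotiated protocol version plus keyExchange string to 100/60/0.
    TLS 1.3 passes unconditionally. For TLS 1.2 the string is assumed to look
    like DevTools securityDetails.keyExchange, e.g. "ECDHE_RSA" or "RSA"."""
    if tls_version.replace(" ", "").upper() in ("TLS1.3", "TLSV1.3"):
        return PASS
    tokens = set(re.split(r"[_\-\s]+", (key_exchange or "").upper())) - {""}
    if not tokens:
        return WARN  # nothing to classify
    if tokens & FS_TOKENS:
        return PASS  # ephemeral (EC)DH observed
    if tokens == {"RSA"}:
        return FAIL  # static RSA key exchange: no forward secrecy
    return WARN  # anything else (e.g. PSK) is unclassifiable under this factor

# Suite name -> key-exchange part between "TLS_" and "_WITH_".
SUITE_RE = re.compile(r"\bTLS_([A-Z0-9_]+?)_WITH_[A-Z0-9_]+")

def non_fs_suites(nmap_output: str) -> List[str]:
    """List suites in `nmap --script ssl-enum-ciphers` output whose key exchange
    is not ECDHE/DHE. TLS 1.3 suites (assumed shown as TLS_AKE_...) always have FS."""
    offenders = []
    for match in SUITE_RE.finditer(nmap_output):
        kx = match.group(1)
        if kx != "AKE" and not kx.startswith(("ECDHE", "DHE")):
            offenders.append(match.group(0))
    return offenders

# Constructed sample of ssl-enum-ciphers output, not a real scan.
SAMPLE_NMAP = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|   TLSv1.3:
|     ciphers:
|       TLS_AKE_WITH_AES_128_GCM_SHA256 (ecdh_x25519) - A
"""
```

Running `non_fs_suites(SAMPLE_NMAP)` on the sample flags only the static RSA suite, which is the one the cipher-string changes above are meant to remove.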
Scoring
Scoring formulas are versioned with the methodology. The current method maps raw measurements to pass, warn, fail. Factor weights determine how much each contributes to the composite — see the methodology index for the full table.
Cited by these standards
Standards in the Standards Library whose satisfiedBy requirement tree references this factor. Each link goes to the standard's full entry — methodology, scope, and the other factors it relies on.
Version history
| Version | Change | Date |
|---|---|---|
| v0.1 | Factor introduced. Status: proposed. Scoring impl: todo. | 2026-04-25 |