OCSP stapling
#91 · Recommended · Web Quality · weighted · Security · impl todo · Source: TLS handshake observation — the server's CertificateStatus message (TLS 1.2) or the status_request extension on the CertificateEntry (TLS 1.3). Bytes come from the Worker's direct handshake, or from the Container fallback.
Web Quality factor
This factor is part of Web Quality — the weighted 0..100 score that sits above Web Standards. Its weight depends on what kind of site is being measured. Web Standards items take priority; this factor only enters the score once Web Standards passes.
- Base weight: 0.6, applied to every site type unless overridden below
- Why this weight: OCSP stapling is a polish item; it improves connection time and privacy.
Per-site-type overrides
| Site type | Weight | Δ vs base |
|---|---|---|
| E-commerce | 0.8 | +0.2 |
| Personal site | 0.2 | -0.4 |
| Government | 0.9 | +0.3 |
Site types not listed inherit the base weight.
What this means for your business
A small efficiency: your server checks once that its certificate is still valid and shares the answer with every visitor, instead of each visitor's browser making its own trip across the internet to ask. The result is faster page loads and better privacy.
Plain title: Visitors connect faster on the first click
What we measure
OCSP stapling means your server pre-fetches a fresh "is this cert revoked?" response from your CA and sends it inline with the TLS handshake, instead of leaving every visitor's browser to query the CA on its own. Without stapling, the CA sees a record of every site visit (a privacy leak) and the visitor pays an extra network round-trip on first connection (a performance hit). Mainstream CAs all support stapling, and most modern web servers can do it with a one-line config.
How to improve your score
Enable OCSP stapling. Nginx: `ssl_stapling on; ssl_stapling_verify on; resolver 1.1.1.1 8.8.8.8 valid=300s;` in the server block; `ssl_stapling_verify` only works when the issuer chain is also configured with `ssl_trusted_certificate`. Apache: `SSLUseStapling On` and `SSLStaplingCache shmcb:/var/run/ocsp(128000)` (the cache directive belongs at global scope, outside any VirtualHost). Caddy: enabled by default, no config needed. On Cloudflare: enabled automatically for all proxied domains. After enabling, restart the server and verify with `openssl s_client -connect yourdomain.com:443 -servername yourdomain.com -status`: a stapling server prints `OCSP Response Status: successful`, while `OCSP response: no response sent` means nothing was stapled. Nginx fetches the response lazily, so repeat the check if the first handshake after a restart shows nothing.
Facts
Implementation notes
pass=100: the server stapled an OCSP response. fail=0: the server did not staple. (A warn=60 for "stapled but expired" is planned; it needs the OCSP response body parsed so thisUpdate freshness can be checked.)
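As an added illustration of the mapping above, and not the methodology's own implementation, the Go below parses a stapled response just far enough to apply pass/warn/fail, including the planned "stapled but expired" warn. It assumes the stapled bytes were captured from a Go client handshake (`tls.Conn.ConnectionState().OCSPResponse` holds the TLS 1.2 CertificateStatus body or the TLS 1.3 CertificateEntry extension) and, as this example's own choice, scores a stapled response it cannot parse as a warn rather than a fail.

```go
package main

import (
	"encoding/asn1"
	"time"
)
// RFC 6960 shapes, only as deep as the first SingleResponse's validity window. Nothing is
// signature-verified; trailing fields (certs, extensions) are left to asn1's tolerance of extra bytes.
type ocspResponse struct {
	Status   asn1.Enumerated // 0 = successful
	Response responseBytes   `asn1:"explicit,tag:0,optional"`
}
type responseBytes struct {
	ResponseType asn1.ObjectIdentifier // id-pkix-ocsp-basic
	Response     []byte                // DER BasicOCSPResponse
}
type basicResponse struct {
	TBS       responseData
	SigAlg    asn1.RawValue // AlgorithmIdentifier, kept raw
	Signature asn1.BitString
}
type responseData struct {
	Version     int           `asn1:"optional,default:0,explicit,tag:0"`
	ResponderID asn1.RawValue // CHOICE byName [1] / byKey [2], kept raw
	ProducedAt  time.Time     `asn1:"generalized"`
	Responses   []singleResponse
}
type singleResponse struct {
	CertID, CertStatus asn1.RawValue // status: [0] good, [1] revoked, [2] unknown
	ThisUpdate         time.Time     `asn1:"generalized"`
	NextUpdate         time.Time     `asn1:"generalized,explicit,tag:0,optional"`
}

// score maps the stapled bytes (tls.ConnectionState().OCSPResponse, empty if none) to 100/60/0.
func score(stapled []byte, now time.Time) (int, string) {
	if len(stapled) == 0 {
		return 0, "fail: no OCSP response stapled"
	}
	outer, basic := ocspResponse{}, basicResponse{}
	if rest, err := asn1.Unmarshal(stapled, &outer); err != nil || len(rest) != 0 || outer.Status != 0 {
		return 60, "warn: malformed or unsuccessful OCSPResponse" // scoring choice of this example
	}
	if _, err := asn1.Unmarshal(outer.Response.Response, &basic); err != nil || len(basic.TBS.Responses) == 0 {
		return 60, "warn: BasicOCSPResponse unparseable or empty" // likewise an assumption
	}
	if sr := basic.TBS.Responses[0]; now.Before(sr.ThisUpdate) || (!sr.NextUpdate.IsZero() && now.After(sr.NextUpdate)) {
		return 60, "warn: stapled response outside its thisUpdate..nextUpdate window"
	}
	return 100, "pass: fresh OCSP response stapled"
}
```

The freshness test treats a thisUpdate in the future the same way as a passed nextUpdate; a response with no nextUpdate is accepted on thisUpdate alone.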
Scoring
Scoring formulas are versioned with the methodology. The current method maps raw measurements to pass, warn, fail. Factor weights determine how much each contributes to the composite — see the methodology index for the full table.
Cited by these standards
Standards in the Standards Library whose satisfiedBy requirement tree references this factor. Each link goes to the standard's full entry — methodology, scope, and the other factors it relies on.
Version history
| Version | Change | Date |
|---|---|---|
| v0.1 | Factor introduced. Status: proposed. Scoring impl: todo. | 2026-04-25 |