OCSP Must-Staple
#96 · Variable · Web Quality · weighted · Security · impl todo · source Leaf certificate extension scan for OID 1.3.6.1.5.5.7.1.24, plus cross-check against the actual OCSP stapling status from the TLS handshake.
Web Quality factor
This factor is part of Web Quality — the weighted 0..100 score that sits above Web Standards. Its weight depends on what kind of site is being measured. Web Standards items take priority; this factor only enters the score once Web Standards passes.
No matrix row defined yet — this factor falls back to a neutral weight of 1.0 across every site type until the methodology is tuned.
What this means for your business
An advanced setting that tells browsers to refuse the connection if the freshness check on your certificate goes missing, instead of quietly accepting it. Rarely turned on — when it is, it's a clear sign someone competent runs the server.
Plain title: Strict mode for your padlock check
What we measure
The TLS Feature extension (RFC 7633, OID 1.3.6.1.5.5.7.1.24) lets a certificate explicitly assert "clients MUST refuse to connect if I'm not stapled." It closes a long-standing OCSP weakness: without Must-Staple, a network attacker can suppress OCSP responses and the browser silently accepts the connection ("soft-fail"). Adoption is low — most CAs don't issue with it by default — but presence is a strong "operator knows what they're doing" signal.
How to improve your score
Request Must-Staple from your CA at issuance time. Let's Encrypt: pass certbot the `--must-staple` flag (deprecation pending, check current docs). DigiCert and Sectigo: support via an API request flag or the order form. After issuance, you MUST also have OCSP stapling working end-to-end (see WEBQ-91), or your site goes down. Test thoroughly in staging before rolling to production. Most operators choose NOT to enable Must-Staple for this reason — it's a strict ratchet.
Facts
Implementation notes
- pass=100: Must-Staple extension present AND server actually staples.
- warn=60: Must-Staple present but server isn't stapling — your cert is asserting a constraint your server doesn't meet (broken).
- warn=30: Server staples without Must-Staple assertion (good but optional).
- fail=0: no Must-Staple AND no stapling (the soft-fail vulnerability is open).
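The two halves of this factor (the extension scan from "What we measure" and the bucket mapping above) as a worked example. This is added illustration code, not the methodology's own scanner: it uses a minimal DER TLV reader written for this page rather than a full X.509 parser, walks a certificate's Extensions SEQUENCE looking for OID 1.3.6.1.5.5.7.1.24 with the status_request (5) feature, and combines the result with an observed stapling flag. The extension bytes are constructed inline for the demo and do not come from a real certificate; in a real scan the Extensions SEQUENCE would be taken from the leaf certificate's TBSCertificate and the stapling flag from the TLS handshake.

```python
# Toy Must-Staple scanner + scoring (example code for this page, not the project's).
# Assumptions: definite-length DER only; sample extension bytes are constructed here.

STATUS_REQUEST = 5  # TLS feature id for status_request (RFC 7633)

TLS_FEATURE_OID = bytes.fromhex("2b06010505070118")  # 1.3.6.1.5.5.7.1.24
KEY_USAGE_OID = bytes.fromhex("551d0f")              # 2.5.29.15, filler only


def _read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, value, next_pos).
    Handles short- and long-form definite lengths, which covers X.509."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _iter_sequence(body):
    """Yield (tag, value) for each element directly inside a SEQUENCE body."""
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        yield tag, value


def tlv(tag, content):
    """Encode one DER TLV (short-form length is enough for the sample)."""
    if len(content) >= 128:
        raise ValueError("sample encoder only supports short-form lengths")
    return bytes([tag, len(content)]) + content


def must_staple_asserted(extensions_der):
    """True if the Extensions SEQUENCE carries TLS Feature listing status_request(5)."""
    tag, body, _ = _read_tlv(extensions_der, 0)
    if tag != 0x30:
        raise ValueError("extensions is not a SEQUENCE")
    for _ext_tag, ext in _iter_sequence(body):
        fields = list(_iter_sequence(ext))        # extnID, [critical], extnValue
        oid_tag, oid = fields[0]
        if oid_tag != 0x06 or oid != TLS_FEATURE_OID:
            continue
        value_tag, octets = fields[-1]             # extnValue is always the last field
        if value_tag != 0x04:
            continue
        feat_tag, features, _ = _read_tlv(octets, 0)  # Features ::= SEQUENCE OF INTEGER
        if feat_tag != 0x30:
            continue
        for int_tag, val in _iter_sequence(features):
            if int_tag == 0x02 and int.from_bytes(val, "big", signed=True) == STATUS_REQUEST:
                return True
    return False


def score(must_staple, server_staples):
    """Map (extension present, handshake stapled) to the buckets in the notes."""
    if must_staple and server_staples:
        return "pass", 100
    if must_staple:
        return "warn", 60   # asserted but not honoured: strict clients will refuse
    if server_staples:
        return "warn", 30   # stapling without the assertion: soft-fail still open
    return "fail", 0


def sample_extensions(with_must_staple):
    """Constructed Extensions SEQUENCE: keyUsage, optionally TLS Feature."""
    key_usage = tlv(0x30, tlv(0x06, KEY_USAGE_OID) + tlv(0x01, b"\xff")
                    + tlv(0x04, tlv(0x03, b"\x05\xa0")))
    exts = key_usage
    if with_must_staple:
        features = tlv(0x30, tlv(0x02, bytes([STATUS_REQUEST])))
        exts += tlv(0x30, tlv(0x06, TLS_FEATURE_OID) + tlv(0x04, features))
    return tlv(0x30, exts)


if __name__ == "__main__":
    for asserted in (True, False):
        for stapled in (True, False):
            found = must_staple_asserted(sample_extensions(asserted))
            print(f"must-staple={found} stapled={stapled} -> {score(found, stapled)}")
```

The scanner deliberately keys on the OID bytes and the integer 5 rather than on a pretty-printed "TLS Feature" string, since the extension may be marked critical or non-critical and the Features list may carry other values; only status_request(5) means Must-Staple.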
Scoring
Scoring formulas are versioned with the methodology. The current method maps raw measurements to pass, warn, fail. Factor weights determine how much each contributes to the composite — see the methodology index for the full table.
Version history
| Version | Change | Date |
|---|---|---|
| v0.1 | Factor introduced. Status: proposed. Scoring impl: todo. | 2026-04-25 |