Website Security Scorecard

The scorecard checks six security categories: SSL/TLS certificate validity and configuration, security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Permissions-Policy), DNS email authentication (SPF, DKIM, DMARC), cookie security flags (HttpOnly, Secure, SameSite), HTTPS enforcement and redirect behavior. Each category is scored pass or fail and combined into an overall letter grade from A to F.

Yes. The scorecard performs only passive checks using publicly available information: HTTP response headers, DNS records and SSL certificate data. It does not attempt exploitation, send malicious payloads or modify any data on your server.

Each of the six check categories is weighted equally. An A grade means all checks passed. B means one failed. C means two failed. D means three or four failed. F means five or more categories failed.

We send your detailed scorecard report to your email so you have a permanent reference. We may also send a follow-up with remediation guidance for any failed checks. You can unsubscribe at any time. We do not sell or share your email address.

Each failed check includes specific remediation steps you can implement immediately. For a comprehensive assessment that goes beyond automated checks, Sherlock Forensics offers professional penetration tests starting at $1,500 CAD. Call 604.229.1994 for a free consultation.