Web Application Security · Updated 2026-05-02
Header & TLS Security
Composite of 11 header and TLS sub-weights (100 pts total). Drill into each sub-weight for the actual fix. Apex is the primary host.
Header & TLS Security is a composite check rolling up 11 sub-weights covering HTTP security headers and TLS configuration on your primary web host (apex by default). Each sub-weight has its own dedicated fix page in the sidebar; this page explains what the rollup means, where to start, and how to read the evidence.
The check evaluates the apex (and any same-zone primary hosts), runs a verified TLS handshake on each HTTPS host, and produces a per-host score weighted by host importance. Total points possible: 100. Special states: if the apex redirects elsewhere, the check returns Not Applicable; if the web probe cannot reach the apex at all, the check returns Deferred (no score).
The 11 sub-weights
Sub-weights split into two rough categories. Each has its own fix page; weights are noted in parentheses.
HTTP security headers (56 pts)
- Strict-Transport-Security (HSTS, 15 pts). Tells browsers to only ever use HTTPS for your domain.
- Content-Security-Policy (CSP, 15 pts). Restricts which scripts and resources the page can load. The hardest header to get right and one of the highest-impact when done well.
- X-Content-Type-Options (8 pts). Stops MIME-type sniffing.
- X-Frame-Options or CSP frame-ancestors (8 pts). Prevents clickjacking via iframe embedding.
- Referrer-Policy (6 pts). Controls how much of the URL leaks in Referer headers to other origins.
- Permissions-Policy (4 pts). Restricts use of browser features like camera, microphone, geolocation.
TLS configuration (45 pts)
- TLS Protocol Version (15 pts). TLS 1.2 minimum; TLS 1.3 preferred. Anything older fails.
- Certificate Validity (12 pts). Cert is currently valid (not expired, not yet started, not too close to expiry).
- SAN Hostname Match (8 pts). The cert's Subject Alternative Names include the hostname being served.
- Certificate Chain Completeness (5 pts). The full intermediate chain is served, not just the leaf.
- Cipher Strength (5 pts). Strong ciphers only; no RC4, no DES, no NULL.
Where to start
If your sub-scores are mixed, work in this order. Each step builds on the previous and gets the most score per unit of effort.
- Get TLS clean first. TLS Protocol Version, Certificate Validity, SAN Hostname Match, Chain Completeness, and Cipher Strength are usually one-time configuration items at your TLS-terminating layer (CDN, load balancer, web server). Most managed providers handle this automatically.
- Add Strict-Transport-Security. Once HTTPS works on every host, add HSTS so browsers refuse to use HTTP. Start with a short max-age, verify nothing breaks, then ramp.
- Add the cheap headers (X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy). These are one-line per-header additions in your web server config. You can typically add all of them in a single deploy.
- Tackle Content-Security-Policy last. CSP is the hardest header to implement well because it requires inventorying every script and asset source. Start in Report-Only mode, collect violation reports for two weeks, fix or unblock legitimate sources, then enforce. Rushing CSP breaks pages.
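The review step in the last item, written out as an added Python example (not RedScore's code): aggregate Report-Only violation reports by directive and blocked origin so you can decide what to allow before switching to enforce. The csp-report JSON shape is the standard report-uri body; the sample reports and the hostnames in them are constructed, and the review threshold is an assumed triage heuristic.

```python
"""Added example (not RedScore's own code): aggregating CSP Report-Only
violation reports into a per-directive inventory of blocked origins, which is
the review step between Report-Only and enforce. Reports use the standard
report-uri JSON body ({"csp-report": {...}}); every sample here is constructed."""
import json
from collections import defaultdict
from urllib.parse import urlsplit

def blocked_origin(blocked_uri):
    """Reduce blocked-uri to its origin. Browsers send bare keywords such as
    'inline', 'eval' or 'data' for non-network sources; keep those verbatim."""
    p = urlsplit(blocked_uri)
    if p.scheme in ("http", "https") and p.netloc:
        return f"{p.scheme}://{p.netloc}"
    return blocked_uri

def inventory(report_bodies):
    """Map each violated directive to {origin: count} from raw JSON bodies.
    Malformed bodies are skipped: a collector must not die on bad input."""
    inv = defaultdict(lambda: defaultdict(int))
    for body in report_bodies:
        try:
            r = json.loads(body)["csp-report"]
            # Older reports carry only violated-directive ("img-src 'self'"); keep the name.
            directive = (r.get("effective-directive") or r["violated-directive"]).split()[0]
            origin = blocked_origin(r["blocked-uri"])
        except (ValueError, KeyError, IndexError, TypeError):
            continue
        inv[directive][origin] += 1
    return {d: dict(o) for d, o in inv.items()}

def review_candidates(inv, min_count=2):
    """Origins seen at least min_count times per directive: the ones to check
    against your asset inventory before unblocking (threshold is an assumed heuristic)."""
    return {d: sorted(o for o, n in origins.items() if n >= min_count)
            for d, origins in inv.items()}

# Constructed sample reports: two hits from one analytics CDN, one inline
# script, one old-format image report, and one malformed body.
REPORTS = [
    json.dumps({"csp-report": {"effective-directive": "script-src", "violated-directive":
                "script-src", "blocked-uri": "https://cdn.analytics.example/tag.js"}}),
    json.dumps({"csp-report": {"effective-directive": "script-src", "violated-directive":
                "script-src", "blocked-uri": "https://cdn.analytics.example/boot.js?v=3"}}),
    json.dumps({"csp-report": {"effective-directive": "script-src", "violated-directive":
                "script-src", "blocked-uri": "inline"}}),
    json.dumps({"csp-report": {"violated-directive": "img-src 'self'",
                "blocked-uri": "https://images.example/team.png"}}),
    "not json at all",
]
```

An origin that shows up in the candidates list is only a lead: confirm it is something you actually embed before adding it to the directive, since the inline hits are what a nonce or hash migration has to address.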
Special states
Not Applicable
If the apex redirects to a different domain (for example, yourdomain.tld redirects to www.yourdomain.tld, which redirects to yourbrand.com), the check returns Not Applicable rather than scoring against the redirected host. This is the right behavior: the redirect target is the real primary, and it is scored on its own scan. If you see N/A here and you did not expect a redirect, audit your apex configuration.
Deferred
If the web probe cannot reach the apex (host down, firewall blocking, no DNS), the check defers with no score rather than penalizing you for an unreachable host. The fix is upstream: get the apex reachable (see Web Assessability), then re-scan. The header/TLS scoring picks up automatically once probes succeed.
How per-host weighting works
The check runs against every primary web host (apex and same-zone hosts that pass the meaningfulness test). Each host has its own per-host budget of 101 points; the apex is weighted highest, with non-apex hosts contributing less to the rollup. The total earned is divided by the total possible across all weighted hosts and scaled to the 100-point category weight. In practice this means: getting the apex right gives you most of the points, and additional hosts are bonus credit (or, if they are misconfigured, a small drag on the rollup).
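As an added illustration (not RedScore's own code) of how the header sub-weights listed above and this per-host rollup combine, here is a small Python model. The 56 header points are the page's; the host-importance weights (apex 1.0, other hosts 0.5), the presence-only pass criteria and the sample responses are assumptions made for the example.

```python
"""Added example (not RedScore's own code): a minimal model of the header half
of the rollup and the per-host weighting described above. The 56 header points
are the page's; the host weights (apex 1.0, other 0.5) and the presence-only
pass criteria are assumptions made for illustration."""
import re

# Header sub-weights from the page, in points ('frame-protection' is
# X-Frame-Options or CSP frame-ancestors, whichever is present).
HEADER_WEIGHTS = {"strict-transport-security": 15, "content-security-policy": 15,
                  "x-content-type-options": 8, "frame-protection": 8,
                  "referrer-policy": 6, "permissions-policy": 4}
HEADER_MAX = sum(HEADER_WEIGHTS.values())  # 56
HOST_WEIGHT = {"apex": 1.0, "other": 0.5}  # assumed host-importance weights

def score_headers(headers):
    """Return (points, missing) for one host's response headers.
    Names are matched case-insensitively, as HTTP header names are."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    csp = h.get("content-security-policy", "")
    passed = {
        "strict-transport-security": "max-age=" in h.get("strict-transport-security", "").lower(),
        "content-security-policy": bool(csp),
        # Only the exact token 'nosniff' disables MIME sniffing.
        "x-content-type-options": h.get("x-content-type-options", "").lower() == "nosniff",
        # Either mechanism satisfies the clickjacking sub-weight.
        "frame-protection": "x-frame-options" in h
                            or bool(re.search(r"\bframe-ancestors\b", csp, re.I)),
        "referrer-policy": "referrer-policy" in h,
        "permissions-policy": "permissions-policy" in h,
    }
    points = sum(HEADER_WEIGHTS[k] for k, ok in passed.items() if ok)
    return points, sorted(k for k, ok in passed.items() if not ok)

def rollup(hosts, category_weight=100):
    """hosts: {hostname: (kind, headers)} with kind 'apex' or 'other'.
    Weighted earned over weighted possible, scaled to the category weight."""
    earned = possible = 0.0
    for kind, headers in hosts.values():
        earned += HOST_WEIGHT[kind] * score_headers(headers)[0]
        possible += HOST_WEIGHT[kind] * HEADER_MAX
    return round(category_weight * earned / possible, 1)

# Constructed sample responses: the apex is complete, the API host is not.
APEX = {"Strict-Transport-Security": "max-age=300", "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "Referrer-Policy": "strict-origin-when-cross-origin",
        "Permissions-Policy": "camera=(), microphone=(), geolocation=()"}
API = {"Strict-Transport-Security": "max-age=300", "X-Content-Type-Options": "nosniff",
       "X-Frame-Options": "DENY", "Referrer-Policy": "no-referrer"}
```

With these weights the complete apex alone scores 100, and adding the half-configured API host as a 0.5-weight host pulls the rollup down to 88.7, which is the "small drag" the text describes.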
Verify the fix
- After fixing each sub-weight, re-run the RedScore lookup. The rollup updates on the next scan.
- Per-header inspection: curl -sI https://yourdomain.tld | grep -iE 'strict-transport|content-security|x-frame|x-content-type|referrer|permissions'
- TLS inspection: openssl s_client -connect yourdomain.tld:443 -servername yourdomain.tld < /dev/null | openssl x509 -text
- Third-party scanners (securityheaders.com for headers, ssllabs.com/ssltest for TLS) cross-check what RedScore measures.
Common pitfalls
- Adding headers at one layer when another layer strips them. If your CDN, load balancer, and origin all touch headers, additions at the origin can be dropped or overridden upstream. Add headers at the layer closest to the client (usually the CDN or LB).
- Trying to fix all 11 sub-weights at once. Pick TLS first, then HSTS, then the cheap headers, then CSP. Working in order avoids breaking the dependencies (HSTS only makes sense once HTTPS is solid; CSP can take weeks).
- Rushing CSP into enforce mode. default-src 'self' breaks every third-party script you embed (analytics, ads, embeds). Always run Report-Only first.
- Relying on the apex score and ignoring other hosts. The composite weights apex highest but non-apex hosts still contribute. If api.yourdomain.tld serves user-facing pages, fix headers there too.
- Confusing N/A with pass. N/A means the check did not score because the apex redirected; the redirect target is scored separately. Track that target's scan results, not this one.