RedScore.ai

Web Application Security

154 points total

Evaluates the security of your web-facing application — HTTP security headers, TLS configuration, HTTPS enforcement, web presence quality, and site assessability (using apex as the default primary host).

Checks

Check (ID): Weight
Header & TLS Security (web_header_security): 100 pts
Web Presence Quality (web_presence_quality): 25 pts
Web Assessability (web_assessability): 25 pts
HTTPS Primary Enforcement (web_probe_task): 4 pts

Pass / Warn / Fail Logic

Header & TLS Security

Composite score from sub-weight checks across all hosts, normalized to 100 points.

Web Presence Quality

Pass if apex shows meaningful content; warn on thin content; fail on default/parked pages.

Web Assessability

Pass if apex loads and is assessable; fail if unreachable or blocked.

HTTPS Primary Enforcement

Full credit if apex redirects HTTP to HTTPS; proportional credit based on HTTPS ratio.

Header & TLS Sub-Weights

The Header & TLS Security check (100 pts) is broken into 11 sub-components, each scored per host and averaged.

Strict-Transport-Security (HSTS): 15
Content-Security-Policy (CSP): 15
TLS Protocol Version: 15
Certificate Validity: 12
X-Content-Type-Options: 8
X-Frame-Options / frame-ancestors: 8
SAN Hostname Match: 8
Referrer-Policy: 6
Certificate Chain Completeness: 5
Cipher Strength: 5
Permissions-Policy: 4
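
An added example, not RedScore's own code, of how a weighted composite like this can be computed from the sub-weights above. The binary pass/fail rule for each header, the normalization by the sum of the listed weights, and all names and sample responses are assumptions; the TLS sub-components are supplied as constructed booleans so the example runs offline.

```python
# Added example. Weights come from the page; every rule below is an assumption.
WEIGHTS = {
    "hsts": 15, "csp": 15, "tls_version": 15, "cert_valid": 12,
    "xcto": 8, "framing": 8, "san_match": 8, "referrer_policy": 6,
    "chain_complete": 5, "cipher_strength": 5, "permissions_policy": 4,
}

def header_checks(headers):
    """Assumed binary pass/fail rules for the six header sub-components."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    csp = h.get("content-security-policy", "")
    directives = {d.split()[0].lower() for d in csp.split(";") if d.strip()}
    max_age = 0
    for part in h.get("strict-transport-security", "").lower().split(";"):
        name, _, value = part.strip().partition("=")
        if name == "max-age" and value.strip('"').isdigit():
            max_age = int(value.strip('"'))
    referrer = h.get("referrer-policy", "").lower()
    return {
        "hsts": max_age > 0,  # max-age=0 tells browsers to drop the HSTS entry
        "csp": bool(directives),
        "xcto": h.get("x-content-type-options", "").lower() == "nosniff",
        "framing": "frame-ancestors" in directives
        or h.get("x-frame-options", "").upper() in ("DENY", "SAMEORIGIN"),
        "referrer_policy": bool(referrer) and "unsafe-url" not in referrer,
        "permissions_policy": bool(h.get("permissions-policy")),
    }

def host_score(headers, tls):
    """Earned weight for one host, normalized to 100 points."""
    results = {**header_checks(headers), **tls}
    earned = sum(w for name, w in WEIGHTS.items() if results.get(name))
    return 100 * earned / sum(WEIGHTS.values())

def composite(hosts):
    """Average of per-host scores, as the page describes."""
    return sum(host_score(h, t) for h, t in hosts) / len(hosts)

# Constructed sample input: two hosts, TLS sub-components assumed passing.
TLS_OK = dict.fromkeys(
    ["tls_version", "cert_valid", "san_match", "chain_complete", "cipher_strength"], True)
APEX = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
WWW = {"Strict-Transport-Security": "max-age=0", "X-Frame-Options": "SAMEORIGIN"}
```

With this sample, the well-configured apex is pulled down by the second host, which is the practical effect of averaging across hosts: a forgotten subdomain with weak headers lowers the composite.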

Findings & How to Fix Them

These are the specific findings RedScore may report for this category, along with remediation guidance.

high: Web Probe Missing (web_probe_missing)

Ensure the primary host responds over HTTP/HTTPS so web presence can be evaluated.

high: Primary Host Unreachable (web_primary_probe_unreachable)

Ensure the primary host is reachable and serves application content.

high: Default Server Page (default_server_page)

Replace default web server pages with your real application or an intentional holding page that reflects a maintained service.

high: Parked or Placeholder Site (parked_or_placeholder_site)

Replace parked/placeholder pages with an actively maintained site, or remove unused internet-facing hosts.

medium: Redirect-Only Primary (redirect_only_primary)

Serve meaningful content on the canonical destination and avoid redirect loops/placeholder redirects.

medium: Thin Web Presence (thin_web_presence)

Publish meaningful application content (not a bare template) on the primary host so web controls can be evaluated in context.

medium: Web Presence Quality Reduced (web_presence_quality_reduced)

Improve primary-site content quality and replace placeholder/default hosting pages.