Grading Methodology

Verifies that your site uses a valid SSL/TLS certificate and properly enforces encrypted connections.

• Certificate validity — is the certificate present and not expired?
• HTTPS redirect — does HTTP automatically redirect to HTTPS?
• HSTS header — is Strict-Transport-Security configured?

Checks for HTTP security headers that protect users from common attacks like clickjacking, XSS, and content injection.

• Content-Security-Policy — controls which resources the browser can load
• X-Frame-Options — prevents your site from being embedded in iframes (clickjacking)
• X-Content-Type-Options — prevents MIME-type sniffing
• Referrer-Policy, Permissions-Policy, HSTS, X-XSS-Protection, Server header

Monitors your product's availability with hourly pings and calculates reliability metrics over a rolling 30-day window.

• 30-day uptime percentage — what fraction of pings got a successful response (40 pts)
• Average response time — how fast your server responds (25 pts)
• Last 24h availability — recent reliability snapshot (20 pts)
• Consistency — number of days with zero outages (15 pts)

Measures how quickly your product loads and whether it follows performance best practices.

• Time to First Byte (TTFB) — how fast the server starts responding
• Compression — is gzip/brotli enabled?
• Redirect chains — unnecessary redirects that slow down load times
• HTTP version — is the server using HTTP/2 or HTTP/3?

Verifies your DNS configuration and email security records — signals that you manage your infrastructure responsibly.

• DNSSEC — DNS response authenticity validation
• SPF record — specifies which mail servers can send email for your domain
• DMARC record — email authentication policy (scored by policy strength)
• CAA record — controls which certificate authorities can issue certs for your domain

Checks for the legal and privacy signals that users expect from a trustworthy product.

• Privacy policy — is there an accessible privacy policy page?
• Terms of service — is there a terms/ToS page?
• Cookie consent — detects 20+ cookie consent providers
• Contact information — can users reach a real person?

Evaluates how many tools the server exposes and whether it follows the principle of least privilege.

• Tool count — fewer, focused tools are better than sprawling APIs
• Scope breadth — file, network, database, shell, and crypto domains
• Input validation — uses Zod, Joi, or MCP inputSchema
• Least privilege — no eval(), exec(), or dangerous patterns

Checks whether the server implements proper authentication and handles secrets safely.

• Auth middleware — is authentication implemented?
• Auth approach — OAuth, API keys, bearer tokens
• Secret handling — environment variables, not hardcoded values
• Transport config — stdio vs HTTP binding

Analyzes the project's dependency tree for known vulnerabilities (via the OSV database), staleness, and supply chain hygiene.

• Known vulnerabilities — cross-referenced against the OSV database
• Dependency count — lean dependency trees are safer
• Freshness — are dependencies reasonably up to date?
• Lockfile — is there a lockfile for reproducible builds?

Scans source code for hardcoded secrets, injection risks, and error handling patterns. Uses a rule engine with 221 rules covering 129 services.

• No hardcoded secrets — detects API keys, tokens, and credentials (AWS, Stripe, GitHub, Slack, and 125+ more)
• Injection safety — no unsanitized user input in shell commands or queries
• Error handling — language-aware detection (try/catch, Result types, if err patterns)
• Network safety — safe HTTP patterns and connection handling

Evaluates overall project quality signals — the kind of practices that indicate a well-maintained codebase.

• Type safety — TypeScript, type annotations, or language-level type systems
• Tests present — per-language test detection
• License — is there an open-source license?
• Documentation — README, inline docs, API documentation
• Project activity — recent commits and maintenance signals