I had a site with HTTPS, proper headers, real security work done. My algorithm gave it an F in security because it was missing some obscure headers. That's absurd. Conversely, I had sites gaming the system: privacy policy pages and cookie banners just to boost their "essentials" score without fixing anything real.
What I built
Three mechanisms that make scores reflect reality:
- Floors: minimum scores when baseline protections exist. If a site serves over HTTPS and sets the basic security headers, it can't score below a fixed threshold no matter how many of the less common headers it is missing
- Ceilings: caps when critical weaknesses exist. A site with no TLS at all (plain HTTP) can't score above a fixed cap no matter what else it does well
- Anti-gaming caps: so you can't policy-page your way to an A. Privacy policies, cookie banners and similar "essentials" count for a bounded amount and never substitute for actually fixing issues
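As an added example (not the post's own scoring code), here is one way to implement the three mechanisms in Python. The check names, point weights, grade cut-offs and the floor and ceiling values are assumptions picked so that each rule is visible on the constructed sites at the bottom; the anti-gaming cap is implemented as "essentials" points counting only up to what the site earned by actually fixing things, plus a no-A rule when any fix is outstanding, which is one reading of the rule above rather than necessarily the author's.

```python
"""Floors, ceilings and anti-gaming caps on a security score.

Added example, not the original post's code. The check catalogue, weights,
grade cut-offs and thresholds are assumptions chosen to make each mechanism
visible; they are not the values of any real scoring product.
"""
from typing import Dict, Set, Tuple

# Constructed check catalogue: check name -> (points, category).
# Weights sum to 100 so the raw score reads as a plain percentage.
CHECKS: Dict[str, Tuple[int, str]] = {
    "https":              (15, "transport"),
    "hsts":               (5,  "headers"),
    "csp":                (10, "headers"),
    "x-frame-options":    (5,  "headers"),
    "referrer-policy":    (15, "headers"),     # the "obscure" headers that sink
    "permissions-policy": (15, "headers"),     # a solid site under raw arithmetic
    "no-known-vulns":     (15, "fixes"),
    "no-exposed-admin":   (5,  "fixes"),
    "privacy-policy":     (5,  "essentials"),
    "cookie-banner":      (5,  "essentials"),
    "terms-page":         (5,  "essentials"),
}

BASIC_HEADERS = {"hsts", "csp", "x-frame-options"}
ALL_FIXES = {name for name, (_, cat) in CHECKS.items() if cat == "fixes"}
BASELINE_FLOOR = 70      # HTTPS + at least one basic header guarantees a C
NO_TLS_CEILING = 40      # plain HTTP: nothing else lifts the site above an F
A_THRESHOLD = 90
GRADES = ((90, "A"), (80, "B"), (70, "C"), (60, "D"), (0, "F"))


def category_points(passed: Set[str], category: str) -> int:
    """Points earned by passed checks in one category."""
    return sum(pts for name, (pts, cat) in CHECKS.items()
               if cat == category and name in passed)


def raw_score(passed: Set[str]) -> int:
    """Pure arithmetic: add up the weight of every passed check."""
    return sum(pts for name, (pts, _) in CHECKS.items() if name in passed)


def anti_gaming_score(passed: Set[str]) -> int:
    """Policy pages count only up to what was earned by actually fixing things."""
    essentials = category_points(passed, "essentials")
    fixes = category_points(passed, "fixes")
    return raw_score(passed) - essentials + min(essentials, fixes)


def apply_floor(score: int, passed: Set[str]) -> int:
    """Baseline protections present: the score cannot drop below the floor."""
    if "https" in passed and passed & BASIC_HEADERS:
        return max(score, BASELINE_FLOOR)
    return score


def apply_ceilings(score: int, passed: Set[str]) -> int:
    """Critical weaknesses cap the score regardless of everything else."""
    if "https" not in passed:
        score = min(score, NO_TLS_CEILING)
    if not ALL_FIXES <= passed:           # an outstanding fix rules out an A
        score = min(score, A_THRESHOLD - 1)
    return score


def grade(score: int) -> str:
    for cutoff, letter in GRADES:
        if score >= cutoff:
            return letter
    return "F"


def score_site(passed: Set[str]) -> Tuple[int, str]:
    """Final score and letter grade; ceilings are applied last so they win."""
    unknown = passed - set(CHECKS)
    if unknown:
        raise ValueError(f"unknown checks: {sorted(unknown)}")
    score = anti_gaming_score(passed)
    score = apply_floor(score, passed)
    score = apply_ceilings(score, passed)
    return score, grade(score)


# Constructed sample sites (assumed check results, not real scan output).
REAL_SITE = {"https", "hsts", "csp", "x-frame-options",
             "no-known-vulns", "no-exposed-admin"}          # missing obscure headers
NO_TLS_SITE = set(CHECKS) - {"https"}                         # everything except TLS
GAMED_SITE = {"https", "hsts", "csp", "x-frame-options", "referrer-policy",
              "permissions-policy", "privacy-policy", "cookie-banner", "terms-page"}
ALMOST_SITE = set(CHECKS) - {"no-exposed-admin"}              # one fix outstanding
PERFECT_SITE = set(CHECKS)

if __name__ == "__main__":
    for label, site in [("real work", REAL_SITE), ("no TLS", NO_TLS_SITE),
                        ("policy-paged", GAMED_SITE), ("one fix left", ALMOST_SITE),
                        ("perfect", PERFECT_SITE)]:
        raw = raw_score(site)
        final, letter = score_site(site)
        print(f"{label:13s} raw={raw:3d} ({grade(raw)})  final={final:3d} ({letter})")
```

Read the output top to bottom: the site that did real work is an F on raw arithmetic and a C once the floor applies; the plain-HTTP site is a B on arithmetic and an F under the ceiling; the policy-paged site loses every point its pages would have bought and lands exactly on the baseline floor; a single outstanding fix turns a 95 into a B. Whether ceilings should override floors, as they do here, is itself a business decision worth writing down.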
The insight
Scores aren't math. They're business logic. A score needs to answer "Should I hire this company?" not "Did they check every box?" The moment I started thinking about scores as business decisions rather than arithmetic, everything clicked.