You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
<p>HTTPSWatch assigns every tracked site a rating approximating the quality of its HTTPS support. If a verified TLS connection cannot be established or no page can be loaded over TLS, the site is given the <spanclass="site-grade-bad">Bad</span> rating. The <spanclass="site-grade-mediocre">Mediocre</span> rating means a TLS connection can be established but there are quality issues with the site’s implementation of HTTPS (e.g. the HTTP site doesn’t redirect to HTTPS or the <code>Strict-Transport-Security</code> header isn’t set). If everything looks good, a <spanclass="site-grade-good">Good</span> rating is given.
<p>Many of the sites that receive a <spanclass="site-grade-mediocre">Mediocre</span> rating are only missing the HTTP <code>Strict-Transport-Security</code> header and have otherwise good HTTPS. The HSTS header is a vital component of helping visitors reach a website securely. Without HSTS, it is still possible for an attacker to intercept web traffic and prevent users from connecting over HTTPS. Thus, websites will not be rated <spanclass="site-grade-good">Good</span> unless they include HSTS.
<h2>Limitations</h2>
<p>Some sites which HTTPSWatch rates as <spanclass="site-grade-mediocre">Mediocre</span> are actually unusable in a browser. This is mostly due to <ahref="https://developer.mozilla.org/en-US/docs/Security/MixedContent">mixed content</a>, which HTTPSWatch doesn’t always detect.
