What an attacker sees before they touch your site

What is a security grade and what does an A vs an F mean?

A stranger can grade your security in two minutes. What's yours?

A security grade is a single letter that summarizes how your site looks from the outside. A through F, the same shape as a school report card, and for the same reason: it compresses a pile of individual checks into one judgment you can act on without reading all of them. It's blunt on purpose. A founder glancing at an A versus an F knows instantly whether to keep scrolling or stop everything.

The grade is built from things an outsider can already see. Which means anyone can compute it, including someone deciding whether you're worth the effort. So the question is fair: what's yours, and what would move it?

What goes into the letter

A grade is an aggregate. Underneath it sits a list of individual checks, each weighted by how much damage the underlying problem actually causes. Not every finding counts the same, and that weighting is the whole point of collapsing them into a letter.

The checks fall into rough bands of severity:

  • Critical. A downloadable /.env, a live sk_live_ or AKIA… key in your JavaScript bundle, an open /.git/config, a public S3 bucket, an exposed admin panel like phpMyAdmin or Grafana sitting on the open internet. Any one of these is a direct path in. A single critical finding caps your grade hard, because the rest of your hygiene doesn't matter much when the front door is open.
  • High. A TLS certificate expiring in days, TLS 1.0 still enabled, a session cookie missing HttpOnly or Secure, source maps shipped to production.
  • Medium. Missing HSTS, no CSP, no clickjacking protection, missing SPF, a DMARC policy stuck on p=none, no CAA record, a third-party script with no SRI.

You don't climb from F to A by fixing the easy mediums. You climb by clearing the criticals first, because that's where the weight is.
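To make the aggregation concrete, here is a small Python grader, written as an added example for this page and not SurfaceCheckr's scanner or its real scoring. It runs a handful of the checks listed above over constructed HTTP responses, weights each finding, applies a cap for the worst single finding, and ranks the result into a worklist. The weights, letter thresholds, cap rule and the sample responses are all assumptions made for the illustration.

```python
import re
from typing import Dict, List, Tuple

# Severity weights, thresholds and the cap rule are assumptions for this
# example, not SurfaceCheckr's actual scoring.
WEIGHT = {"critical": 30, "high": 15, "medium": 5}
CAP = {"critical": "D", "high": "B"}      # best letter a single finding of that severity allows
LETTERS = [("A", 90), ("B", 80), ("C", 65), ("D", 50), ("F", 0)]

SECRET_PATTERNS = {
    "Stripe live secret key": re.compile(r"sk_live_[0-9A-Za-z]{8,}"),
    "AWS access key id": re.compile(r"AKIA[0-9A-Z]{16}"),
}

# One observed response: (status, headers with lower-cased names, body).
Response = Tuple[int, Dict[str, str], str]


def check_site(responses: Dict[str, Response]) -> List[Tuple[str, str]]:
    """Derive (severity, description) findings from passively observed responses."""
    findings = []
    _, headers, _ = responses["/"]

    # Critical: exposed files and secrets shipped in public assets.
    env = responses.get("/.env")
    if env and env[0] == 200 and re.search(r"^[A-Z_]+=", env[2], re.M):
        findings.append(("critical", "/.env downloadable by anyone"))
    git = responses.get("/.git/config")
    if git and git[0] == 200 and "[core]" in git[2]:
        findings.append(("critical", "/.git/config exposed"))
    for path, (status, _, body) in responses.items():
        if path.endswith(".js") and status == 200:
            for name, pattern in SECRET_PATTERNS.items():
                if pattern.search(body):
                    findings.append(("critical", f"{name} found in {path}"))

    # High: the site's cookie is missing HttpOnly or Secure.
    cookie = headers.get("set-cookie", "")
    if cookie:
        flags = {f.strip().lower() for f in cookie.split(";")[1:]}
        for flag in ("httponly", "secure"):
            if flag not in flags:
                findings.append(("high", f"session cookie missing {flag}"))

    # Medium: transport and browser hardening headers.
    if "strict-transport-security" not in headers:
        findings.append(("medium", "no HSTS"))
    csp = headers.get("content-security-policy", "")
    if not csp:
        findings.append(("medium", "no CSP"))
    if "x-frame-options" not in headers and "frame-ancestors" not in csp:
        findings.append(("medium", "no clickjacking protection"))
    return findings


def grade(findings: List[Tuple[str, str]]) -> Tuple[str, int]:
    """Collapse weighted findings into a letter, then cap it by the worst finding."""
    score = max(0, 100 - sum(WEIGHT[sev] for sev, _ in findings))
    letter = next(l for l, floor in LETTERS if score >= floor)
    order = "ABCDF"
    for sev, _ in findings:
        if sev in CAP and order.index(CAP[sev]) > order.index(letter):
            letter = CAP[sev]          # a cap only ever lowers the letter
    return letter, score


def ranked(findings: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Worklist order: the worst open door first."""
    rank = {"critical": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda f: rank[f[0]])


# Constructed responses for a fictional site; the key value is a placeholder.
SAMPLE: Dict[str, Response] = {
    "/": (200, {"set-cookie": "session=abc123; Path=/"}, "<html></html>"),
    "/.env": (200, {}, "DATABASE_URL=postgres://app:pw@db/app\n"
                       "STRIPE_KEY=sk_live_EXAMPLE0000000000000000\n"),
    "/.git/config": (404, {}, "Not Found"),
    "/static/app.min.js": (200, {}, "var K='sk_live_EXAMPLE0000000000000000';fetch('/api')"),
}

if __name__ == "__main__":
    found = check_site(SAMPLE)
    letter, score = grade(found)
    print(f"grade {letter} (score {score})")
    for sev, desc in ranked(found):
        print(f"  [{sev}] {desc}")
```

Run against the constructed sample, the two criticals alone push the score to the floor and the letter to F; drop them and the same site lands on D, which is the "several grades in one move" the text describes. A single critical on an otherwise clean site scores a C on points but is capped to D, so the letter still reflects the worst open door rather than the average.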

Example card (grade scale A to F): why this site landed on F
  • /.env downloadable by anyone
  • sk_live_ key found in app.min.js
  • no HTTPS redirect, no HSTS

One critical finding drags the whole grade down. The letter reflects your worst open door, not your average effort.

What an A actually means, and what it doesn't

An A means nothing showed up from the outside. No exposed files, no leaked secrets, no obviously stale and vulnerable versions, transport configured properly, email records that stop someone spoofing your domain, headers in place. It means a stranger doing reconnaissance finds nothing easy and moves on to a softer target, which is most of the value. Opportunistic attacks go where the work is lowest.

Here's what an A does not mean, and this is the honest part. It does not mean you're secure. A passive external grade can't see your authorization logic, can't test whether one user can read another's data, can't find an injection flaw or a broken checkout flow. Those live behind your login and inside your application, and a passive scan never goes there. You can hold a clean A and still have a serious business-logic hole that only a proper active pentest would surface.

So read the grade for exactly what it is: a measure of your external attack surface, the part an attacker sees before they touch you. A strong measure of that, and silent on everything else. An A says your street view is clean. It doesn't vouch for the inside of the house.

What an F is telling you

An F is rarely a long list. It's usually one or two critical findings doing all the damage, and each one comes with a concrete fix.

The grade points at the specific line. /.env is readable: block dotfiles at your web server, then treat every credential in the file as burned and rotate it, because it has been public. A live secret key is in your bundle: rotate it, then move the call that needs it to a server route so the browser never holds the new one. An admin panel is on the open internet: put it behind your SSO or an IP allowlist, ideally both. Each fix is a known action against a named finding, and clearing a critical typically jumps the letter several grades in one move.
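For the web-server side of those fixes, here is an nginx configuration written as an added example for this page (not SurfaceCheckr's output) that closes three of the doors named above in one place: an HTTP-to-HTTPS redirect with HSTS, a blanket block on dotfiles such as /.env and /.git/config, and an admin panel reachable only from an allowlisted range and behind basic auth. The hostname, certificate paths, upstream ports, the 203.0.113.0/24 range and the /phpmyadmin/ prefix are placeholders to replace with your own.

```nginx
# Added example, not SurfaceCheckr's output. example.com, the certificate
# paths, the upstream ports and 203.0.113.0/24 are placeholders.

# Every plain-HTTP request is redirected to HTTPS.
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;   # no TLS 1.0/1.1

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options "DENY" always;

    # ACME challenges must stay reachable even though they live under a dotdir;
    # the ^~ prefix match wins over the regex block below.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;
    }

    # Everything else that starts with a dot (.env, .git/, .htpasswd, ...) is gone.
    location ~ /\. {
        return 404;
    }

    # Admin panel: source-IP allowlist first, then basic auth, then the proxy.
    location /phpmyadmin/ {
        allow 203.0.113.0/24;
        deny all;
        auth_basic "restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;
        proxy_pass http://127.0.0.1:8080/;
    }

    location / {
        proxy_pass http://127.0.0.1:3000;
    }
}
```

Two caveats a practitioner would check. First, nginx does not merge add_header across levels: a location block that declares its own add_header silently drops the server-level HSTS and X-Frame-Options headers, so either keep headers at one level or repeat them. Second, the config only stops future reads; anything that was in /.env or the bundle while it was public still has to be rotated, and the old key revoked, regardless of how quickly the block went in.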

That's the useful thing about the grade as a worklist. It's ranked. It tells you the one fix that matters most this week instead of handing you forty findings and letting you guess.

The letter is computable by anyone, which is the whole reason to compute it first. SurfaceCheckr runs the same checks a stranger would, weights them the same way, and hands you the grade with the ranked findings underneath, so the worst open door is sitting at the top of the list where you can close it. No agent, no access to your servers, nothing installed. We read what your site already serves to the public, so the grade speaks to your external surface and stays quiet on the authenticated routes and business logic a pentest exists to probe. Pull your letter now, while you're the one looking.

Find it before someone else does.

Paste your domain. The grade and issue count are free, and you'll see in a couple of minutes exactly what's reachable from outside.