Score design

[cybershambles]

Obviously, the score should be rolling - you need to pass all of the lower checks to move forward.

Bad: No SSL/TLS
Mediocre: No default/no HSTS
Good: HTTPS redirected/HSTS enabled. No beast/poodle/heart-bleed.
Best: No bad ciphers/MD5/RC2. TLS-only.
Perfect: Forward Secrecy Only + New 4096-SHA265 key.

[cybershambles]

What would that list look like...

Mediocre
[] A verified TLS connection can be established.
[] A page can be successfully fetched over HTTPS.

Good
[] Strict-Transport-Security header is set but the max-age is less than 30 days.
[] HTTP site redirects to HTTPS.
[] BEAST/POODLE/Heartbleed safe

Best
[] No bad ciphers/Hashes - No RC4/MD5
[] TLS only

Perfect
[] Forward Secrecy only
[] Cert is 4096 bit key/SHA254 hash

[cybershambles]

Actually... I just figured we shouldn't flood with information... when people are failing to reach the lowest bar.. the rest is a bonus

So let's keep the three stages and bonus points the rest..

Just give Gold stars for the following.... for sites that go above and beyond
[] No bad ciphers/Hashes - No RC4/MD5
[] TLS only
[] Cert is 4096 bit key/SHA254 hash