April 1, 2026 · Updated May 2, 2026 | 11 min read | Antoine Duno | Web Security

How to Improve Your Website Security Score: From 60 to 90+ in One Day

Most websites start their first security scan between 50 and 65 out of 100. Getting to 90+ is achievable in a single day if you know which fixes have the highest point impact. This guide walks through every major scoring category, the typical point cost of each failure, and the exact fix for each.

Antoine Duno, founder of ZeriFlow · 10 years fullstack engineering

Key Takeaways

  • Includes copy-paste code examples and step-by-step instructions.
  • Free automated scan available to verify your implementation.


The first time most developers run a website security scan, they see a score somewhere between 50 and 65 out of 100. The good news is that the gap between 60 and 90 is almost entirely made up of configuration fixes — not code changes.

This guide is the prioritized fix list you need to work through that gap efficiently. Every fix is mapped to its typical point impact, the time it takes, and the exact implementation steps.


Start Here: Run a Baseline Scan

Before fixing anything, you need your actual score and a list of exactly what is failing. Run a free scan at zeriflow.com/free-scan — no account required. You will have a /100 score broken down by category in under 60 seconds.

Your score breakdown will look something like this:

| Category          | Typical score before optimization |
|-------------------|-----------------------------------|
| TLS/HTTPS         | 70–90/100                         |
| Security Headers  | 20–50/100                         |
| Cookies           | 40–70/100                         |
| Email Security    | 20–60/100                         |
| DNS               | 70–90/100                         |
| Content Security  | 60–80/100                         |
| Privacy           | 50–80/100                         |

The categories with the lowest scores are where you recover the most points fastest.


Category 1: Security Headers (Impact: 20–25 points)

Security headers are the highest-leverage fix available. A site with no security headers configured often scores 20–30/100 in this category. A fully configured site scores 95–100/100. That is a 15–25 point swing in the overall score.

What drops your score

| Missing header              | Typical point cost |
|-----------------------------|--------------------|
| Content-Security-Policy     | -8 to -12 pts      |
| Strict-Transport-Security   | -5 to -8 pts       |
| X-Frame-Options             | -3 to -5 pts       |
| Permissions-Policy          | -2 to -4 pts       |
| Referrer-Policy             | -2 to -3 pts       |
| X-Content-Type-Options      | -1 to -2 pts       |
| Cross-Origin-Opener-Policy  | -1 to -2 pts       |

The fix

For Next.js, add all headers in next.config.js:

```js
// next.config.js
// Every header below is applied to every route via the "/(.*)" source matcher.
const securityHeaders = [
  { key: "Strict-Transport-Security", value: "max-age=63072000; includeSubDomains; preload" },
  { key: "X-Frame-Options", value: "DENY" },
  { key: "X-Content-Type-Options", value: "nosniff" },
  { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
  { key: "Permissions-Policy", value: "camera=(), microphone=(), geolocation=()" },
  { key: "Cross-Origin-Opener-Policy", value: "same-origin" },
  {
    key: "Content-Security-Policy",
    // Directives are joined with "; " into a single header value.
    value: [
      "default-src 'self'",
      "script-src 'self' 'unsafe-inline'",
      "style-src 'self' 'unsafe-inline'",
      "img-src 'self' data: https:",
      "font-src 'self' https://fonts.gstatic.com",
      "connect-src 'self'",
      "frame-ancestors 'none'",
    ].join("; "),
  },
];

const nextConfig = {
  async headers() {
    return [{ source: "/(.*)", headers: securityHeaders }];
  },
};

module.exports = nextConfig;
```

For Express:

```js
const express = require("express");
const helmet = require("helmet");

const app = express();

// helmet() sets its default header set; the options below override the
// CSP directives, HSTS parameters and Referrer-Policy value.
app.use(
  helmet({
    contentSecurityPolicy: {
      directives: {
        defaultSrc: ["'self'"],
        scriptSrc: ["'self'"],
        styleSrc: ["'self'", "'unsafe-inline'"],
        imgSrc: ["'self'", "data:", "https:"],
        fontSrc: ["'self'", "https://fonts.gstatic.com"],
        connectSrc: ["'self'"],
        frameAncestors: ["'none'"],
      },
    },
    hsts: {
      maxAge: 63072000,
      includeSubDomains: true,
      preload: true,
    },
    referrerPolicy: { policy: "strict-origin-when-cross-origin" },
  })
);
```

Time to fix: 30–60 minutes. Point recovery: 15–25 points.
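To confirm the headers actually reach the browser (a reverse proxy or CDN can strip or override them), it helps to audit the live response rather than the config file. The following is an added example, not ZeriFlow's scanner or the article's own code: it checks the seven headers from the table above for presence and for weak values. The HSTS threshold of 180 days and the list of "leaky" Referrer-Policy values are this example's assumptions, and the BEFORE/AFTER header sets are constructed samples (AFTER uses the values from the next.config.js snippet above).

```javascript
// Added example: audit a response's security headers for presence and weak values.
// Header names are matched case-insensitively, as HTTP requires.

const HSTS_MIN_MAX_AGE = 180 * 24 * 60 * 60; // assumed threshold: 180 days in seconds

// Each check returns null when the value is acceptable, or a reason string.
const HEADER_CHECKS = {
  "strict-transport-security": (v) => {
    const maxAge = Number((/max-age=(\d+)/i.exec(v) || [])[1]);
    if (!(maxAge >= HSTS_MIN_MAX_AGE)) return `max-age below ${HSTS_MIN_MAX_AGE}s`;
    if (!/includeSubDomains/i.test(v)) return "missing includeSubDomains";
    return null;
  },
  "content-security-policy": (v) => {
    const names = v.split(";").map((d) => d.trim().toLowerCase().split(/\s+/)[0]).filter(Boolean);
    if (!names.includes("default-src")) return "no default-src fallback";
    if (!names.includes("frame-ancestors")) return "no frame-ancestors directive";
    return null;
  },
  "x-frame-options": (v) => (/^(DENY|SAMEORIGIN)$/i.test(v.trim()) ? null : `unexpected value "${v}"`),
  "x-content-type-options": (v) => (v.trim().toLowerCase() === "nosniff" ? null : `expected nosniff, got "${v}"`),
  "referrer-policy": (v) =>
    /^(no-referrer|strict-origin|strict-origin-when-cross-origin|same-origin)$/i.test(v.trim())
      ? null
      : `policy "${v}" can leak the full URL cross-origin`,
  "permissions-policy": () => null, // presence is what the score checks
  "cross-origin-opener-policy": (v) =>
    /^(same-origin|same-origin-allow-popups)$/i.test(v.trim()) ? null : `weak value "${v}"`,
};

/**
 * Audit a headers object (name -> value, any letter case).
 * Returns { missing: [names], weak: [{ name, reason }], ok: [names] }.
 */
function auditSecurityHeaders(headers) {
  const lower = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
  const result = { missing: [], weak: [], ok: [] };
  for (const [name, check] of Object.entries(HEADER_CHECKS)) {
    if (!(name in lower)) { result.missing.push(name); continue; }
    const reason = check(lower[name]);
    if (reason) result.weak.push({ name, reason }); else result.ok.push(name);
  }
  return result;
}

// Live use (Node 18+, needs network): await auditUrl("https://your-site.example")
async function auditUrl(url) {
  const res = await fetch(url, { redirect: "manual" });
  return auditSecurityHeaders(Object.fromEntries(res.headers));
}

// Constructed sample: a site with a short HSTS max-age and a legacy X-Frame-Options value.
const BEFORE = {
  "Content-Type": "text/html",
  "Strict-Transport-Security": "max-age=3600",
  "X-Frame-Options": "ALLOW-FROM https://partner.example",
};

// Constructed sample: the header set produced by the next.config.js snippet above.
const AFTER = {
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
  "X-Frame-Options": "DENY",
  "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
  "Cross-Origin-Opener-Policy": "same-origin",
  "Content-Security-Policy":
    "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; " +
    "img-src 'self' data: https:; font-src 'self' https://fonts.gstatic.com; connect-src 'self'; frame-ancestors 'none'",
};

console.log("before:", JSON.stringify(auditSecurityHeaders(BEFORE), null, 2));
console.log("after:", JSON.stringify(auditSecurityHeaders(AFTER), null, 2));
```

Running it on BEFORE reports five missing headers and two weak ones (the short HSTS max-age and the ALLOW-FROM value, which current browsers ignore); AFTER passes all seven checks.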


Category 2: TLS/HTTPS Configuration (Impact: 10–15 points)

TLS issues are common on sites hosted on shared hosting, older VPS setups, or cloud platforms with default configurations. The good news is that most TLS fixes are a single setting change in your hosting control panel.

What drops your score

| TLS issue                          | Typical point cost            |
|------------------------------------|-------------------------------|
| TLS 1.0 still enabled              | -5 to -8 pts                  |
| TLS 1.1 still enabled              | -3 to -5 pts                  |
| Weak cipher suites (RC4, 3DES)     | -3 to -5 pts                  |
| Certificate chain issues           | -3 to -5 pts                  |
| Missing HSTS header                | -3 to -5 pts (also in headers)|
| Certificate expiry within 30 days  | -2 to -4 pts                  |

How to check your TLS grade

Run your domain through ssllabs.com/ssltest. An A or A+ grade means your TLS configuration is not costing you points. A B or lower grade identifies the specific issues.

The fix by platform

Nginx:

```nginx
# /etc/nginx/nginx.conf or your site config
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256;
ssl_prefer_server_ciphers off;
ssl_session_timeout 1d;
ssl_session_cache shared:MozSSL:10m;
ssl_session_tickets off;
add_header Strict-Transport-Security "max-age=63072000" always;
```

Apache:

```apache
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:...
SSLHonorCipherOrder off
SSLSessionTickets off
Header always set Strict-Transport-Security "max-age=63072000"
```

Vercel / Netlify / Cloudflare: TLS configuration is managed by the platform. Enable "Modern TLS" or "TLS 1.2+" in your dashboard settings. Cloudflare users: set "Minimum TLS Version" to 1.2 in SSL/TLS → Edge Certificates.

Time to fix: 15–30 minutes (mostly platform settings). Point recovery: 8–15 points.


Category 3: Cookie Security (Impact: 5–10 points)

Missing cookie security flags are easy to fix and often affect the score by 5–10 points, depending on how many cookies your application sets.

What drops your score

| Cookie issue                        | Typical point cost |
|-------------------------------------|--------------------|
| Missing HttpOnly on session cookie  | -3 to -5 pts       |
| Missing Secure flag in production   | -2 to -4 pts       |
| Missing SameSite attribute          | -1 to -3 pts       |
| SameSite=None without Secure        | -1 to -2 pts       |

The fix

The key is knowing which cookies you set. Use browser DevTools → Application → Cookies to list every cookie your site sets.

For each session or authentication cookie, ensure all three flags are set:

```js
// Express session
const session = require("express-session");

app.use(session({
  secret: process.env.SESSION_SECRET,
  cookie: {
    httpOnly: true,                                   // not readable from document.cookie
    secure: process.env.NODE_ENV === "production",    // only sent over HTTPS in production
    sameSite: "lax",                                  // not sent on cross-site POSTs
    maxAge: 7 * 24 * 60 * 60 * 1000,                  // 7 days, in milliseconds
  },
}));
```

For third-party cookies set by analytics or tracking tools: these are outside your direct control, but you can document them and ensure your own first-party session cookies are correctly configured.

Time to fix: 20–30 minutes. Point recovery: 5–10 points.
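Listing cookies in DevTools works for one page at a time; the same check can be run over the Set-Cookie headers a response actually sends. The block below is an added example, not the article's or ZeriFlow's code: it parses Set-Cookie header lines and flags the four issues from the table above. Which cookies count as "session" cookies is guessed from the name with an assumed pattern (sess, sid, auth, token, jwt), and the sample header lines are constructed.

```javascript
// Added example: parse Set-Cookie headers and flag missing security attributes.

// Split "name=value; Attr; Attr=val" into the cookie name and a lowercase attribute map.
function parseSetCookie(line) {
  const [pair, ...attrs] = line.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attributes = {};
  for (const a of attrs) {
    const i = a.indexOf("=");
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : a.slice(i + 1); // flag attributes become `true`
  }
  return { name, attributes };
}

// Assumed heuristic: cookie names that usually carry a session or auth token.
const SESSION_COOKIE_HINT = /sess|sid|auth|token|jwt/i;

/**
 * Audit an array of Set-Cookie header values.
 * `production` mirrors the `secure: NODE_ENV === "production"` rule in the snippet above.
 * Returns [{ cookie, issue }] in the same wording as the score table.
 */
function auditCookies(setCookieLines, { production = true } = {}) {
  const findings = [];
  for (const line of setCookieLines) {
    const { name, attributes } = parseSetCookie(line);
    const sameSite = typeof attributes.samesite === "string" ? attributes.samesite.toLowerCase() : undefined;
    if (SESSION_COOKIE_HINT.test(name) && !attributes.httponly) {
      findings.push({ cookie: name, issue: "Missing HttpOnly on session cookie" });
    }
    if (production && !attributes.secure) {
      findings.push({ cookie: name, issue: "Missing Secure flag in production" });
    }
    if (sameSite === undefined) {
      findings.push({ cookie: name, issue: "Missing SameSite attribute" });
    }
    // Browsers reject SameSite=None cookies that are not also Secure.
    if (sameSite === "none" && !attributes.secure) {
      findings.push({ cookie: name, issue: "SameSite=None without Secure" });
    }
  }
  return findings;
}

// Constructed sample: four Set-Cookie values as a response might send them.
const SAMPLE_SET_COOKIE = [
  "sid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",   // correctly configured
  "connect.sid=s%3Axyz; Path=/",                           // express-session with default cookie options
  "_ga=GA1.2.1; Path=/; Secure; SameSite=None",            // third-party style, acceptable
  "pref=dark; Path=/; SameSite=None",                      // SameSite=None but not Secure
];

console.table(auditCookies(SAMPLE_SET_COOKIE));
```

In Node 18+ the header values for a live response come from `(await fetch(url)).headers.getSetCookie()`, which returns exactly the array shape `auditCookies` expects.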


Category 4: Email Security — SPF, DKIM, DMARC (Impact: 10–15 points)

Email authentication records are pure DNS configuration. No code changes, no deployments. Yet they are missing on a large percentage of domains.

What drops your score

| Missing record                   | Typical point cost |
|----------------------------------|--------------------|
| No DMARC record                  | -5 to -8 pts       |
| DMARC p=none (no enforcement)    | -2 to -3 pts       |
| No SPF record                    | -3 to -5 pts       |
| SPF too permissive (+all)        | -1 to -2 pts       |
| No DKIM record                   | -2 to -4 pts       |

The fix

SPF — add a TXT record at your root domain:

v=spf1 include:_spf.google.com include:sendgrid.net -all

DKIM — generated by your email provider (Google Workspace, SendGrid, etc.) — follow their DNS record setup guide.

DMARC — start with monitoring mode:

Type: TXT
Name: _dmarc.yourdomain.com
Value: v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com

After 2–4 weeks of collecting DMARC reports and verifying all legitimate email is authenticated, move to:

v=DMARC1; p=quarantine; rua=mailto:dmarc@yourdomain.com

And eventually:

v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com

Time to fix: 30–60 minutes (DNS propagation takes up to 48 hours, but that is not your time). Point recovery: 8–12 points.
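Once the records are published it is worth checking them the way a scanner does, because a typo such as `+all` or a forgotten `p=` tag is invisible in the DNS control panel. The block below is an added example, not ZeriFlow's or the author's code: it evaluates SPF and DMARC TXT record strings for the failure modes in the table above (missing record, `+all` / `?all`, `p=none`, missing `rua=`), plus the SPF 10-lookup limit from RFC 7208. The sample records are constructed from the values shown in this section; the function names are this example's own.

```javascript
// Added example: evaluate SPF and DMARC TXT records for the failure modes scored above.

/** Audit the TXT records at the root domain. Returns { status, reasons, all }. */
function auditSpf(txtRecords) {
  const spf = txtRecords.filter((r) => /^v=spf1(\s|$)/i.test(r));
  if (spf.length === 0) return { status: "missing", reasons: ["no SPF record"], all: null };
  if (spf.length > 1) return { status: "invalid", reasons: ["more than one SPF record (RFC 7208 allows exactly one)"], all: null };

  const terms = spf[0].split(/\s+/).slice(1); // drop the "v=spf1" version tag
  const reasons = [];
  const all = terms.find((t) => /^[+\-~?]?all$/i.test(t));
  if (!all) reasons.push("no 'all' mechanism, so unlisted senders get a neutral result");
  else if (/^\+?all$/i.test(all)) reasons.push("'+all' authorises every sender on the internet");
  else if (all === "?all") reasons.push("'?all' is neutral, not enforcing");

  // include:, a, mx, exists: and redirect= each cost a DNS lookup; RFC 7208 caps these at 10.
  const lookups = terms.filter((t) => /^[+\-~?]?(include:|a\b|mx\b|exists:|redirect=)/i.test(t)).length;
  if (lookups > 10) reasons.push(`${lookups} lookup terms exceed the 10-lookup limit`);

  return { status: reasons.length ? "weak" : "ok", reasons, all: all ? all.toLowerCase() : null };
}

/** Audit the TXT records at _dmarc.<domain>. Returns { status, policy, reasons }. */
function auditDmarc(txtRecords) {
  const dmarc = txtRecords.find((r) => /^v=DMARC1(\s*;|$)/i.test(r));
  if (!dmarc) return { status: "missing", policy: null, reasons: ["no DMARC record"] };

  // "v=DMARC1; p=none; rua=mailto:..." -> { v: "DMARC1", p: "none", rua: "mailto:..." }
  const tags = Object.fromEntries(
    dmarc.split(";").map((t) => t.trim()).filter((t) => t.includes("=")).map((t) => {
      const i = t.indexOf("=");
      return [t.slice(0, i).trim().toLowerCase(), t.slice(i + 1).trim()];
    })
  );
  const reasons = [];
  const policy = (tags.p || "").toLowerCase();
  if (!policy) reasons.push("missing required p= tag");
  else if (policy === "none") reasons.push("p=none is monitoring only; no enforcement");
  if (!tags.rua) reasons.push("no rua= address, so aggregate reports are not collected");
  if (tags.pct !== undefined && Number(tags.pct) < 100) reasons.push(`pct=${tags.pct} applies the policy to only part of the mail flow`);

  return { status: reasons.length ? "weak" : "ok", policy: policy || null, reasons };
}

// Constructed samples built from the records shown in this section.
const ROOT_TXT = [
  "v=spf1 include:_spf.google.com include:sendgrid.net -all",
  "google-site-verification=EXAMPLE-PLACEHOLDER",
];
const PERMISSIVE_TXT = ["v=spf1 include:_spf.google.com +all"];
const DMARC_MONITOR = ["v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com"];
const DMARC_REJECT = ["v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com"];

console.log("SPF:", auditSpf(ROOT_TXT), auditSpf(PERMISSIVE_TXT));
console.log("DMARC:", auditDmarc(DMARC_MONITOR), auditDmarc(DMARC_REJECT), auditDmarc([]));
```

For a live domain, `require("node:dns").promises.resolveTxt(name)` returns each TXT record as an array of string chunks; join each chunk array with `""` before passing the records in, since long SPF records are often split into several 255-byte strings.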


Quick Wins vs Longer Fixes

Quick wins (under 30 minutes each)

These fixes require minimal research and have immediate impact:

  1. Add X-Content-Type-Options: nosniff — one line in any web server or framework config
  2. Add X-Frame-Options: DENY — one line, immediate clickjacking protection
  3. Enable HSTS — one header line, but verify your HTTPS is working first
  4. Add Referrer-Policy: strict-origin-when-cross-origin — one line
  5. Fix missing SameSite on session cookie — one option in your session middleware

Medium fixes (30–90 minutes)

  1. Configure CSP header — requires identifying all resource sources for your app
  2. Add Permissions-Policy — requires knowing which browser APIs your app uses
  3. Fix TLS protocol versions — hosting configuration, may require testing
  4. Add SPF record — requires identifying all email sending services

Longer fixes (2–8 hours, or async)

  1. DKIM setup — requires coordination with each email sending service
  2. DMARC implementation — requires monitoring period before enforcement
  3. Full CSP with nonces — requires App Router middleware setup and testing
  4. HSTS preload submission — requires verifying all subdomains serve HTTPS

Before and After: A Realistic Example

Here is what a typical SaaS application score looks like before and after a one-day optimization sprint:

| Category          | Before  | After   | Gain |
|-------------------|---------|---------|------|
| Security Headers  | 25/100  | 90/100  | +65  |
| TLS               | 75/100  | 95/100  | +20  |
| Cookies           | 50/100  | 90/100  | +40  |
| Email Security    | 30/100  | 70/100  | +40  |
| DNS               | 80/100  | 85/100  | +5   |
| Overall           | 62/100  | 88/100  | +26  |

These numbers are real ranges based on common SaaS application profiles. Most of the gains come from the security headers category, which is pure configuration.

Getting from 88 to 95+ typically requires DMARC enforcement (monitoring period needed), full nonce-based CSP (more development effort), and subdomain coverage (broader infrastructure changes).


Maintaining Your Score Over Time

A security score is a snapshot, not a permanent state. Your score can drop when:

  • A certificate expires
  • A hosting provider enables a deprecated TLS version by default after an update
  • A new cookie is added without security flags
  • DNS records are modified and DMARC alignment breaks
  • A new CSP-violating third-party script is added

Set up automated monitoring to alert you when your score drops. ZeriFlow's monitoring feature runs daily or weekly scans and sends alerts via email, Slack, or Discord when findings change. This turns security from a quarterly event into a continuous signal.


The 90-Minute Path to 90+

If you have a standard Next.js or Express application with no security headers currently configured, here is a realistic schedule:

0–30 min: Run ZeriFlow baseline scan, take screenshots of current score, add all 7 security headers to next.config.js or Express/helmet

30–60 min: Fix cookie security flags in session middleware, run a second scan to confirm headers are correct

60–90 min: Add SPF record and DKIM records for your email provider(s), add DMARC p=none record

After DNS propagates (24–48 hours): Run a final scan to confirm email authentication is passing. Your score should be 85–92+ depending on TLS configuration.

The only thing that keeps most applications below 90 at this point is TLS configuration controlled by the hosting provider and DMARC still in p=none monitoring mode.

Start your baseline scan now at zeriflow.com/free-scan — it takes 60 seconds and shows you exactly which fixes will have the most impact for your specific site.


Summary

Improving your website security score from 60 to 90+ in a day is achievable for most applications because the biggest score gaps are in security headers (20–25 points), email authentication (10–15 points), TLS configuration (8–15 points), and cookie security (5–10 points). All of these are configuration fixes, not architectural changes. Start with a free ZeriFlow scan to get your exact baseline and prioritized fix list, work through headers and cookies first (highest impact, fastest fixes), then tackle email authentication records in DNS. Set up monitoring so your score does not silently regress after future deployments.
