Browser security

Mozilla Observatory grade

Mozilla's web security observatory grade. Target: A+.

Healthy

grade B+ · 1 excluded

Checked 5/30/2026, 4:00:51 PM · Source: Scheduled probe

Mozilla web-security observatory grade. Score: 80. 9/10 tests passed. Target is A or above.

What this check means

A Mozilla-operated security observatory grades sites against a battery of HTTP-level security checks. It uses a different methodology from the headers grade above; we track both as defence in depth.

Documented exclusions (1)

1 finding type is deliberately not actioned here. Grouped by reason below — we publish them so the trade-offs and false-positive suppressions are visible and reviewable, not hidden.

Trade-offs · 1

Recommended setting would break legitimate functionality. We accept the finding instead.

  • content-security-policy

    OWASP requires CSP without `unsafe-inline` or any `eval` family directive. Two intentional deviations:

    (1) `unsafe-inline` — Next.js's React hydration requires inline `<script>` tags; eliminating it needs a per-request nonce-based CSP threaded through every render path (a substantial refactor that also has to coexist with our 6 third-party scripts: Cloudflare Insights, Sentry, Auth0, Google Ads, Microsoft Clarity, Google Analytics).

    (2) `wasm-unsafe-eval` — required in production for client-side PDF export (`@react-pdf/renderer` compiles a WASM font/layout module via `WebAssembly.instantiate`). This is the narrow modern directive that permits WASM compile/instantiate ONLY — it does NOT permit JS `eval()`, `new Function()`, or string-form `setTimeout`. Removing it breaks PDF export with a `CompileError`.

    The broad `unsafe-eval` remains absent from the production CSP.

Recent runs

| When | Result | Source |
|---|---|---|
| 5/30/2026, 4:00:51 PM | grade B+ · 1 excluded | Scheduled probe |
| 5/30/2026, 3:00:49 PM | grade B+ · 1 excluded | Scheduled probe |
| 5/30/2026, 2:00:48 PM | grade B+ · 1 excluded | Scheduled probe |
| 5/30/2026, 1:00:45 PM | grade B+ · 1 excluded | Scheduled probe |
| 5/30/2026, 12:00:47 PM | grade B+ · 1 excluded | Scheduled probe |
| 5/30/2026, 11:01:04 AM | grade B+ · 1 excluded | Scheduled probe |
| 5/30/2026, 10:01:06 AM | grade B+ · 1 excluded | Scheduled probe |
| 5/30/2026, 9:01:06 AM | grade B+ · 1 excluded | Scheduled probe |
| 5/30/2026, 8:01:07 AM | grade B+ · 1 excluded | Scheduled probe |
| 5/30/2026, 7:01:06 AM | grade B+ · 1 excluded | Scheduled probe |
| 5/30/2026, 6:01:05 AM | grade B+ · 1 excluded | Scheduled probe |
| 5/30/2026, 5:01:04 AM | grade B+ · 1 excluded | Scheduled probe |
| 5/30/2026, 4:01:06 AM | grade B+ · 1 excluded | Scheduled probe |
| 5/30/2026, 3:01:05 AM | grade B+ · 1 excluded | Scheduled probe |
| 5/30/2026, 2:01:06 AM | grade B+ · 1 excluded | Scheduled probe |
| 5/30/2026, 1:01:05 AM | grade B+ · 1 excluded | Scheduled probe |
| 5/30/2026, 12:01:05 AM | grade B+ · 1 excluded | Scheduled probe |
| 5/29/2026, 11:01:05 PM | grade B+ · 1 excluded | Scheduled probe |
| 5/29/2026, 10:01:06 PM | grade B+ · 1 excluded | Scheduled probe |
| 5/29/2026, 9:01:07 PM | grade B+ · 1 excluded | Scheduled probe |
| 5/29/2026, 8:01:04 PM | grade B+ · 1 excluded | Scheduled probe |
| 5/29/2026, 7:00:56 PM | grade B+ · 1 excluded | Scheduled probe |
| 5/29/2026, 6:00:56 PM | grade B+ · 1 excluded | Scheduled probe |
| 5/29/2026, 5:00:58 PM | grade B+ · 1 excluded | Scheduled probe |
| 5/29/2026, 4:00:56 PM | grade B+ · 1 excluded | Scheduled probe |
| 5/29/2026, 3:00:56 PM | grade B+ · 1 excluded | Scheduled probe |
| 5/29/2026, 2:00:58 PM | grade B+ · 1 excluded | Scheduled probe |
| 5/29/2026, 1:00:57 PM | grade B+ · 1 excluded | Scheduled probe |
| 5/29/2026, 12:00:58 PM | grade B+ · 1 excluded | Scheduled probe |
| 5/29/2026, 11:00:56 AM | grade B+ · 1 excluded | Scheduled probe |

Need additional detail (sanitised report, supporting evidence)? security@theartofcto.com