Appraise.net Earned an A+ in Website Security. Why It Matters for Your Domains

By Appraise.net

In the domain industry, and in many others, security is often viewed as an "unnecessary expense" -- until it bites. By the time an investigation shows your data was leaked or your account was hijacked, the damage is done. If you conduct your business entirely online, a security breach isn't just a setback; it's a total loss event.

When you use a domain appraisal tool, you're sharing intellectual property: your domain portfolio, your investment strategy, your niche interests. You're trusting that site with data that has real financial implications.

We asked ourselves a simple question: How well do domain industry platforms actually protect their users?

To find out, we ran Appraise.net -- and a collection of popular registrars, marketplaces, and domaining tools -- through the Mozilla HTTP Observatory, a free, open-source security scanner developed by Mozilla (the makers of Firefox). The Observatory tests websites against established security best practices and assigns a letter grade from F to A+.

Appraise.net scored an A+ with 105 points.
In an industry where "D" is the standard, here's what that means, why it matters, and how the rest of the industry stacks up.

What Is the Mozilla HTTP Observatory?

The HTTP Observatory was originally built as an internal tool for Mozilla's own engineers in 2016. It proved so useful that they released it publicly, and it has since been used to scan over 6.9 million websites a total of 47 million times. In 2024, it found a permanent home on MDN Web Docs, Mozilla's widely respected developer resource.

The Observatory evaluates your website's HTTP security headers and configuration across 10 specific tests. Every site starts with a baseline score of 100, with penalties for missing protections and bonuses for going above and beyond. A score of 90 or higher earns an A; bonus points on top of that can push you into A+ territory.

It's worth noting what the Observatory's own documentation says about the broader landscape: the vast majority of websites scanned receive an F. An A+ puts a site in rare company.

The "Open Tab" Threat: Why Your Browser Is a Battleground

Most users don't realize that their web browser is a shared environment. If you have Appraise.net open in one tab and a poorly secured "free" tool or a malicious forum open in another, that second tab can attempt to "reach over" and interact with your other sessions.

At Appraise.net, we don't know (and don't care) if you own the domains you're appraising. We aren't your registrar. But we are responsible for protecting your session while you're with us. If you are using our service alongside other potentially malicious sites, our security headers act as a containment field. We ensure that what happens on Appraise.net stays on Appraise.net, protecting your credentials and strategy from the "noisy neighbors" in your other browser tabs.

What the Observatory Tests and Why Each Test Protects You

Here's a breakdown of every test the Observatory runs, what it checks, what attack it defends against, and how Appraise.net performed.

1. The Hijack Shield (Content Security Policy)

What it is: A set of rules the site sends to your browser dictating exactly which scripts, styles, images, and other resources are allowed to load -- and from where.

The Risk: This is the primary defense against Cross-Site Scripting (XSS) attacks, one of the most common web vulnerabilities. In an XSS attack, a malicious script is injected into a page you're viewing. Without CSP, your browser has no way to distinguish legitimate code from an attacker's payload. That injected script could steal your session, redirect you to a phishing page, or capture data you enter on the site.

Our Defense: Our CSP gives your browser a "whitelist." It says: "Only run code from these specific, trusted sources. Reject everything else."

Appraise.net result: ✅ Passed -- CSP is implemented with form-action locked down to prevent form hijacking. The Observatory noted that style-src includes 'unsafe-inline', which is common for sites using modern CSS frameworks, and recommends tightening it further -- something we're actively working on.

2. Cookies

What it is: Checks whether cookies (small data files stored in your browser) are configured with proper security flags: Secure (only sent over HTTPS), HttpOnly (inaccessible to JavaScript), and SameSite (restricted from being sent in cross-site requests).

The Risk: Cookies often contain your session token -- the proof that you're logged in. If a cookie isn't marked Secure, it could be intercepted over an unencrypted connection. Without HttpOnly, a successful XSS attack could steal your session outright. Missing SameSite leaves you vulnerable to Cross-Site Request Forgery (CSRF), where an attacker tricks your browser into performing actions on a site where you're already authenticated.

Appraise.net result: ✅ No cookies detected -- Appraise.net's architecture avoids setting tracking or session cookies during standard use, which eliminates this entire category of risk.

3. Cross-Origin Resource Sharing (CORS)

What it is: CORS headers control whether other websites can read data from your site's responses. Misconfigured CORS can allow any website on the internet to make requests to a service and read the responses as if they were the authenticated user.

The Risk: If a domain tool had overly permissive CORS settings and you were logged in, a malicious site you happened to visit could silently query that tool's API and extract your portfolio data, account details, or appraisal history -- all without your knowledge.

Appraise.net result: ✅ Passed -- Content is not visible via cross-origin resource sharing. Other sites cannot read Appraise.net responses.

4. The "Coffee Shop" Defense: Redirection

What it is: Tests whether the site properly redirects HTTP traffic to HTTPS, ensuring the entire connection is encrypted from the very first request.

The Risk: If you type appraise.net into your browser without specifying https://, the initial request goes out unencrypted. An attacker on the same network (coffee shop Wi-Fi, hotel, airport) could intercept that first request and redirect you to a fake version of the site. Proper redirection ensures that even if your initial request is HTTP, you're immediately and seamlessly moved to the encrypted version.

Appraise.net result: ✅ Passed -- Initial redirection is to HTTPS on the same host, and the final destination is HTTPS.

5. Referrer Policy

What it is: Controls how much information your browser shares about where you came from when you click a link or load a resource. For example, if you navigate from a page showing your domain portfolio to an external site, the Referrer header could leak the URL of that portfolio page.

The Risk: URLs can contain sensitive information -- search queries, account identifiers, internal page paths. A strict Referrer Policy prevents this data from being leaked to third-party sites you navigate to, or to external resources (like analytics scripts or CDN-hosted libraries) loaded by the page.

Appraise.net result: ✅ Passed (+5 bonus) -- Referrer-Policy is set to strict-origin-when-cross-origin, which shares only the domain name (not the full URL path) when navigating to external sites, and shares nothing at all when downgrading from HTTPS to HTTP.

6. Strict Transport Security (HSTS)

What it is: An HTTP header that tells your browser: "For the next X months, never even attempt to connect to this site over plain HTTP. Always use HTTPS, no exceptions."

The Risk: On public Wi-Fi, an attacker can intercept your connection and "downgrade" it to an unencrypted version to see everything you type (SSL stripping). Redirection alone leaves a window open: without HSTS, every single visit starts with a brief, vulnerable HTTP moment before the redirect kicks in. HSTS closes that window.

Our Defense: Strict Transport Security (HSTS) tells your browser: "Never even attempt to connect via plain HTTP. Use encryption from the first millisecond." Your browser remembers that instruction and connects securely on every later visit, which makes HSTS your strongest defense against SSL-stripping attacks.

Appraise.net result: ✅ Passed -- HSTS header is set to a minimum of six months (15,768,000 seconds). The Observatory recommends considering HSTS preloading (submitting to browser preload lists so that even the very first visit is forced to HTTPS), which we're evaluating.

7. Subresource Integrity (SRI)

What it is: A mechanism that lets the site specify an expected cryptographic hash for external scripts and stylesheets. When your browser downloads the resource, it computes its own hash and compares it to the expected value. If they don't match, the resource is blocked.

The Risk: Imagine a popular JavaScript library hosted on a CDN gets compromised -- the attacker modifies the file to include malicious code. Every site loading that library would suddenly be serving the attacker's code to its users. SRI prevents this by ensuring that if even a single byte of the external file changes, your browser refuses to execute it.

Appraise.net result: ⚠️ Not yet implemented -- This is the one area where we haven't yet achieved full compliance. All our external scripts are loaded over HTTPS (so they're protected in transit), but we haven't yet added hash verification. This is on our roadmap; we will implement it once a workable solution exists for Google Analytics, a library that is essential for tracking our marketing efficiency and user engagement. It costs us 5 points, and implementing it would bring our score even higher.
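As an added example (not code from Appraise.net or from any library the page mentions), here is how an integrity value is generated and how a browser-style check rejects a file that changed after the hash was published. The script contents are constructed, and the tag helper and names are illustrative.

```python
import base64
import hashlib
import hmac

# Constructed sample: the script bytes as they were when the page author
# generated the integrity value, and a copy with a line added afterwards.
ORIGINAL_JS = b"window.appraiseWidget = { version: '1.0' };\n"
MODIFIED_JS = ORIGINAL_JS + b"/* line added after the hash was published */\n"

STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}  # the algorithms SRI allows

def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Return the integrity attribute value for content, e.g. 'sha384-<base64>'."""
    if algorithm not in STRENGTH:
        raise ValueError("SRI permits only sha256, sha384 or sha512")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"

def sri_verify(content: bytes, integrity: str) -> bool:
    """Mimic the browser's check: of the tokens in the attribute, only those
    using the strongest listed algorithm count, and the fetched bytes pass if
    they match any one of them. Tokens with unknown algorithms are ignored."""
    by_alg: dict[str, list[str]] = {}
    for token in integrity.split():
        alg, _, expected = token.partition("-")
        if alg in STRENGTH:
            by_alg.setdefault(alg, []).append(expected)
    if not by_alg:
        return True  # no usable metadata: the browser loads the file unchecked
    strongest = max(by_alg, key=STRENGTH.__getitem__)
    actual = sri_hash(content, strongest).split("-", 1)[1]
    return any(hmac.compare_digest(actual.encode(), exp.encode())
               for exp in by_alg[strongest])

def script_tag(src: str, content: bytes) -> str:
    """Build the tag a page would embed; crossorigin="anonymous" is needed for
    SRI on a cross-origin script so the browser is allowed to read the bytes."""
    return (f'<script src="{src}" integrity="{sri_hash(content)}" '
            f'crossorigin="anonymous"></script>')
```

The "no usable metadata" branch is the trap to watch for: a typo in the algorithm name silently disables the check instead of failing closed.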

8. X-Content-Type-Options

What it is: A simple but important header (nosniff) that tells browsers to respect the declared content type of a file and not try to guess what it is.

The Risk: Without this header, browsers may "sniff" a file's content and decide to treat it differently than intended. An attacker could upload a file that looks like an image but contains JavaScript. Without nosniff, the browser might execute the JavaScript. With it, the browser follows the server's instructions: "I said this is an image, treat it as an image, period."

Appraise.net result: ✅ Passed -- X-Content-Type-Options is set to nosniff.

9. The "Ghost Click" Guard (X-Frame-Options / Clickjacking Protection)

What it is: Controls whether your site can be embedded inside a frame or iframe on another website.

The Risk: Clickjacking. An attacker embeds Appraise.net in an invisible window on their own site, overlays it with deceptive content, and tricks you into clicking buttons on our platform that you can't see. You think you're clicking "Play Video" but you're actually clicking "Confirm Transfer" or "Grant Access" on the hidden site underneath.

Our Defense: We forbid our site from being "framed" by anyone else, preventing this entire class of deception.

Appraise.net result: ✅ Passed (+5 bonus) -- Frame embedding is blocked via the CSP frame-ancestors directive, which is the modern, more flexible successor to the older X-Frame-Options header.

10. Cross-Origin Resource Policy (CORP)

What it is: An additional layer that controls whether other origins can embed or fetch resources from your site (images, scripts, etc.).

The Risk: This works alongside CORS to provide defense-in-depth against speculative side-channel attacks (like Spectre) and unauthorized resource embedding.

Appraise.net result: ℹ️ Not implemented (defaults to cross-origin) -- This is an informational test and does not affect the score. The default behavior is standard for most websites.

Appraise.net's Score Summary

Test Score Status
Content Security Policy 0 ✅ Passed
Cookies -- ✅ No cookies detected
CORS 0 ✅ Passed
Redirection 0 ✅ Passed
Referrer Policy +5 ✅ Passed (Bonus)
Strict Transport Security 0 ✅ Passed
Subresource Integrity −5 ⚠️ Google Analytics external library is acceptable exception
X-Content-Type-Options 0 ✅ Passed
X-Frame-Options +5 ✅ Passed (Bonus)
CORP -- ℹ️ Informational
Total 105/100 Grade: A+
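As an added illustration (not code from Appraise.net or from the Observatory), here is a small Python checker that applies the header tests described above to one response's headers. The sample header set is constructed to mirror the configuration described for Appraise.net, and the pass/fail rules are a simplified reading of the tests, not Mozilla's scoring rubric.

```python
SIX_MONTHS = 15_768_000  # minimum HSTS max-age the article cites
STRICT_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                   "strict-origin-when-cross-origin"}

# Constructed sample headers modelled on the configuration the article describes.
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=15768000; includeSubDomains",
    "Content-Security-Policy": ("default-src 'self'; script-src 'self'; "
                                "style-src 'self' 'unsafe-inline'; "
                                "form-action 'self'; frame-ancestors 'none'"),
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "X-Content-Type-Options": "nosniff",
}

def csp_directives(csp: str) -> dict[str, list[str]]:
    """Parse a CSP value into {directive: [sources]} with lower-cased names."""
    out: dict[str, list[str]] = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out

def hsts_max_age(value: str) -> int:
    """Return max-age from an HSTS value, or 0 if missing or malformed."""
    for attr in value.split(";"):
        name, _, num = attr.strip().partition("=")
        if name.lower() == "max-age" and num.strip().isdigit():
            return int(num)
    return 0

def cookie_is_hardened(set_cookie: str) -> bool:
    """True if the Set-Cookie line carries Secure, HttpOnly and a SameSite value."""
    attrs = {a.strip().split("=")[0].lower() for a in set_cookie.split(";")[1:]}
    return {"secure", "httponly", "samesite"} <= attrs

def audit(headers: dict[str, str]) -> dict[str, bool]:
    """Apply the checks described above to one response's headers (names matched
    case-insensitively; a dict holds one Set-Cookie, real responses may send more)."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = csp_directives(h.get("content-security-policy", ""))
    # With no CSP at all, inline scripts run, so treat that like 'unsafe-inline'.
    script_src = csp.get("script-src", csp.get("default-src", ["'unsafe-inline'"]))
    xfo = h.get("x-frame-options", "").strip().upper()
    acao = h.get("access-control-allow-origin", "").strip()
    creds = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    return {
        "csp_present": bool(csp),
        "csp_form_action_locked": "form-action" in csp and "*" not in csp["form-action"],
        "csp_scripts_not_unsafe_inline": "'unsafe-inline'" not in script_src,
        "cookies_hardened": "set-cookie" not in h or cookie_is_hardened(h["set-cookie"]),
        "cors_no_credentialed_cross_origin_read": not (acao and creds),
        "hsts_at_least_six_months": hsts_max_age(h.get("strict-transport-security", "")) >= SIX_MONTHS,
        "referrer_policy_strict": h.get("referrer-policy", "").strip().lower() in STRICT_REFERRER,
        "nosniff": h.get("x-content-type-options", "").strip().lower() == "nosniff",
        "framing_blocked": ("frame-ancestors" in csp and "*" not in csp["frame-ancestors"])
                           or xfo in {"DENY", "SAMEORIGIN"},
    }
```

To run it against a live site, feed `audit()` the response headers from your HTTP client; the SRI and CORP tests are not covered because they depend on page content rather than on these headers.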

How Does the Domain Industry Compare?

We ran the industry's biggest names through the same Mozilla Observatory scan. The results show a significant gap between marketing promises and technical reality.

Notes:
A low grade doesn't mean a site is hacked, but it does mean the site lacks the modern "armor" that browsers use to protect you from common web attacks, and many of these fixes are straightforward to implement.

Click any platform name below to see the current score, which may have improved since publication.

Registrars

Platform                 Grade  Score    Tests Passed
Above.com                F      0/100    4/10
Atom.com                 B      75/100   9/10
Dynadot.com              F      0/100    6/10
Epik.com                 F      5/100    4/10
GNAME.com                F      0/100    3/10
DCC.GoDaddy.com          F      0/100    4/10
Name.com                 C      50/100   6/10
NameBright.com           D-     25/100   7/10
Namecheap.com            B      70/100   8/10
NameSilo.com             C      50/100   7/10
NetworkSolutions.com     B      75/100   9/10
Porkbun.com              F      0/100    6/10
Sav.com                  D+     40/100   5/10
Spaceship.com            B      70/100   8/10
UnstoppableDomains.com   B      75/100   9/10

Marketplaces

Platform                 Grade  Score    Tests Passed
Above.com                F      0/100    4/10
Afternic.com             D      30/100   5/10
Atom.com                 B      75/100   9/10
Auctions.GoDaddy.com     D      30/100   6/10
BrandBucket.com          D+     40/100   7/10
DropCatch.com            C      50/100   6/10
Dynadot.com              F      0/100    6/10
Efty.com                 D      35/100   6/10
Epik.com                 F      5/100    4/10
NameJet.com              C      55/100   8/10
Park.io                  C-     45/100   6/10
Porkbun.com              F      0/100    6/10
Saw.com                  C      50/100   7/10
Sedo.com                 C+     60/100   7/10
SnapNames.com            B      75/100   9/10
UnstoppableDomains.com   B      75/100   9/10

Domaining Tools

Platform                 Grade  Score           Tests Passed
Ahrefs.com               B      75/100          8/10
Appraise.net             A+     105/100         9/10
Catches.io               C-     45/100          6/10
DNX.com                  D-     25/100          5/10
DomainIQ.com             F      10/100          5/10
Domainr.com              F      15/100          4/10
DomainTools.com          B      70/100          7/10
DotDB.com                F      0/100           4/10
Estibot.com              N/A    Request failed  N/A
ExpiredDomains.net       B      75/100          8/10
NameBio.com              C      50/100          7/10
NamePros.com             C      55/100          7/10
SEMrush.com              B-     65/100          7/10
ParkingCrew.com          C      50/100          7/10

Domaining Blogs and Forums

Platform                 Grade  Score    Tests Passed
DNForum.com              D-     25/100   5/10
DNJournal.com            C      30/100   6/10
DomainInvesting.com      C      55/100   7/10
DomainGang.com           F      5/100    4/10
DomainNameWire.com       F      0/100    5/10
DomainSherpa.com         F      0/100    5/10
NamePros.com             C      55/100   7/10
OnlineDomain.com         F      0/100    5/10
TheDomains.com           C-     45/100   6/10

Site Building

Not directly related to the domain industry, but included to show where some notable platforms stand.

Platform                 Grade  Score    Tests Passed
Shopify.com              C      50/100   7/10
Wordpress.com            D-     25/100   8/10

Beyond the Site: DNS Security and ICANN Participation

Securing the website is the front door; securing the Domain Name System (DNS) is the foundation. If the DNS is compromised, you can be redirected to a fake site before you even reach us.

Scanning individual sites is only one layer of protecting users. The real foundation of trust online is the security, stability, and resilience of the Domain Name System itself -- the infrastructure that makes every domain query work. ICANN, the global coordinator of the DNS, has made DNS security and abuse mitigation a core priority through dedicated programs, measurement initiatives, and contractual obligations for registries and registrars.

Over the past few years, ICANN has launched and expanded efforts such as the DNS Abuse Mitigation Program and DNS Security Threat Mitigation Program, which provide data, tools, and enforcement around issues like phishing, malware, botnets, and other DNS abuse. These efforts are backed by concrete actions, including hundreds of investigations into potential violations of new DNS abuse mitigation requirements in registry and registrar contracts. ICANN has also promoted operational best practices for DNS operators through initiatives like KINDNS, which encourages DNS providers to voluntarily adopt stronger security norms for authoritative and recursive services.

This is why our company, Domaincracy LLC, is a member of the ICANN Business Constituency (BC). We participate in the multistakeholder model to influence how DNS security standards evolve. By engaging with programs like the DNS Abuse Mitigation Program, we help steer the industry toward a future where phishing, malware, and botnets are aggressively mitigated at the root level. The BC gives businesses that rely on domain names and DNS infrastructure a direct voice in policy discussions, contract updates, and security-focused initiatives.

If you run a registrar, marketplace, DNS service, SaaS platform, or any web-facing business that depends on domains resolving correctly and securely, consider joining the ICANN BC or getting involved in ICANN community work through the groups that fit your role. You'll not only stay ahead of incoming security and abuse obligations, you'll help steer them in a direction that protects end users, preserves innovation, and reflects real-world operational realities.

A Note on Honesty

Trust isn't built by hiding caveats. We want to be upfront about what the Observatory does and does not measure. Mozilla themselves are clear about this: the Observatory tests preventative measures against XSS attacks, man-in-the-middle attacks, cross-domain information leakage, insecure cookies, CDN compromises, and improperly issued certificates.

It does not test for:

  • Weak user passwords
  • Social engineering (phishing emails)
  • Outdated software or SQL injection vulnerabilities
  • Password storage practices
  • Vulnerabilities in third-party plugins

A good Observatory grade doesn't mean a site is invulnerable -- it means the site has implemented the foundational security headers that modern browsers rely on to protect users. Security is a partnership. We provide the fortress; you must keep your "key" (password) safe.

We share this because trust isn't built by hiding caveats. It's built by showing you exactly where we stand and letting you judge for yourself.

Why We Care

At Appraise.net, many of our users are professional domain investors managing portfolios worth millions of dollars. We know that for professional investors, domains are retirement funds and business foundations. When you paste a list of domains into our tool, you're revealing strategic information about your existing or potential investments. When you use our portfolio analyzer, you're sharing financial data.

We believe that if you're trusting us with that information, the least we can do is protect the connection between your browser and our servers with every tool available. An A+ on the Mozilla Observatory is one measurable way we demonstrate that commitment.

Try it yourself. Visit the Mozilla HTTP Observatory and scan any site -- including ours. The results are public and verifiable. No marketing spin required. If your current tools are scoring an F, ask yourself: What else are they cutting corners on?

A Message to the Industry

We didn't publish this to embarrass anyone. When we first ran Appraise.net through the Observatory during development, we scored a D, just like many of the platforms listed above. It took us roughly one dedicated afternoon to reach A+. The level of effort will vary depending on your site's complexity, framework, and deployment processes, but the Observatory tells you exactly what's missing and Mozilla's documentation explains how to fix each one.

We plan to re-scan every platform listed here in 60 days and update the tables with current scores. If you've made improvements before then, let us know -- we'll re-scan and update your entry on the spot. We'd love nothing more than to publish a follow-up where the entire industry is scoring B or higher.

A rising tide lifts all boats -- when every platform in our industry earns an A, the entire domain ecosystem becomes harder to attack.

If you're a registrar, marketplace, or tool operator and want to compare notes on implementation, we're happy to share what we've learned. Reach out to us at security@appraise.net -- no strings attached.

Scan your own site or verify our results at developer.mozilla.org/en-US/observatory