Renew certificates before they expire — the scan flags a shrinking days-until-expiry window, not just an already-expired cert.
Move off legacy TLS protocols; modern TLS versions are what the scan expects to see negotiated.
Use a certificate from a trusted chain — a self-signed or untrusted-chain cert is flagged directly.
HTTP security headers
Set Strict-Transport-Security with a max-age of at least ~180 days so HSTS is actually scored as good, not just present.
Add a Content-Security-Policy — its absence is one of the larger scoring penalties.
Set X-Content-Type-Options: nosniff, a restrictive X-Frame-Options (or frame-ancestors in your CSP), a Referrer-Policy, and a Permissions-Policy.
DNS hygiene
Publish an SPF record so mail claiming to be from your domain can be validated.
Publish a DMARC record, and move its policy beyond monitor-only (p=none) once you trust your SPF/DKIM setup.
Add a DKIM record at the selector your mail provider uses.
Add a CAA record to restrict which certificate authorities can issue for your domain.
Consider DNSSEC if your registrar and DNS provider support it.
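A small offline checker for the three DNS items above, written as an added example (it is not the scanner's own code). It takes the record strings as arguments rather than querying DNS, so the sample values are constructed, and the domain and CA names in them are placeholders. It goes slightly beyond the text by also checking how the SPF record terminates, since an SPF record that ends in +all validates nothing.

```python
"""Evaluate SPF, DMARC and CAA records against the points in the text.

Added example, not the scanner's code.  A real check would read the TXT
record at the apex (SPF), the TXT record at _dmarc.<domain> (DMARC) and
the CAA records at the apex; here the records are passed in as strings.
"""


def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=none; rua=...' into a dict of tag -> value."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def check_email_dns(spf_txt, dmarc_txt, caa_records):
    """Return a list of findings; an empty list means all three look good.

    spf_txt     - TXT record at the apex starting with v=spf1, or None
    dmarc_txt   - TXT record at _dmarc.<domain>, or None
    caa_records - list of (flags, tag, value) tuples, empty if none published
    """
    findings = []

    # SPF: must exist, and should end in -all or ~all so senders that are
    # not listed fail (or soft-fail) instead of passing.
    if not spf_txt or not spf_txt.lower().startswith("v=spf1"):
        findings.append("no SPF record")
    else:
        last = spf_txt.split()[-1].lower()
        if last in ("+all", "all"):
            findings.append("SPF ends in +all, which lets any sender pass")
        elif last not in ("-all", "~all"):
            findings.append("SPF has no terminating all mechanism")

    # DMARC: must exist, and the policy should be past monitor-only.
    if not dmarc_txt:
        findings.append("no DMARC record")
    else:
        tags = parse_dmarc(dmarc_txt)
        if tags.get("v", "").upper() != "DMARC1":
            findings.append("DMARC record does not start with v=DMARC1")
        if "p" not in tags:
            findings.append("DMARC record has no p= tag")
        else:
            policy = tags["p"].lower()
            if policy == "none":
                findings.append("DMARC policy is monitor-only (p=none)")
            elif policy not in ("quarantine", "reject"):
                findings.append("DMARC policy %r is not valid" % policy)

    # CAA: at least one issue/issuewild record restricts who may issue.
    if not any(tag in ("issue", "issuewild") for _, tag, _ in caa_records):
        findings.append("no CAA record restricting certificate issuance")

    return findings


# Constructed sample records; the hostnames and CA name are placeholders.
SAMPLE_SPF = "v=spf1 include:_spf.mail-provider.example ~all"
SAMPLE_DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
SAMPLE_DMARC_ENFORCED = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"
SAMPLE_CAA = [(0, "issue", "ca.example")]

if __name__ == "__main__":
    for label, dmarc in (("monitor", SAMPLE_DMARC_MONITOR), ("enforced", SAMPLE_DMARC_ENFORCED)):
        print(label, check_email_dns(SAMPLE_SPF, dmarc, SAMPLE_CAA))
```

The DKIM item is left out on purpose: its selector name comes from the mail provider, so there is no fixed name to look up without knowing that selector.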
Cookies & consent
Set the Secure flag on every cookie so it's never sent over plain HTTP.
Set HttpOnly on cookies that don't need JavaScript access, to limit XSS exposure.
Set a restrictive SameSite value instead of leaving it default or None.
If you set cookies before any consent interaction, that's flagged directly — align cookie-setting with your actual consent banner.
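The header checks in the HTTP security headers section and the cookie checks above both read the same response, so one added example covers both. It is not the scanner's code; it works on a constructed list of response headers rather than a live fetch, and the 180-day HSTS threshold is the one the text gives. The `before_consent` flag is an assumption standing in for the scanner's knowledge of whether a consent interaction happened before the response.

```python
"""Check security headers and Set-Cookie attributes of one HTTP response.

Added example, not the scanner's code.  `headers` is a list of
(name, value) pairs in the order the server sent them, which keeps
repeated Set-Cookie headers intact.
"""
import re

MIN_HSTS_MAX_AGE = 180 * 24 * 3600  # ~180 days, the threshold the text names


def check_headers(headers):
    """Return findings for the header points in the text; [] means all good."""
    found = {}
    for name, value in headers:
        found.setdefault(name.lower(), []).append(value)
    findings = []

    hsts = found.get("strict-transport-security")
    if not hsts:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age\s*=\s*(\d+)", hsts[0], re.I)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("HSTS max-age below ~180 days")

    if "content-security-policy" not in found:
        findings.append("missing Content-Security-Policy")

    if found.get("x-content-type-options", [""])[0].strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")

    # Framing: either a restrictive X-Frame-Options or frame-ancestors in CSP.
    csp = " ".join(found.get("content-security-policy", [])).lower()
    xfo = found.get("x-frame-options", [""])[0].strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN") and "frame-ancestors" not in csp:
        findings.append("no framing restriction (X-Frame-Options or frame-ancestors)")

    for h in ("referrer-policy", "permissions-policy"):
        if h not in found:
            findings.append("missing " + h.title())
    return findings


def check_cookies(headers, before_consent=False):
    """Return findings for every Set-Cookie header in the response.

    A missing HttpOnly is reported for review: it is fine only when a
    script genuinely has to read that cookie.
    """
    findings = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {}
        for p in parts[1:]:
            k, _, v = p.partition("=")
            attrs[k.strip().lower()] = v.strip()
        if "secure" not in attrs:
            findings.append(f"{cookie_name}: missing Secure")
        if "httponly" not in attrs:
            findings.append(f"{cookie_name}: missing HttpOnly")
        samesite = attrs.get("samesite", "").lower()
        if samesite not in ("lax", "strict"):
            findings.append(f"{cookie_name}: SameSite is {samesite or 'unset'}, not Lax or Strict")
        if before_consent:
            findings.append(f"{cookie_name}: set before any consent interaction")
    return findings


# Constructed sample response: hardened headers, one good cookie, one weak one.
SAMPLE_RESPONSE = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Permissions-Policy", "camera=(), microphone=()"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "tracker=xyz; Path=/; SameSite=None"),
]

if __name__ == "__main__":
    print(check_headers(SAMPLE_RESPONSE))
    print(check_cookies(SAMPLE_RESPONSE, before_consent=False))
```

Feeding the function a response that only sends `Strict-Transport-Security: max-age=3600` produces six findings, one per header point in the text, which is the kind of result the scan's larger penalties correspond to.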
Mixed content & exposure
Serve every subresource over HTTPS on an HTTPS page — even one http:// request is flagged as mixed content.
Make sure .git and .env are not reachable at your site root — either is a serious, directly flagged exposure.
Publish a /.well-known/security.txt — its presence is scored as a positive signal, not just its absence as a gap.
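The mixed-content point above can be checked against the HTML a server returns before the page is even loaded in a browser. The parser below is an added example, not the scanner's code: it walks the markup for attributes that make a browser fetch a subresource and reports any that resolve to http:// on an https:// page. The page URL and HTML are constructed. Because it only sees the served markup, it misses resources injected by script, which the scan's real page load does catch.

```python
"""Find http:// subresources referenced from an https:// page.

Added example, not the scanner's code.  Works on static markup only.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attributes whose URL the browser fetches as a subresource.
URL_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "source": ("src",),
}

# <link> only fetches for these rel values; a canonical link, for example, is not fetched.
FETCHED_LINK_RELS = {"stylesheet", "icon", "preload", "prefetch", "modulepreload"}


class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.mixed = []  # (tag, absolute_url) for every http:// subresource

    def handle_starttag(self, tag, attrs):
        attr_map = {name: (value or "") for name, value in attrs}
        if tag == "link":
            rels = set(attr_map.get("rel", "").lower().split())
            if not rels & FETCHED_LINK_RELS:
                return
        for attr_name in URL_ATTRS.get(tag, ()):
            value = attr_map.get(attr_name, "").strip()
            if not value:
                continue
            # Relative and scheme-relative URLs inherit https from the page,
            # so only an explicit http:// reference counts.
            absolute = urljoin(self.page_url, value)
            if urlsplit(absolute).scheme == "http":
                self.mixed.append((tag, absolute))


def find_mixed_content(page_url, html):
    """Return [(tag, url)] for each http:// subresource on an https:// page."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content only applies to a page served over HTTPS
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.mixed


# Constructed sample page: two of the five references are plain http://.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="canonical" href="http://www.example.com/">
<script src="http://cdn.example.net/lib.js"></script>
</head><body>
<img src="//images.example.com/logo.png">
<img src="http://images.example.com/banner.png" />
<iframe src="https://embed.example.org/widget"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, url in find_mixed_content("https://www.example.com/", SAMPLE_HTML):
        print(f"mixed content: <{tag}> loads {url}")
```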
Accessibility
The scan runs an automated accessibility pass (axe-core) on the page as loaded — it catches machine-detectable issues, not full manual WCAG conformance.
Prioritize violations by impact and how many elements they affect — that's exactly how the score is weighted.
Automated results don't replace a manual accessibility review; treat this as a first pass, not a certification.
What the scanner never does
It performs passive, browser-equivalent checks only — one page load, the same requests a normal visitor's browser would make.
It doesn't attempt exploitation, brute force, or anything beyond a single GET for the exposure checks.
It won't scan a private, internal, or loopback address — targets are validated before anything runs.
Run the scan again after you fix these to see the score and findings change.