Logo
Sign In

Certification & Scoring Guide

A guide to Web-PSQC’s PSQC certification framework and global web quality standards.

Web Test Certificate

An official document certifying the result of a single Web-PSQC test item. Use it to quickly prove performance in a specific area or confirm partial improvements.

Features
  • Issued immediately for a single test result
  • PDF download + QR code verification
  • Automatic email delivery
  • Detailed record of the test environment
  • Official DevTeam signature included
Use Cases
  • Client delivery proof
  • Demonstrate technical capability in proposals/grants
  • Internal quality management
  • Show advantage over competitors
  • Before/after website improvement comparison

PSQC Master Certificate

A comprehensive certificate issued after completing all 16 tests across Performance, Security, Quality, and Content, based on a weighted aggregate score.

Grade Scale (Based on 500 samples from Google page 1)
Grade Score Distribution (est.)
A+ 900 – 1000 Top ~2%
A 800 – 899 Top ~8%
B 700 – 799 Top ~15%
C 600 – 699 Top ~25%
D 500 – 599 Top ~40%
F < 500 Remaining (100%)
Value of the PSQC Certificate
  • Objective data: Raw data and detailed environment records for each test
  • QR verification: Real‑time authenticity and source data lookup
  • Transparent criteria: 16 test methods and scoring process disclosed
  • Business credibility: Independent, objective evaluation of web quality
  • Marketing differentiation: Quantifiable advantage over competitors
  • Delivery support: Evidence for meeting client requirements

Scoring Criteria for 16 Individual Tests

Performance (300 points)

Test Method A+ A B C D F
Global Speed 8 regions, new/return visits
TTFB & Load
Performance check
• Origin: TTFB ≤ 200ms, Load ≤ 1.5s
• Global average: TTFB ≤ 800 ms, Load ≤ 2.5s
• All regions: TTFB ≤ 1.5 s, Load ≤ 3s
• Return visit improvement: 80%+
• Origin: TTFB ≤ 400ms, Load ≤ 2.5s
• Global average: TTFB ≤ 1.2 s, Load ≤ 3.5s
• All regions: TTFB ≤ 2 s, Load ≤ 4s
• Return visit improvement: 60%+
• Origin: TTFB ≤ 800ms, Load ≤ 3.5s
• Global average: TTFB ≤ 1.6 s, Load ≤ 4.5s
• All regions: TTFB ≤ 2.5 s, Load ≤ 5.5s
• Return visit improvement: 50%+
• Origin: TTFB ≤ 1.2s, Load ≤ 4.5s
• Global average: TTFB ≤ 2.0 s, Load ≤ 5.5s
• All regions: TTFB ≤ 3.0 s, Load ≤ 6.5s
• Return visit improvement: 37.5%+
• Origin: TTFB ≤ 1.6s, Load ≤ 6.0s
• Global average: TTFB ≤ 2.5 s, Load ≤ 7.0s
• All regions: TTFB ≤ 3.5 s, Load ≤ 8.5s
• Return visit improvement: 25%+
• Below the above criteria
Load Test Virginia region
k6 load test
P95 response time
Stability check
Basic conditions:
100 VUs + 60 s
• Think time: 3–10 s

Performance criteria:
• P95 response time: < 1000 ms
• Error rate: < 0.1%
• Stability: P90 ≤ 200% of average
Basic conditions:
100 VUs + 60 s
• Think time: 3–10 s

Performance criteria:
• P95 response time: < 1200 ms
• Error rate: < 0.5%
• Stability: P90 ≤ 240% of average
Basic conditions:
50+ VUs + 45+ s
• Think time: 3–10 s

Performance criteria:
• P95 response time: < 1500 ms
• Error rate: < 1.0%
• Stability: P90 ≤ 280% of average
Basic conditions:
30+ VUs + 30+ s
• Think time: 3–10 s

Performance criteria:
• P95 response time: < 2000 ms
• Error rate: < 2.0%
• Stability: P90 ≤ 320% of average
Basic conditions:
10+ VUs + 15+ s
• Think time: 3–10 s

Performance criteria:
• P95 response time: < 3000 ms
• Error rate: < 5.0%
• Stability: P90 ≤ 400% of average
• Below the above criteria
Mobile Test iPhone/Galaxy
(Playwright)
Median response time (repeat visit)
JS errors · render width overflow
• Median response time: ≤ 800 ms
• JS runtime errors: 0
• Render width overflow: None
• Median response time: ≤ 1200 ms
• JS runtime errors: ≤ 1
• Render width overflow: None
• Median response time: ≤ 2000 ms
• JS runtime errors: ≤ 2
• Render width overflow: Allowed
• Median response time: ≤ 3000 ms
• JS runtime errors: ≤ 3
• Render width overflow: Frequent
• Median response time: ≤ 4000 ms
• JS runtime errors: ≤ 5
• Render width overflow: Severe
• Below the above criteria

Security (300 points)

Test Method A+ A B C D F
SSL Basics testssl.sh results
Protocols · ciphers · certificate
Vulnerabilities summary
Only latest TLS used, no known vulnerabilities
Strong cipher suites applied
• Certificate and chain fully valid
HSTS and other settings strong
TLS 1.2/1.3 supported; legacy blocked
No major vulnerabilities
• Possible minor weak ciphers or misconfigurations
Generally safe
Mostly secure protocols
Some weak cipher suites present
• Many testssl.sh WEAK warnings
Needs improvement
Some legacy TLS enabled
High use of weak crypto • Certificate near expiry / simple DV
Few vulnerabilities found
SSLv3/TLS 1.0 permitted
Many weak ciphers enabled
• Certificate chain errors/near expiry
Multiple vulnerabilities present
• SSL/TLS configuration fundamental flaws
Vulnerable protocols broadly allowed
• Certificate expired/self‑signed
• Many testssl.sh FAIL/VULNERABLE
SSL Advanced SSLyze deep analysis
Protocols · ciphers · certificate
OCSP · ALPN
Only TLS 1.3/1.2 allowed; no weak ciphers (all PFS)
• Certificate ECDSA or RSA≥3072, complete chain; expiry ≥ 60 days
OCSP Stapling enabled (Must‑Staple when supported)
• ALPN h2 negotiated; compression/insecure renegotiation disabled
TLS 1.3/1.2, strong ciphers first (mostly PFS)
• Certificate RSA≥2048, SHA‑256+, valid chain; expiry ≥ 30 days
OCSP Stapling active (occasional failure allowed)
h2 supported or proper ALPN; risky features disabled
TLS 1.2 required; 1.3 optional/unsupported; some CBC
• Certificate RSA≥2048, chain valid (expiry ≥ 14 days)
• OCSP Stapling disabled (OCSP responses acceptable)
• h2 may be unsupported; risky features mostly disabled
TLS 1.0/1.1 enabled or many weak ciphers (low PFS)
• Chain missing/weak signature (SHA‑1) or expiry imminent (≤ 14 days)
• Stapling absent; revocation status unclear
• h2 unsupported; some risky features enabled
• Obsolete protocols/ciphers (SSLv3/EXPORT/RC4) allowed
• Certificate mismatch/chain errors frequent
• Stapling fails; revocation checks impossible
Compression/insecure renegotiation enabled
• Defects at the level of handshake failures
Expired/self‑signed/hostname mismatch
• Widespread weak protocols/ciphers allowed
• Overall TLS configuration breakdown
Headers Header completeness
Strong CSP (nonce/hash/strict‑dynamic; no unsafe-*)
• XFO: DENY/SAMEORIGIN or limited frame‑ancestors
• X-Content-Type: nosniff
• Referrer-Policy: strict-origin-when-cross-origin or better
• Permissions‑Policy: unneeded features blocked
• HSTS: ≥ 6 months + include subdomains
CSP present (weaker allowed) or non‑CSP 5 items strong
XFO applied (or frame‑ancestors limited)
• X-Content-Type: nosniff
• Referrer‑Policy: recommended value
• Permissions‑Policy: basic restrictions
• HSTS: ≥ 6 months
• CSP none/weak
• XFO applied
• X-Content-Type: nosniff present
• Referrer‑Policy: okay/average
• Permissions‑Policy: partially restricted
• HSTS: short or no subdomains
Some headers present
• CSP none/weak
• Referrer‑Policy weak
• X-Content-Type missing
• HSTS absent or very short
• Only 1–2 key headers present
No CSP
• Referrer weak/absent
Many other headers missing
• Security headers virtually absent
No CSP/XFO/X-Content
No Referrer‑Policy
No HSTS
Vulnerability Scan Passive response analysis
HTTP header/body checks
(excluding CSP warnings)
OWASP ZAP Passive Scan
Main page only (1 URL)
No child crawling
• High/Medium 0
• Security headers complete (HTTPS, HSTS, X‑Frame‑Options, etc.)
No sensitive data exposure (cookies, comments, debug)
• Server/framework version info minimized
• CSP checks performed in a separate item
• High 0, Medium ≤1
• Security headers mostly present, minor gaps
No sensitive data exposure
Minor info exposure (e.g., server type)
• High ≤1, Medium ≤2
• Some headers missing (HSTS, X‑XSS‑Protection, etc.)
• Session cookies missing Secure/HttpOnly
Minor internal identifiers in comments/meta
• High ≥ 2 or Medium ≥ 3
• Key security headers absent
• Sensitive parameters/tokens exposed in response
Weak session management (cookie attributes inadequate)
Multiple Highs
• Authentication/session attributes severely missing
• Debug/dev info exposed (stack traces, internal IPs)
Exposed admin consoles/config files
Widespread High vulnerabilities
No HTTPS or entirely bypassed
• Sensitive data in plaintext/exposed
Lack of security headers and session controls overall
CVE Check Freshness‑based
Nuclei templates
2024–2025
(non‑intrusive, single URL)
• Critical/High 0, Medium 0
2024–2025 CVEs not detected
• No exposed directories/debug/sensitive files
• Security headers/banners minimal
• High ≤1, Medium ≤1
• No direct exposure to recent CVEs (bypass/conditions required)
Minor configuration warnings (informational)
• Patching/configuration good
• High ≤ 2 or Medium ≤ 3
• Some config/banner exposures
• Admin endpoints protected (hard to bypass)
• Patch delays for recent security releases
• High ≥ 3 or many Medium
• Exposed sensitive files/backups/indexing
Outdated components inferred (banners/meta)
• Patching/configuration needs systematic improvement
• Critical ≥ 1 or easily exploitable High
• Recent (2024–2025) CVEs directly impactful
Risky endpoints/files accessible without auth
• Sensitive info exposed (build/logs/env)
Multiple Critical/High present simultaneously
• Latest CVEs widely unpatched/exposed
Lacking basic security configs (defensive headers/access control)
Absent security guardrails overall

Quality (250 points)

Test Method A+ A B C D F
Lighthouse Integrated analysis of Performance + SEO + Accessibility
(Lighthouse)
• Performance: 90 points+
• Accessibility: 90 points+
• Best Practices: 90 points+
• SEO: 90 points+
• Overall average: 95 points+
• Performance: 85 points+
• Accessibility: 85 points+
• Best Practices: 85 points+
• SEO: 85 points+
• Overall average: 90 points+
• Performance: 75 points+
• Accessibility: 75 points+
• Best Practices: 75 points+
• SEO: 75 points+
• Overall average: 80 points+
• Performance: 65 points+
• Accessibility: 65 points+
• Best Practices: 65 points+
• SEO: 65 points+
• Overall average: 70 points+
• Performance: 55 points+
• Accessibility: 55 points+
• Best Practices: 55 points+
• SEO: 55 points+
• Overall average: 60 points+
• Performance: ≤ 54 points
• Accessibility: ≤ 54 points
• Best Practices: ≤ 54 points
• SEO: ≤ 54 points
• Overall average: ≤ 59 points
Accessibility WCAG 2.1 rule‑based
Automated accessibility checks
Evaluated via counts of errors/warnings
(axe‑core)
• critical=0, serious=0
• Total violations ≤ 3
• Keyboard/ARIA/alt text/contrast all good
• critical=0, serious ≤ 3
• Total violations ≤ 8
• Key landmarks/labels mostly good
• critical ≤ 1, serious ≤ 6
• Total violations ≤ 15
• Some contrast/labels need improvement
• critical ≤ 3, serious ≤ 10
• Total violations ≤ 25
• Focus/ARIA structure needs remediation
• critical ≤ 6 or serious ≤ 18
• Total violations ≤ 40
• Many keyboard traps/label omissions
• Exceeds the above (many critical/serious)
Difficult to use with screen readers/keyboard
Compatibility Chrome / Firefox / Safari
Based on JS/CSS errors
(Playwright)
• Chrome / Firefox / Safari all pass
• JS errors: 0
• CSS rendering errors: 0
• Major browser support good
• JS errors ≤ 1
• CSS errors ≤ 1
Minor differences among browsers
• JS errors ≤ 3
• CSS errors ≤ 3
Degraded functionality in some browsers
• JS errors ≤ 6
• CSS errors ≤ 6
Many compatibility issues
• JS errors ≤ 10
• CSS errors ≤ 10
Cannot operate on major browsers
• JS errors > 10
• CSS errors > 10
Responsive UI By key viewport
Overflow pixels (px) measurement
(mobile · foldable · tablet · desktop)
0 overflows across all viewports
• Body render width always within viewport
• Overflows ≤ 1 and each ≤ 8 px
• On narrow mobile (≤390 px): 0 overflows
• Overflows ≤ 2 and each ≤ 16 px
or on narrow mobile: ≤ 8 px (1)
• Overflows ≤ 4 or a single overflow is 17–32px
• Overflows > 4 or a single overflow is 33–64px
• Measurement failed or overflow ≥ 65 px

Content (150 points)

Test Method A+ A B C D F
Links Internal/external/image links
Anchor link status checks
Grade by error rate
(Broken Link Checker)
• Internal/external/image link error rate: 0%
• Redirect chains ≤ 1 hop
• Anchor links 100% valid
• Overall error rate ≤ 1%
• Redirect chains ≤ 2 hops
• Anchor links mostly valid
• Overall error rate ≤ 3%
• Redirect chains ≤ 3 hops
• Some invalid anchor links
• Overall error rate ≤ 5%
• Many link warnings (timeouts/SSL issues)
• Frequent anchor link errors
• Overall error rate ≤ 10%
Redirect loops or long chains
• Many broken image links
• Overall error rate ≥ 10%
• Many broken internal links
• Anchor/image links largely broken
Structured Data JSON‑LD/Schema.org based
Structured data errors/warnings (Google Rich Results Test)
• Schema.org schemas fully implemented
JSON‑LD format used
• Rich snippets 100% recognized
0 errors, no warnings
• Appropriate schema types applied
• Key schemas valid
• Implemented via JSON‑LD
• Rich snippets mostly recognized
No errors, ≤ 2 warnings
• Some core schemas missing
• Rich snippets recognized partially
• ≤ 1 error, ≤ 5 warnings
• Structured data incomplete
• Rich snippets unstable
• ≤ 3 errors, many warnings
• Some types inappropriate
• Structured data inconsistent/duplicated
• Rich snippets not recognized
≥ 4 errors
• Many warnings and wrong types
• Structured data not implemented
No JSON‑LD/Microdata
Pervasive errors
• Search engine rich snippets not possible
Crawl robots/sitemap validation
+ full crawl via sitemap
(internal quality/duplication analysis)
• robots.txt correctly applied
• sitemap.xml present; no missing/404
• All target pages return 2xx
• Site‑wide quality average ≥ 85 points
• Duplicate content ≤ 30%
• robots.txt correctly applied
• sitemap.xml present; consistent
• All target pages return 2xx
• Site‑wide quality average ≥ 85 points
• robots.txt and sitemap.xml present
• All target pages return 2xx
• Site‑wide quality average not required
• robots.txt and sitemap.xml present
• Some targets include 4xx/5xx
• robots.txt and sitemap.xml present
• Can generate target URLs (robots allowed + sitemap collected)
• However, low successful access rate or quality checks not feasible
No robots.txt or no sitemap.xml
Cannot generate crawl target list
Metadata Completeness‑based
(Meta Inspector CLI)
• Title: optimal length (50–60 chars)
• Description: optimal length (120–160 chars)
• Open Graph fully implemented
• Canonical accurate + Twitter Cards complete
• Title/Description within acceptable range
• Open Graph fully implemented
• Canonical correctly set
• Twitter Cards optional
• Title/Description basic and valid
• Open Graph basic tags
• Canonical set
• Some metadata omissions allowed
• Title/Description improper length
• Open Graph incomplete (key tags missing)
• Canonical inaccurate or missing
• Overall metadata quality degraded
• Title/Description severely improper length
• Open Graph insufficient basic tags
• Canonical incorrectly set
Insufficient basic metadata
• Title/Description not provided
• Open Graph absent
• Metadata largely not implemented
No basic SEO configurations

PSQC Overall Score and Grade Criteria

How PSQC Scores Are Calculated
Step 1: Individual test scores (each out of 100)

Every individual test is scored on a 100‑point scale.

(e.g., SSL Basics → 85, Mobile Test → 92, Links → 78)
Step 2: Apply weights by area
Performance = (Global Speed×1.0 + Load Test×1.0 + Mobile Test×1.0) = 300 points
Security = (SSL Basics×0.8 + SSL Advanced×0.6 + Headers×0.6 + Vulnerability Scan×0.6 + CVE Check×0.4) = 300 points
Quality = (Lighthouse×1.2 + Accessibility×0.7 + Compatibility×0.3 + Responsive UI×0.3) = 250 points
Content = (Links×0.5 + Structured Data×0.4 + Crawl×0.4 + Metadata×0.2) = 150 points
Step 3: Final composite score
Total = Performance (300) + Security (300) + Quality (250) + Content (150) = 1000 points

Global Web Standards & References

Web-PSQC is an independent website quality assessment service, built with reference to widely recognized web standards.

ISO/IEC 25010

International standard for software quality models

Functional suitability
Performance efficiency
Security
Compatibility

Web-PSQC mapping: We reference ISO 25010 quality characteristics to organize the Performance, Security, Quality, and Content areas. (Using Web-PSQC’s own evaluation approach)

WCAG 2.1

W3C Web Content Accessibility Guidelines

Perceivable
Operable
Understandable
Robust

Web-PSQC mapping: We reference WCAG 2.1 AA to build the accessibility deep‑dive test and use the axe‑core engine for automated checks.

Core Web Vitals

Google’s page experience metrics

LCP < 2.5 s
INP < 200 ms
CLS < 0.1

Web-PSQC mapping: We reference Core Web Vitals for performance assessments and measure real‑world experience via global region tests.

OWASP Security

Web application security practices

OWASP Top 10
ZAP dynamic scan
CVE database

Web-PSQC mapping: We reference OWASP Top 10 and CVE databases to set vulnerability scan criteria, using OWASP ZAP and the Nuclei engine.

Web-PSQC adapts methods and criteria from international standards to modern web environments. We fully disclose detailed methodologies and measured raw data for each test to ensure transparent, trustworthy results. Clients can use the provided data to define concrete, actionable website improvements.

Global Website Quality Benchmarks

Metric Excellence threshold Global attainment Source Related Web-PSQC test
Lighthouse all categories 90+ Performance, Accessibility,
Best Practices, SEO all 90+		 < 2% HTTP Archive (Lighthouse distribution) Quality/lighthouse
Core Web Vitals pass LCP < 2.5 s, INP/TBT < 200 ms, CLS < 0.1 ≈ 43-44% Chrome UX Report (CrUX) Performance/speed + Quality/lighthouse
SSL Labs A+ grade TLS 1.3, HSTS, hardened configuration ≈ 46% SSL Labs Security/ssl + Security/sslyze
WCAG 2.1 AA compliance
(automated checks)		 0 detected errors ≈ 5%
(94.8% detection rate)		 WebAIM Million Quality/accessibility
No OWASP Top 10 vulns 0 major vulnerabilities ≈ 30-40% OWASP Top 10 Security/scan + Security/nuclei
Schema.org structured data
fully implemented		 Implemented on all pages ≈ 25–35% W3C structured data stats Content/structure
Full browser compatibility Chrome, Firefox, Safari all OK ≈ 60–70% MDN compatibility data Quality/compatibility