What does a Mozilla Observatory grade mean?

A Mozilla Observatory grade (A+ down to F) scores the defensive HTTP headers and related settings your website sends with every response:

  • Content-Security-Policy — controls what the page is allowed to load
  • HSTS — tells browsers to never try plain HTTP
  • cookie flags — whether your cookies are marked Secure and HttpOnly
  • cross-origin policies — what other sites may embed or request from yours
  • redirect behaviour — whether HTTP traffic lands safely on HTTPS

It does not test your code or your server for vulnerabilities; it tests whether the browser-level guard rails are switched on. Most small business sites land at D or F, because almost no hosting platform or website builder sets these headers by default. Four in five Australian small business websites have no Content-Security-Policy header — the single largest contributor to the typical SMB Security score landing in the E/F band.* A failing grade means missing hardening, not an active compromise.
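The following is an added example, not part of the original page and not the Observatory's own scoring code. It checks one HTTP response offline against the five categories listed above, using standard header names (Content-Security-Policy, Strict-Transport-Security, X-Frame-Options as the embedding control) and the Secure/HttpOnly cookie attributes; the two sample responses are constructed, and the optional network helper uses only the standard library.

```python
"""Added example: a minimal offline audit of the header categories an
Observatory grade scores. Not the Observatory's algorithm; the checks below are
a simplified reading of the same categories."""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Header names are standard HTTP; the messages are ours.
REQUIRED_HEADERS = {
    "content-security-policy": "no Content-Security-Policy header: the page may load resources from anywhere",
    "strict-transport-security": "no Strict-Transport-Security header: browsers will still try plain HTTP",
    "x-frame-options": "no X-Frame-Options header: any site may embed this page in a frame",
}


def audit_response(headers, final_scheme):
    """Return a list of findings for one response (empty list means no gaps).

    headers: dict of header name -> value; names are case-insensitive and
             'Set-Cookie' may be a list when several cookies are set.
    final_scheme: scheme the request ended on after redirects ('http'/'https').
    """
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # Defensive headers that should be present on every response.
    for name, message in REQUIRED_HEADERS.items():
        if name not in h:
            findings.append(message)

    # Redirect behaviour: an HTTP request should finish on HTTPS.
    if final_scheme != "https":
        findings.append("request did not end on HTTPS")

    # Cookie flags: every cookie should carry both Secure and HttpOnly.
    cookies = h.get("set-cookie", [])
    if isinstance(cookies, str):
        cookies = [cookies]
    for raw in cookies:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            missing = [flag for flag in ("secure", "httponly") if not morsel[flag]]
            if missing:
                findings.append(f"cookie {name!r} lacks {', '.join(missing)}")
    return findings


def audit_url(url):
    """Fetch url, follow redirects, and audit the final response (needs network)."""
    import urllib.request

    with urllib.request.urlopen(url) as resp:
        headers = {}
        for key, value in resp.getheaders():
            # Keep repeated Set-Cookie headers instead of overwriting them.
            if key.lower() == "set-cookie":
                headers.setdefault("Set-Cookie", []).append(value)
            else:
                headers[key] = value
        return audit_response(headers, urlsplit(resp.geturl()).scheme)


# Constructed sample: what a typical hosting platform sends by default.
DEFAULT_HOSTING = {
    "Content-Type": "text/html",
    "Set-Cookie": "sid=abc123; Path=/",
}

# Constructed sample: the same site with the headers switched on.
HARDENED = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "Set-Cookie": [
        "sid=abc123; Path=/; Secure; HttpOnly",
        "theme=dark; Path=/; Secure; HttpOnly",
    ],
}

if __name__ == "__main__":
    for label, sample, scheme in (("default", DEFAULT_HOSTING, "http"), ("hardened", HARDENED, "https")):
        print(label, audit_response(sample, scheme) or "no findings")
```

Running the script prints five findings for the default response (three missing headers, no HTTPS, and a cookie without its flags) and none for the hardened one; `audit_url("https://example.invalid/")` does the same against a live site. The point the page makes is visible in the code: every finding is a missing setting, and none of the checks says anything about whether the site's code or server is vulnerable.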