Email2026-07-01·6 min read

What does an SSL Labs grade mean?

An SSL Labs grade scores how well your site’s HTTPS is set up, A+ to F. An A is the target, and a low grade is almost always a host-side fix.

An SSL Labs grade rates one thing — how well your site’s HTTPS is configured — and a small business should read it like this:

  • A or A+ is the target — an A means a valid certificate, no obsolete protocols, and current ciphers; the “+” simply adds HSTS, a refinement rather than a fix.
  • A B means an easy host-side fix — it almost always traces to old TLS 1.0/1.1 still switched on or a weak cipher your host or CDN can disable in minutes.
  • An F means a certificate problem — usually expired, mismatched to the domain, or from an untrusted authority, and visitors are seeing browser warnings right now.
  • The grade is HTTPS only — it never checks your security headers, email authentication, or DNS, so an A+ is one green light among several.

The takeaway: chase an A as the floor, fix an F today, and don’t mistake a high grade for a whole-of-business all-clear.

An SSL Labs grade scores how well your site's HTTPS is configured, from A+ down to F. For a small business an A or A+ is the target, and a lower grade almost always traces to an old protocol, a weak cipher, or a certificate problem your host can fix — not to anything wrong with your site's content or your business.

The grade comes from the Qualys SSL Labs server test, a free tool that connects to your site the way a browser does, inspects the encryption setup, and hands back a single letter. It is the most-cited HTTPS report on the web, which is exactly why it is worth understanding what the letter does and does not mean before you read too much into it.

What the grade is actually measuring

The grade is a summary of 4 things, scored and then combined into one letter. None of them are about your content, your code, or whether your business is "secure" in the broad sense — they are all about the encrypted connection between a visitor's browser and your server.

The certificate. Is it valid, unexpired, issued by a trusted authority, and does it match the domain name people type? A certificate that fails here doesn't lower the grade — it caps it at the bottom.

Protocol support. Which versions of the encryption protocol your server will speak. Modern TLS 1.2 and 1.3 are fine. The old TLS 1.0 and 1.1 versions — long deprecated — drag the grade down even if everything else is perfect, because supporting them keeps a weak door open. (If the words "SSL" and "TLS" are used interchangeably around you, the distinction is worth 30 seconds: see SSL vs TLS.)

Cipher strength. The specific encryption algorithms your server is willing to use, and in what order it prefers them. Strong, current ciphers score well; weak or outdated ones — the kind kept around for ancient browsers nobody runs anymore — pull the score down.

Configuration extras. The details that separate a good setup from an excellent one. The big one is HSTS (HTTP Strict Transport Security), a header that tells browsers to only ever connect over HTTPS. Get HSTS right and you earn the + that turns an A into an A+.

For the one-paragraph version of how those four roll into a letter, see what an SSL Labs grade is.

What pulls a grade down

If your site scores a B instead of an A, the report will tell you why in plain terms once you know where to look. In practice, almost every grade below A traces to one of three causes.

Old protocols still switched on. This is the single most common reason a tidy-looking site lands a B. TLS 1.0 and 1.1 are obsolete, and the major browsers stopped trusting them years ago — but plenty of servers still have them enabled by default. SSL Labs caps the grade at B the moment it sees them. The fix is a host or CDN setting, not a rebuild.

Weak ciphers in the list. A server that still offers a worn-out cipher suite for the sake of some long-gone browser gets marked down. You almost never need those old ciphers anymore; turning them off costs nothing and usually lifts a B straight to an A.

A certificate problem. This is the one that produces an F — and it's the one your visitors actually feel, because the browser shows them a warning before the grade ever enters the picture. An expired certificate, a certificate issued for example.com serving www.example.com, or one from an authority browsers don't trust will all fail the test outright. If your grade is an F, check the certificate first; it's almost always that, and it's almost always a renewal or a misconfigured domain name. (This is also what's behind a browser "not secure" warning — the two problems share a root cause.)

Is an A good enough?

Yes. For a small business, an A is a genuinely good result, and there is no security reason to lose sleep over the missing +. An A means your certificate is valid, you've dropped the old protocols, and your ciphers are current — which is the whole job. Visitors get a clean padlock, browsers are happy, and nobody is intercepting the connection.

The difference between A and A+ is HSTS. The A+ tells browsers to refuse to connect to your site over plain HTTP at all, even if someone types http:// or follows an old link — it closes a narrow window where a connection could be downgraded before the redirect to HTTPS happens. That's a real improvement, and worth doing, but it's a refinement on an already-good setup rather than a fix for a broken one. Aim for A as the floor and A+ as the finish; treat anything below A as a to-do item, not an emergency, unless it's an F — an F means visitors are seeing warnings right now.

One caveat worth naming: HSTS, once enabled with a long duration and submitted for preload, is sticky and hard to undo cleanly. It's the right move for an established site you intend to keep on HTTPS forever — which is every business site — but enable it deliberately, not by accident.

How to fix a low grade

Here's the part that surprises most owners: you almost certainly don't fix this yourself, and you almost certainly don't pay anyone. A low SSL Labs grade lives in your server, host, or CDN configuration, and on a managed platform it's usually a toggle.

On managed hosting (Shopify, Squarespace, WordPress.com, most website builders) the HTTPS configuration is handled for you and typically already scores A or better — if it doesn't, it's a support ticket, not a project. If you're behind a CDN like Cloudflare, the grade reflects the CDN's settings, and dropping old TLS versions or fixing a cipher list is a setting in its dashboard. On your own server (a VPS, a self-managed box), it's a config change to your web server — the kind of thing a competent host or developer does in 10 minutes.

So the practical sequence is short. Run the SSL Labs test, note the specific reason it gives for the grade, and take that exact reason to whoever runs your hosting: "SSL Labs says we still allow TLS 1.0 — can you disable it?" is a request any host can action same-day. Re-run the test afterward to confirm. The grade updates immediately; you don't wait on anything.

What the grade doesn't tell you

This is the part the single letter hides. An SSL Labs grade is a report on your HTTPS configuration and nothing else. An A+ means the encrypted connection is set up correctly. It says nothing about the rest of your security posture, and treating it as a clean bill of health is a mistake.

It doesn't look at your security response headers — the browser-level protections that sit alongside HTTPS, which a tool like Mozilla Observatory grades instead. It doesn't check your email authentication (SPF, DKIM, DMARC), the records that stop someone spoofing your domain in scam emails. It doesn't check your DNS configuration, your CAA records, or whether your domain is locked against transfer. A site can score A+ on SSL Labs and still be wide open to email spoofing, because those are entirely separate systems that the test never touches.

That's not a knock on SSL Labs — it's a focused tool doing one job well. It just means an A+ is one green light among several, not the whole dashboard. To see HTTPS, headers, email, and DNS scored together against the Australian small business baseline, run your domain through our scan — and for the wider picture of which free tools cover which gap, start with our guide to free website security scanners.

#email#australian-business#small-business