We agree that some of the "values" might seem a bit out of place`, we discussed them with multiple security professionals and tried to come up with the best with the different opinions we were given. Please please please submit an issue on the github. Far too many ratings work as blackboxes which is why we decided to "open" our formula. The link for the github is https://github.com/binaryedge/ratemyip-openframework
> Web: The lack of at least one security header represents an extreme level of exposure
Don't really get that one either. So any site not using HSTS, CSP, or Key Pinning, for example, is automatically at extreme risk?