SSL Certificate Grades Explained
What A+, A, B, C, and F actually mean for your website — and what to do if your grade is not where it should be.
What SSL actually does
SSL (technically TLS — Transport Layer Security — since SSL was deprecated in the 1990s) encrypts traffic between your visitors' browsers and your web server. Without it, anyone on the same network can read what your visitors submit — login credentials, contact forms, payment details.
The padlock icon in a browser address bar means a valid certificate is present and the connection is encrypted. But not all SSL configurations are equal. The grade tells you how well yours is configured.
The grading scale
Best possible. Valid cert, TLS 1.3, strong ciphers, HSTS enforced, preloading enabled. Everything is right.
Excellent. Valid cert, TLS 1.2/1.3, strong ciphers. May be missing HSTS or preloading to reach A+.
Good, with a minor flag — often a cert chain issue or a slightly weak cipher still in the allowed list.
Adequate but outdated. TLS 1.0/1.1 likely still enabled, or weak ciphers present. Easy to fix on most platforms.
Meaningful weaknesses. Multiple deprecated protocols or ciphers, or a cert trust issue. Needs prompt attention.
Failed. Expired certificate, untrusted CA, handshake errors, or certificate mismatch. Visitors will see browser warnings.
What causes a lower grade
TLS 1.0 or 1.1 enabled
Drops to B at best. These protocols are over 20 years old and have known exploits. Every modern browser has already stopped supporting them — disable them server-side for a free grade improvement.
Weak cipher suites
Ciphers like RC4, 3DES, or export-grade encryption are broken. If your server still offers them, the grade drops. Modern servers configured with secure defaults do not use these.
Missing HSTS
HTTP Strict Transport Security tells browsers to always use HTTPS for your domain, even if someone types http://. Without it, the first request could be unencrypted. Required for A+.
Expired certificate
Instant F. Browsers will display a full-screen warning blocking access to your site. Renew at least 30 days before expiry — most modern hosts auto-renew with Let's Encrypt.
Self-signed certificate
Not trusted by any browser. Visitors see a security warning. Only valid for internal/development use, never for a public-facing site.
How to reach A+
If you use Cloudflare, you can reach A or A+ in minutes:
- SSL/TLS → Overview → set to "Full (strict)"
- Edge Certificates → set "Minimum TLS Version" to TLS 1.2
- Edge Certificates → enable "Always Use HTTPS"
- Edge Certificates → enable "HTTP Strict Transport Security (HSTS)"
For self-hosted servers (nginx, Apache), disable TLS 1.0/1.1 in your config, use a modern cipher list (Mozilla's SSL Configuration Generator is the best reference), and add an HSTS header with a max-age of at least 15768000 (6 months).
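An added example, not part of the original page or of any scanner's own code: a Python check of a `Strict-Transport-Security` header value against the 15768000-second floor above and against the HSTS preload list's submission requirements (max-age of at least 31536000, `includeSubDomains`, `preload`). The function names and the sample header values are constructed for illustration.

```python
import re

MIN_MAX_AGE = 15768000      # the floor given above: 6 months, in seconds
PRELOAD_MAX_AGE = 31536000  # hstspreload.org submission floor: 1 year

def parse_hsts(value):
    """Parse an HSTS value into {directive: value-or-None} per RFC 6797.

    Names are case-insensitive, values may be quoted, and a repeated
    directive makes the header non-conforming (returns None).
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing or doubled ';'
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None
        directives[name] = val.strip().strip('"') if val else None
    return directives

def audit_hsts(value):
    """Return a list of findings; an empty list means preload-ready."""
    if value is None:
        return ["no HSTS header: the first http:// request can go unencrypted"]
    d = parse_hsts(value)
    if d is None:
        return ["duplicate directive: browsers ignore the whole header"]
    age = d.get("max-age")
    if age is None or not re.fullmatch(r"\d+", age):
        return ["max-age missing or not an integer: header is ignored"]
    findings = []
    if int(age) == 0:
        findings.append("max-age=0 removes the HSTS policy")
    elif int(age) < MIN_MAX_AGE:
        findings.append(f"max-age {age} is below {MIN_MAX_AGE} (6 months)")
    elif int(age) < PRELOAD_MAX_AGE:
        findings.append(f"max-age {age} is below {PRELOAD_MAX_AGE} needed for preload")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing (needed for preload)")
    if "preload" not in d:
        findings.append("preload directive missing")
    return findings

if __name__ == "__main__":
    # Constructed sample values, not captured from a real site.
    for h in ("max-age=63072000; includeSubDomains; preload", "max-age=300", None):
        print(repr(h), "->", audit_hsts(h))
```

Feed it the header value your server actually returns over HTTPS; a header sent over plain HTTP is ignored by browsers, so check the HTTPS response.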
Frequently asked questions
How do I get an A+ SSL grade?
Valid cert, TLS 1.2 and 1.3 only (1.0 and 1.1 disabled), strong ciphers, HSTS with max-age ≥ 6 months, and HSTS preload. Cloudflare makes this nearly automatic.
Does SSL affect Google rankings?
Yes. HTTPS has been a Google ranking signal since 2014. Sites on HTTP are flagged "Not Secure" in Chrome, which hurts bounce rates. An expired cert can block visitors entirely.
My grade is B — is that urgent?
Not critical, but worth fixing. A B usually means old TLS versions are still enabled. Disabling TLS 1.0/1.1 has no impact on modern visitors and is a one-line config change on most platforms.
Check your SSL grade now
CQwerty Shield shows your SSL grade alongside DMARC, SPF, DNS and breach exposure in one free report.