How the script score is calculated

The script score measures the quality and safety of every third-party script loaded by your storefront — including scripts injected via app embeds, ScriptTags, and theme includes. It covers three dimensions: security, performance, and best practices.

Overall formula

Script Score = (Security × 50%) + (Performance × 30%) + (Best Practices × 20%)

Each sub-score runs from 0 to 100 and is based on the ratio of flagged scripts to total scripts detected.

Security score (50%)

Checks each script for patterns that indicate a risk to customer data or storefront integrity:

  • Scripts loaded from unknown or suspicious domains
  • Inline scripts with eval(), document.write(), or obfuscated code
  • Scripts that set or read sensitive cookies without consent signals
  • Missing integrity attributes on third-party includes (subresource integrity)

A clean store with no suspicious scripts scores 100 in security.

Performance score (30%)

Checks how scripts affect page load speed:

  • Render-blocking scripts in <head> without async or defer
  • Duplicate script includes (the same URL loaded more than once)
  • Large payload — total script weight above thresholds
  • Excessive number of distinct third-party origins (each origin = extra DNS lookup + TCP connection)
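The following sketch is an added example, not the scanner's own code. It applies several of the security and performance checks listed above to a constructed script inventory. The field names, the .test hosts, the flag labels and the mapping from the flagged/total ratio to a 0-100 sub-score are assumptions.

```javascript
// Constructed inventory; in a browser it could be built from document.scripts.
// Field names and the .test hosts are assumptions made for this example.
const STORE_ORIGIN = "https://example-store.test";
const sample = [
  { src: "https://cdn.vendor-a.test/widget.js", inHead: true },
  { src: "https://cdn.vendor-a.test/widget.js", inHead: false, async: true },
  { src: "https://cdn.vendor-b.test/pixel.js", inHead: true, defer: true,
    integrity: "sha384-PLACEHOLDER" },
  { src: "/assets/theme.js", inHead: true, defer: true },
  { text: "document.write(banner)" },
];

const SECURITY = ["missing-sri", "risky-inline-call"];
const PERFORMANCE = ["render-blocking", "duplicate"];

function auditScripts(scripts, storeOrigin) {
  const seen = new Set();
  const origins = new Set();
  const findings = scripts.map((s) => {
    const flags = [];
    if (!s.src) {
      // Inline script: look for the calls the security list names.
      if (/\beval\s*\(|\bdocument\.write\s*\(/.test(s.text || "")) flags.push("risky-inline-call");
      return { id: "(inline)", flags };
    }
    const url = new URL(s.src, storeOrigin);
    if (url.origin !== storeOrigin) {
      origins.add(url.origin);
      if (!s.integrity) flags.push("missing-sri");
    }
    // Module scripts are deferred by default, so they do not block rendering.
    if (s.inHead && !s.async && !s.defer && s.type !== "module") flags.push("render-blocking");
    if (seen.has(url.href)) flags.push("duplicate");
    seen.add(url.href);
    return { id: url.href, flags };
  });
  return { findings, thirdPartyOrigins: origins.size };
}

// Assumed mapping from the flagged/total ratio to a 0-100 sub-score.
function subScore(findings, dimension) {
  if (findings.length === 0) return 100;
  const flagged = findings.filter((f) => f.flags.some((x) => dimension.includes(x))).length;
  return Math.round((100 * (findings.length - flagged)) / findings.length);
}

const report = auditScripts(sample, STORE_ORIGIN);
console.log(report.findings, subScore(report.findings, SECURITY), subScore(report.findings, PERFORMANCE));
```
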

Best practices score (20%)

Checks whether scripts follow Shopify and web development conventions:

  • ScriptTags left over from uninstalled apps
  • Scripts that are loaded but produce no network activity (likely orphaned)
  • Missing resource hints (dns-prefetch, preconnect) for heavy third-party scripts
  • Scripts that conflict with Shopify’s own performance infrastructure

Weight in the overall health score

The script score contributes 10% of the total store health score.

How to improve your score

  1. Open the Installed Scripts section of your scan results.
  2. Use the Security and Performance tabs to see which scripts are flagged.
  3. Remove scripts from apps you no longer use — these are often the biggest culprits.
  4. For scripts you need, ask your app developer whether an async/defer version is available.
  5. Use the Remove action on orphaned ScriptTags directly from the scan results.