Public hardening check
Free 0–100 hardening score across TLS, headers, DNS, and hygiene. No signup, no card, no install.
Five weighted base categories — plus a WordPress pack that activates only when we detect WordPress — scored independently and rolled up into the single 0–100 number.
Certificate validity and expiry horizon, weak public-key sizes, cipher quality, TLS 1.0/1.1 acceptance, and HTTP→HTTPS redirect coverage.
HSTS (plus live preload-list verification), fine-grained CSP grading (unsafe-inline, unsafe-eval, wildcards, object-src, report-only), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP, CORP, and third-party script SRI coverage.
security.txt (RFC 9116), robots.txt analysis, verbose server banners, directory listings, sensitive path probes, origin-IP exposure behind CDN/WAF, and a passive tech-stack fingerprint.
Secure / HttpOnly / SameSite on session-like cookies when visible in response headers.
SPF, DMARC (with parent-domain heuristic), common DKIM selectors, MX, CAA, MTA-STS, TLS-RPT, BIMI, DNSSEC validation, Certificate Transparency log discovery, and subdomain-takeover detection — no port scan.
Installer and setup-config endpoint exposure, REST user enumeration (/wp-json/wp/v2/users), XML-RPC, and readme.html version disclosure.
Full methodology: How Scorifya works — published category weights, per-finding penalties, and the boundaries of a public scan.
How we differ from deep TLS graders, browser-focused posture tools, and header-only checkers: read the comparison.