BigCommerce stores
BigCommerce stores have a strong default TLS posture and PCI scope is largely managed by the platform — but the public hardening of your custom domain depends on apps you install, themes you customize, and how your transactional email DNS is configured. Score visibility helps you see what shoppers' browsers actually receive.
Paste the storefront URL customers actually load — your custom domain or store hash. Scorifya checks what unauthenticated browsers can see: HTTPS posture and redirects, security headers, passive SPF/DMARC/MX context for transactional mail, cookie-related hints when responses carry Set-Cookie, and hygiene signals. It does not log into BigCommerce admin or read your orders.
This page is written for people searching for BigCommerce security check — same tool as the homepage, with context for that query.
How we differ from deep TLS graders, browser-focused posture tools, and header-only checkers: read the comparison.
Illustrative snapshots of what a report can look like — paste your URL above for a live score on your site.
Example A — store on a custom domain after a theme update
TLS and core BigCommerce headers look consistent. Theme customizations and email DNS leave the most room for improvement.
Content-Security-Policy not set
Theme customizations and apps inject scripts; without CSP, browsers rely on defaults and XSS blast radius stays higher than it needs to be.
DMARC missing for transactional sender
Order confirmations and shipping notifications go out under your domain. Publish SPF/DKIM and a starter DMARC to protect your brand.
Permissions-Policy missing
A short Permissions-Policy denying camera/microphone/geolocation tightens the contract for product video embeds and partner widgets.
Example B — hardened storefront on Cloudflare with full email DNS
Edge and email both look mature. Remaining items are typically server banner hygiene and small CSP refinements.
Weak CSP — wildcard sources
Tighten script-src and connect-src once you've enumerated every analytics, chat, and payment widget actually in use.
Verbose Server banner
Fingerprinting hints rarely flip the score alone but show up during hygiene passes.
Force HTTPS consistently across apex and www
Confirm both hosts redirect cleanly to your canonical storefront URL. BigCommerce manages certs, but the redirect chain is still where points are lost.
Add HSTS at a fronting CDN if you have one
If your store is fronted by Cloudflare or similar, set HSTS there with a deliberate max-age. Don't enable preload until every subdomain is HTTPS-ready.
Roll out CSP in stages
Start with Content-Security-Policy-Report-Only at your CDN, watch reports, then enforce. BigCommerce-managed scripts plus your installed apps will surface a long allowlist.
Publish SPF, DKIM, and DMARC for transactional mail
Order confirmations are critical mail. Get the auth records in place and progress DMARC past p=none once aggregate reports look clean.
Re-scan after each app install or theme change
Apps inject scripts and DOM. Theme updates change inline content. Each shift can move your score — re-scan to catch regressions.
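An added example, not Scorifya's or BigCommerce's code: a small offline checker that applies the items above (CSP missing, report-only or wildcard; HSTS preload prerequisites; Permissions-Policy; versioned Server banner; DMARC policy) to constructed response headers and a constructed DMARC record, so you can see what a re-scan after an app or theme change would flag.

```python
"""Offline header-posture check mirroring this page's checklist. Added example,
not Scorifya's code: the headers and DMARC record below are constructed, not
captured from a real store; the checks return finding codes keyed to the items above."""
import re

# Constructed headers modelled on "Example A": HSTS set, no CSP, versioned banner.
EXAMPLE_A = {"Strict-Transport-Security": "max-age=31536000",
             "Server": "nginx/1.18.0 (Ubuntu)"}
# Constructed headers modelled on "Example B": mature edge, but wildcard CSP sources.
EXAMPLE_B = {"Content-Security-Policy":
             "default-src 'self'; script-src * 'unsafe-inline'; connect-src https://*",
             "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
             "Permissions-Policy": "camera=(), microphone=(), geolocation=()", "Server": "cloudflare"}

def csp_wildcard_sources(csp):
    """Directives whose source list has a bare wildcard or scheme-wide source."""
    def wild(s):
        return s == "*" or s in ("https:", "http:") or s.startswith("https://*")
    return [d.split()[0] for d in csp.split(";")
            if len(d.split()) > 1 and any(wild(s) for s in d.split()[1:])]

def dmarc_policy(txt):
    """p= tag of a DMARC TXT record, or None if the record is not DMARC."""
    if not txt.strip().lower().startswith("v=dmarc1"):
        return None
    return dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t).get("p")

def check_headers(headers):
    """Finding codes for one response, in the order the page discusses them."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if "content-security-policy" in h:
        weak = csp_wildcard_sources(h["content-security-policy"])
        if weak:
            findings.append("weak-csp:" + ",".join(weak))
    elif "content-security-policy-report-only" in h:
        findings.append("csp-report-only")  # staged rollout: observe, then enforce
    else:
        findings.append("csp-missing")
    hsts = h.get("strict-transport-security", "").lower()
    age = re.search(r"max-age=(\d+)", hsts)
    if not hsts:
        findings.append("hsts-missing")
    elif "preload" in hsts and (not age or int(age.group(1)) < 31536000
                                or "includesubdomains" not in hsts):
        findings.append("hsts-preload-unsafe")  # preload needs >=1 year + includeSubDomains
    if "permissions-policy" not in h:
        findings.append("permissions-policy-missing")
    if re.search(r"\d", h.get("server", "")):  # version number in banner
        findings.append("verbose-server-banner")
    return findings
```

Run `check_headers` against each example dict and `dmarc_policy` against your domain's `_dmarc` TXT value; a `p=none` result is the starting point the page describes, not the destination.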
For weights and penalties behind each category, see How Scorifya works.
No. Scorifya only requests the public URL you paste and follows redirects. It cannot access admin, orders, or customer data.
Platform PCI scope covers payment handling. Your custom domain's headers, redirects, and email DNS sit outside that scope and still affect what shoppers' browsers experience.
No. This is a configuration and public-signal scorecard, not malware detection. Use BigCommerce's app marketplace reviews and your own content review for that.
checkout.example.com and example.com are separate hostnames with their own headers. If you use a custom checkout domain, scan it separately.
No. We do not attempt exploitation or authenticated crawling. The score reflects publicly visible TLS, headers, DNS/email signals, and hygiene.
More detail on limits and billing: FAQ.
TLS, HTTPS & redirects
Valid certificates, modern TLS, and clean HTTP→HTTPS upgrades. We also probe whether legacy TLS 1.0/1.1 are still accepted.
Security headers
CSP, HSTS, and related headers reduce common browser-side attack surfaces and clickjacking risk.
DNS & email (passive)
SPF, DMARC, a few DKIM selectors, MX, and whether common subdomains resolve publicly — without port scanning.
Hygiene signals
Verbose server banners and risky defaults can raise your attack surface and erode trust.
Not a vulnerability scan
Scorifya checks public configuration signals; it does not attempt exploitation, port scans, or authenticated crawling.
If you're iterating on headers or deploying changes, you'll likely run multiple checks as you tighten config. When you're ready, Scorifya Pro removes scan limits and unlocks JSON/CSV/PDF exports.