Smarter hardening checks: fix what matters first
Scorifya now surfaces the most impactful issues first, with clearer severity labels and copy-ready config examples—still a public hardening check, not a penetration test.
Why we changed the experience
Teams told us they wanted two things from a quick scan: clarity on what hurts the score the most, and less guesswork when fixing headers and TLS hygiene. Scorifya has always been explicit that we score observable public configuration—we do not run penetration tests, authenticated crawls, or vulnerability exploits. Within that scope, we can still make results easier to act on.
The latest update keeps the same 0–100 model and published methodology. What is new is how findings are ordered and labeled, and how we surface optional stack-specific examples where they help most.
Fix-first ordering and clearer labels
Findings are now sorted server-side so the list reads in a consistent priority order: critical signals first, then warnings, then informational items. Within each tier, larger category penalties appear before smaller ones, so you see the biggest score drivers without hunting.
Badges use plain-language tiers—Critical, High, and Medium—while the underlying API still exposes the original severity values for anyone integrating with exports or tooling.
A short note on the scan results reminds you that the list is intentionally ordered with critical issues first.
Copy-ready examples where they matter
For the most frequently seen configuration gaps, such as missing HSTS, CSP, X-Frame-Options, X-Content-Type-Options, and HTTP-to-HTTPS redirects, we added optional “Example configs” that you can expand per finding. Each includes short patterns for common stacks (for example nginx, Express with Helmet, and Apache) because those are the layers teams most often control.
Headers are frequently set at a CDN or load balancer instead of the app server, so every block includes a reminder that your edge may be the right place to apply the change. Use the copy buttons to grab one snippet or the whole set, then adapt hostnames and policies to your environment.
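To make the fix-first ordering and header checks described above concrete, here is a small added Python model; it is not Scorifya's code, and the severities, penalties, value predicates, badge mapping and 100-minus-penalties score are assumptions constructed for the example rather than the published weights.

```python
"""Added example, not Scorifya's code: fix-first ordering of hardening findings
as the post describes it. Severities, penalties, predicates and the badge
mapping are constructed for illustration, not Scorifya's published weights."""
from dataclasses import dataclass

# Original severity values (what exports carry) and the plain-language badge
# shown for each tier; lower rank sorts first.
SEVERITY_RANK = {"critical": 0, "warning": 1, "info": 2}
BADGE = {"critical": "Critical", "warning": "High", "info": "Medium"}

# Constructed checks: (severity, penalty, predicate that is True for an
# acceptable header value). Header names are compared lower-cased.
HEADER_CHECKS = {
    "strict-transport-security": ("critical", 15, lambda v: "max-age=" in v.lower()),
    "content-security-policy": ("warning", 10, lambda v: "default-src" in v.lower()),
    "x-frame-options": ("warning", 5, lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN")),
    "x-content-type-options": ("info", 3, lambda v: v.strip().lower() == "nosniff"),
}

@dataclass(frozen=True)
class Finding:
    check: str
    severity: str  # original value, kept for JSON exports and tooling
    badge: str     # plain-language tier shown in the UI
    penalty: int

def evaluate(headers, redirects_to_https):
    """Flag missing or weak headers and a missing HTTP-to-HTTPS redirect."""
    observed = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, (severity, penalty, ok) in HEADER_CHECKS.items():
        value = observed.get(name)
        if value is None or not ok(value):
            findings.append(Finding(name, severity, BADGE[severity], penalty))
    if not redirects_to_https:
        findings.append(Finding("http-to-https-redirect", "critical", BADGE["critical"], 20))
    return findings

def fix_first(findings):
    """Order as the post describes: tier first, then larger penalty first."""
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], -f.penalty))

def score(findings):
    """Constructed 0-100 model: start at 100, subtract penalties, floor at 0."""
    return max(0, 100 - sum(f.penalty for f in findings))

if __name__ == "__main__":
    # Constructed sample response: HSTS set, CSP and XFO absent, nosniff wrong.
    sample = {"Strict-Transport-Security": "max-age=31536000", "X-Content-Type-Options": "none"}
    for f in fix_first(evaluate(sample, redirects_to_https=False)):
        print(f"{f.badge:8} -{f.penalty:>2}  {f.check}")
```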
Exports and Pro
JSON exports automatically include the new fields. CSV exports note which example configs exist and point you to JSON for the full bodies; PDF reports include a truncated first example so they stay readable.
Unlimited scans and exports remain part of Scorifya Pro; the public scanner stays free for on-demand checks within published limits.
What has not changed
We still block private targets and unsafe host patterns, rate-limit scans, and document weights and penalties on the methodology page. If you need a formal security assessment or compliance sign-off, you should engage qualified professionals—Scorifya remains a fast sanity check for public hardening posture.
Try a scan on scorifya.com, read how we score, or see Pro for unlimited scans and exports.