Security headers checker
Teams ship features faster than documentation—security headers often lag releases, leaving XSS and clickjacking mitigations unfinished even when TLS certificates look healthy.
Paste any URL you control publicly. Scorifya captures response headers alongside TLS behavior and passive DNS/email context, then translates gaps into prioritized fixes—not raw dumps alone.
This page is written for people searching for check website security headers—same tool as the homepage, with context for that query.
How we differ from deep TLS graders, browser-focused posture tools, and header-only checkers: read the comparison.
Illustrative snapshots of what a report can look like—paste your URL above for a live score on your site.
Example A — TLS solid, CSP absent
Strict transport controls exist while browser policy headers still leave meaningful exposure—common mid-maturity posture.
Content-Security-Policy missing
Without CSP, browsers rely on defaults—dangerous when third-party scripts load broadly across marketing pages.
Technical snapshot highlights positives
HSTS and framing headers might already exist—Scorifya still surfaces CSP gaps affecting the Security headers bucket.
Example B — mature header bundle
Policies align with deployed assets while TLS remains strong; the remaining deductions encourage CSP tightening over time.
HSTS lacks preload readiness
Policy exists but preload eligibility tests fail—often intentional until every subdomain proves HTTPS-only.
CSP allows wider script hosts than ideal
Functional allowances linger after vendor consolidation—iterate once telemetry confirms unused origins.
Inventory live headers before editing CDN rules
Know exactly what each origin emits today: when several layers (origin, CDN, proxy) rewrite responses, headers get duplicated or stripped unintentionally.
Stage CSP with report-only telemetry
Collect violations from real traffic before enforcing stricter script-src or frame-ancestors directives.
Pair framing protections with embed strategy
Marketing iframes may require explicit frame-ancestors allowlists rather than blanket DENY constants.
Extend HSTS deliberately
Grow max-age once redirect coverage is proven; includeSubDomains only when child hosts truly terminate TLS.
Validate fixes via rescans
Headers frequently regress during releases; rescan with Scorifya after each deployment.
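The checks in the steps above, as an added example that is not Scorifya's own code: it audits constructed response headers for a missing CSP, script-src sources broader than a host allowlist, missing framing protection, and HSTS values that would fail preload eligibility (the hstspreload.org minimums are assumed here: a max-age of at least one year, includeSubDomains and preload). The sample headers and the `*.cdn.example` host are constructed.

```python
import re
PRELOAD_MIN_AGE = 31536000  # one year: the hstspreload.org minimum max-age
BROAD_SOURCES = {"*", "http:", "https:", "'unsafe-inline'", "'unsafe-eval'"}  # any host or inline
# Constructed samples mirroring Example A and Example B above (not real sites).
EXAMPLE_A = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
             "X-Frame-Options": "DENY"}
EXAMPLE_B = {"Strict-Transport-Security": "max-age=15552000", "Content-Security-Policy":
             "default-src 'self'; script-src 'self' https://*.cdn.example; frame-ancestors 'self'"}

def parse_csp(value):
    """'a b; c d' -> {'a': ['b'], 'c': ['d']}; a repeated directive keeps its first copy."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def audit_hsts(value):
    """List what a Strict-Transport-Security value lacks for preload; [] if ready."""
    directives = {d.strip().lower() for d in value.split(";")}
    age = re.search(r"max-age=(\d+)", value, re.I)
    max_age = int(age.group(1)) if age else 0
    gaps = [f"max-age {max_age} < {PRELOAD_MIN_AGE}"] if max_age < PRELOAD_MIN_AGE else []
    gaps += [f"no {d}" for d in ("includeSubDomains", "preload") if d.lower() not in directives]
    return gaps

def audit_headers(headers):
    """Findings for one response's headers; header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    csp = h.get("content-security-policy")  # report-only staging does not count as enforced
    if csp is None:
        findings.append("Content-Security-Policy missing")
        framed = "x-frame-options" in h
    else:
        policy = parse_csp(csp)
        script = policy.get("script-src", policy.get("default-src", []))
        if any(s in BROAD_SOURCES or "*" in s for s in script):
            findings.append("CSP allows wider script hosts than ideal: " + " ".join(script))
        framed = "frame-ancestors" in policy or "x-frame-options" in h
    if not framed:
        findings.append("No framing protection (frame-ancestors or X-Frame-Options)")
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS missing")
    elif audit_hsts(hsts):
        findings.append("HSTS lacks preload readiness: " + ", ".join(audit_hsts(hsts)))
    return findings
```

Running `audit_headers(EXAMPLE_A)` yields only the missing-CSP finding, while `EXAMPLE_B` yields the wide script-src and the HSTS preload gaps.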
For weights and penalties behind each category, see How Scorifya works.
Yes, alongside explanations: each finding ties headers to scoring penalties so engineers know exactly what changed.
No. Scorifya evaluates the pasted URL only—normalize headers upstream if subroutes diverge unintentionally.
DevTools remains useful interactively; Scorifya adds TLS/DNS/email context and weighted scoring for prioritization.
We evaluate deployed Content-Security-Policy headers—not violation beacon volumes—because ingestion pipelines vary per site.
Order rarely affects validity; correctness of directives and consistent deployment across edges matters far more.
More detail on limits and billing: FAQ.
TLS, HTTPS & redirects
Valid certificates, modern TLS, and clean HTTP→HTTPS upgrades. We also probe whether legacy TLS 1.0/1.1 are still accepted.
Security headers
CSP, HSTS, and related headers reduce common browser-side attack surfaces and clickjacking risk.
DNS & email (passive)
SPF, DMARC, a few DKIM selectors, MX, and whether common subdomains resolve publicly—without port scanning.
Hygiene signals
Verbose server banners and risky defaults can raise your attack surface and erode trust.
Not a vulnerability scan
Scorifya checks public configuration signals; it does not attempt exploitation, port scans, or authenticated crawling.
If you're iterating on headers or deploying changes, you'll likely run multiple checks as you tighten config. When you're ready, Scorifya Pro removes scan limits and unlocks JSON/CSV/PDF exports.