Duda sites
Agencies running dozens of client sites on Duda need a fast way to confirm public-facing posture across every domain. The platform handles HTTPS and patches; the variables that move the score are the custom domain config, third-party widgets clients install, and how the email DNS is set up for each domain.
Paste any Duda-hosted client site URL. Scorifya checks what unauthenticated browsers can see: HTTPS posture and redirects, security headers, passive SPF/DMARC/MX context, cookie-related hints when responses carry Set-Cookie, and hygiene signals. It does not log into Duda's editor or read your client list.
This page is written for people searching for "Duda security check". It is the same tool as the homepage, with context for that query.
How we differ from deep TLS graders, browser-focused posture tools, and header-only checkers: read the comparison.
Illustrative snapshots of what a report can look like—paste your URL above for a live score on your site.
Example A — typical SMB client site post-launch
TLS and platform-managed headers look fine; the gaps are a missing CSP and incomplete email DNS for the client's domain.
Content-Security-Policy not set
Widgets and embeds added through the editor inject scripts; without a CSP, the browser applies no policy to where those scripts may load from or run.
DMARC missing
Even local SMBs benefit from publishing SPF + a starter DMARC — it stops their domain from being used in phishing attempts.
Permissions-Policy missing
A short header denying unused features (camera, microphone, geolocation) is low-risk and improves the score.
Example B — agency-managed client behind Cloudflare
Headers and DNS both look mature. Remaining items are typically banner hygiene and small CSP refinements.
DMARC policy not at enforcement
Reports are flowing for the client's sender. Once aggregate reports stabilize, move policy to p=quarantine then p=reject.
Verbose Server banner
Fingerprinting hints rarely flip the score alone but tend to surface during hygiene passes.
Standardize HTTPS redirect chains across the client portfolio
Make sure each client's apex and www redirect cleanly to one canonical version with HTTPS. Build a checklist into your launch runbook.
Front client domains with Cloudflare for managed headers
Putting client domains on Cloudflare gives the agency one place to set HSTS, CSP, and Permissions-Policy across the entire portfolio.
Make SPF + DMARC part of every launch
Even for clients who don't think they send mail, publishing SPF + a starter DMARC blocks impersonation. Add it to your DNS-handover template.
Audit client widget choices before publish
Live chat, scheduling, and form widgets all inject scripts. If you ship a CSP, plan the allowlist around the widgets actually in use.
Re-scan across the portfolio quarterly
Each client edit, plugin install, or DNS change can move the score. A quarterly portfolio scan catches drift before clients ask.
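The findings in the snapshots above and the SPF/DMARC launch check can be reproduced from a site's public response headers and TXT records. The following is an added illustration, not Scorifya's own scoring code; it runs over constructed sample input (the `example-client.test` domain and headers are made up) rather than live scan data.

```python
import re

# Constructed sample input (not real scan output): headers a client site
# might return, plus the DNS TXT records for its apex and _dmarc names.
SAMPLE_HEADERS = {
    "Server": "nginx/1.18.0 (Ubuntu)",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
}
SAMPLE_TXT = {
    "example-client.test": ["v=spf1 include:_spf.example.test -all"],
    "_dmarc.example-client.test": ["v=DMARC1; p=none; rua=mailto:dmarc@example-client.test"],
}

def header_findings(headers):
    """Return the header findings seen in the report snapshots, in a fixed order."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if "content-security-policy" not in h:
        findings.append("Content-Security-Policy not set")
    if "permissions-policy" not in h:
        findings.append("Permissions-Policy missing")
    if "strict-transport-security" not in h:
        findings.append("HSTS missing")
    # A version number after a slash in Server is a fingerprinting hint.
    if re.search(r"/\d", h.get("server", "")):
        findings.append("Verbose Server banner")
    return findings

def email_findings(domain, txt_records):
    """Return SPF/DMARC findings from TXT records keyed by DNS name."""
    findings = []
    spf = [r for r in txt_records.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("SPF missing")
    dmarc = [r for r in txt_records.get(f"_dmarc.{domain}", [])
             if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        findings.append("DMARC missing")
    else:
        # Parse "tag=value" pairs; p=none means reports only, no enforcement.
        tags = dict(t.strip().split("=", 1) for t in dmarc[0].split(";") if "=" in t)
        if tags.get("p", "none").strip().lower() == "none":
            findings.append("DMARC policy not at enforcement")
    return findings

if __name__ == "__main__":
    print(header_findings(SAMPLE_HEADERS))
    print(email_findings("example-client.test", SAMPLE_TXT))
```

Feed it the headers and TXT records of each client domain in the portfolio and the output is the drift list a quarterly re-scan would surface.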
For weights and penalties behind each category, see How Scorifya works.
No. Scorifya only requests the public URL you paste and follows redirects. It cannot access your editor, client list, or workspace.
This page is for ad-hoc URL pastes. For portfolio coverage, sign up and use the Pro watchlist + scheduled re-scans to track multiple sites in one place.
No. This is a configuration and public-signal scorecard, not malware or compromise detection. Use Duda's content review tools and your own change management for that.
Each client has their own custom domain, DNS, and possibly different fronting CDNs. The template is the same; the public posture differs.
No. We do not attempt exploitation or authenticated crawling. The score reflects publicly visible TLS, headers, DNS/email signals, and hygiene.
More detail on limits and billing: FAQ.
TLS, HTTPS & redirects
Valid certificates, modern TLS, and clean HTTP→HTTPS upgrades. We also probe whether legacy TLS 1.0/1.1 are still accepted.
Security headers
CSP, HSTS, and related headers reduce common browser-side attack surfaces and clickjacking risk.
DNS & email (passive)
SPF, DMARC, a few DKIM selectors, MX, and whether common subdomains resolve publicly—without port scanning.
Hygiene signals
Verbose server banners and risky defaults can raise your attack surface and erode trust.
Not a vulnerability scan
Scorifya checks public configuration signals; it does not attempt exploitation, port scans, or authenticated crawling.
If you're iterating on headers or deploying changes, you'll likely run multiple checks as you tighten config. When you're ready, Scorifya Pro removes scan limits and unlocks JSON/CSV/PDF exports.