Framer sites
Framer ships a strong default for hosting and TLS — but the public posture of your site still depends on which custom domain you connect, what code components you embed, and how your sender domain is configured for email. Score visibility helps you see what visitors' browsers actually receive instead of what your editor preview suggests.
Paste the URL you publish to — usually your apex domain or a www host. Scorifya checks what unauthenticated browsers can see: HTTPS posture and redirects, security headers, passive SPF/DMARC/MX context for your domain, cookie-related hints when responses carry Set-Cookie, and hygiene signals. It does not log into your Framer workspace or read your designs.
This page is written for people searching for Framer security check—same tool as the homepage, with context for that query.
How we differ from deep TLS graders, browser-focused posture tools, and header-only checkers: read the comparison.
Illustrative snapshots of what a report can look like—paste your URL above for a live score on your site.
Example A — fresh Framer site on a connected domain
TLS and most browser headers look good out of the box. Email DNS plus a couple of optional headers leave points on the table.
DMARC missing
Even if you don't actively send transactional mail from your apex, publishing SPF + a starter DMARC blocks impersonation attempts.
Content-Security-Policy not set
Framer-hosted sites typically don't ship CSP. If you embed code components or third-party scripts, CSP is the highest-leverage header to add.
Permissions-Policy missing
Explicit denies for camera/microphone/geolocation are a short, low-risk header to add at any fronting CDN.
Example B — Framer site behind Cloudflare with custom headers
Headers and TLS line up consistently across hosts. The remaining gaps are typical email-DNS maturity items.
DMARC policy not at enforcement
Reports are flowing, but moving past p=none is what stops spoofed mail from reaching inboxes.
Verbose Server banner
Fingerprinting hints rarely flip the score alone but show up during hygiene passes.
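To make the findings in Example A and Example B concrete, here is an added offline evaluator that reproduces them from a response header map and a set of DNS TXT records. It is illustration code written for this page, not Scorifya's scanner: the function names (evaluate, check_headers, check_email_dns), the severity penalties and the sample headers and records are all constructed, and the real weights are the ones documented on the "How Scorifya works" page.

```python
"""Offline evaluator for the kinds of findings in the sample reports above.

Added example, not Scorifya's code: the checks, the severity penalties and the
sample responses/records are constructed to show what each finding means.
A real scan fetches the final page's headers and the TXT records live.
"""
import re

# Headers a hardened site is expected to send (lower-cased name -> finding).
EXPECTED_HEADERS = {
    "strict-transport-security": ("hsts-missing", "medium",
        "HSTS not set; the first visit over http:// is not upgraded by the browser"),
    "content-security-policy": ("csp-missing", "medium",
        "Content-Security-Policy not set; embedded or third-party scripts run unrestricted"),
    "permissions-policy": ("permissions-policy-missing", "low",
        "Permissions-Policy missing; camera/microphone/geolocation not explicitly denied"),
    "x-content-type-options": ("nosniff-missing", "low",
        "X-Content-Type-Options: nosniff not set"),
}

# Illustrative penalties only; Scorifya's real weights are documented separately.
PENALTY = {"high": 20, "medium": 10, "low": 5, "info": 2}


def parse_tags(record: str) -> dict:
    """Parse a 'k=v; k2=v2' record (DMARC style) into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def check_email_dns(domain: str, txt: dict) -> list:
    """txt maps a DNS name to the TXT strings published there, e.g.
    {"example.com": ["v=spf1 -all"], "_dmarc.example.com": ["v=DMARC1; p=reject"]}.
    Returns (id, severity, message) findings."""
    findings = []
    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append(("spf-missing", "medium", f"No SPF record at {domain}"))
    elif spf[0].lower().split()[-1] == "+all":
        findings.append(("spf-permissive", "high", "SPF ends in +all, which authorises any sender"))

    dmarc = [r for r in txt.get(f"_dmarc.{domain}", []) if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        findings.append(("dmarc-missing", "high", f"No DMARC record at _dmarc.{domain}"))
    else:
        policy = parse_tags(dmarc[0]).get("p", "").lower()
        if policy == "none":
            findings.append(("dmarc-not-enforced", "medium",
                             "DMARC is p=none: spoofed mail is reported but still delivered"))
        elif policy not in ("quarantine", "reject"):
            findings.append(("dmarc-invalid", "high", f"DMARC p tag missing or unknown: {policy!r}"))
    return findings


def check_headers(headers: dict) -> list:
    """headers is the response header map of the final (post-redirect) page."""
    seen = {k.lower(): v for k, v in headers.items()}
    findings = [f for name, f in EXPECTED_HEADERS.items() if name not in seen]
    server = seen.get("server", "")
    if re.search(r"\d", server):  # a version number in the banner is the fingerprinting hint
        findings.append(("server-banner", "info", f"Verbose Server banner: {server}"))
    return findings


def evaluate(domain: str, headers: dict, txt: dict) -> dict:
    """Combine both check sets and derive an illustrative 0-100 score."""
    findings = check_headers(headers) + check_email_dns(domain, txt)
    score = max(0, 100 - sum(PENALTY[sev] for _, sev, _ in findings))
    return {"score": score, "findings": findings}


# Constructed inputs mirroring Example A (fresh site) and Example B (behind a CDN).
EXAMPLE_A = dict(
    domain="example.com",
    headers={"Strict-Transport-Security": "max-age=63072000; includeSubDomains",
             "X-Content-Type-Options": "nosniff", "Server": "example-edge"},
    txt={"example.com": ["v=spf1 include:_spf.example.net -all"]},
)
EXAMPLE_B = dict(
    domain="example.com",
    headers={"Strict-Transport-Security": "max-age=63072000; includeSubDomains",
             "Content-Security-Policy": "default-src 'self'",
             "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
             "X-Content-Type-Options": "nosniff", "Server": "nginx/1.24.0"},
    txt={"example.com": ["v=spf1 include:_spf.example.net -all"],
         "_dmarc.example.com": ["v=DMARC1; p=none; rua=mailto:dmarc@example.com"]},
)

if __name__ == "__main__":
    for label, site in (("A", EXAMPLE_A), ("B", EXAMPLE_B)):
        result = evaluate(**site)
        print(f"Example {label}: score {result['score']}")
        for fid, sev, msg in result["findings"]:
            print(f"  [{sev}] {fid}: {msg}")
```

Run as a script it prints the three Example A findings (CSP, Permissions-Policy, DMARC missing) and the two Example B findings (DMARC at p=none, versioned Server banner). The DMARC check is the one worth copying: presence alone is not enough, the p tag decides whether spoofed mail is merely reported or actually stopped.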
Connect your custom domain on apex and www
Make sure both hosts redirect cleanly to one canonical version with HTTPS. Framer handles certs; the redirect logic and host coverage are still on you.
Front Framer with Cloudflare to add headers
If you want HSTS, CSP, and Permissions-Policy that Framer doesn't ship by default, putting your domain on Cloudflare gives you one place to set them. See /guides/cloudflare-security-headers.
Publish SPF and DMARC for your apex
Even brochure sites benefit from email-auth records — they prevent your brand from being used in phishing campaigns.
Audit code components for inline scripts
Framer code components can inject inline JS. If you ever add CSP at a fronting CDN, you'll need nonces or external script files.
Re-scan after publishing changes
Each publish, domain switch, or DNS edit shifts what we observe. A fresh paste of the same URL catches regressions early.
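Two of the steps above are easy to verify before you publish: that apex and www both end on one HTTPS canonical host, and that any inline script a code component emits carries the nonce your CSP will require. The following is an added example written for this page, not Framer's or Scorifya's code; the redirect hops, the sample HTML and the function names (check_redirects, audit_inline_scripts) are constructed, and the nonce is generated fresh per run as it would have to be per response.

```python
"""Pre-publish checks for redirect canonicalisation and nonce-based CSP.

Added example, not Framer's or Scorifya's code. Redirect chains are recorded
as a client following redirects would see them; the HTML is constructed.
"""
import re
import secrets
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 307, 308}


def check_redirects(chains: dict, canonical: str) -> list:
    """chains maps a starting URL to its ordered hops [(url, status), ...].
    Every start must reach a 200 on https://<canonical> through redirects only."""
    problems = []
    for start, hops in chains.items():
        last = len(hops) - 1
        for i, (url, status) in enumerate(hops):
            if status == 200 and urlsplit(url).scheme != "https":
                problems.append(f"{start}: page served over plain http at {url}")
            if i < last and status not in REDIRECT_CODES:
                problems.append(f"{start}: hop {i} returned {status} but the chain continues")
        final_url, final_status = hops[-1]
        if final_status != 200:
            problems.append(f"{start}: chain ends with status {final_status}")
        elif urlsplit(final_url).netloc != canonical:
            problems.append(f"{start}: lands on {urlsplit(final_url).netloc}, expected {canonical}")
        if last > 2:
            problems.append(f"{start}: {last} redirects before the final page")
    return problems


SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
NONCE_RE = re.compile(r"""\bnonce\s*=\s*["']?([^"'\s>]+)""", re.I)
HANDLER_RE = re.compile(r"\son(\w+)\s*=", re.I)


def audit_inline_scripts(html: str, nonce: str) -> dict:
    """Report inline <script> bodies that lack the expected nonce and inline
    event handlers (which a nonce cannot cover), plus the CSP value that
    allows only same-origin files and nonced inline scripts."""
    unnonced = []
    for attrs, body in SCRIPT_RE.findall(html):
        if re.search(r"\bsrc\s*=", attrs, re.I) or not body.strip():
            continue  # external file or empty element: covered by script-src 'self'
        m = NONCE_RE.search(attrs)
        if m is None or m.group(1) != nonce:
            unnonced.append(body.strip())
    # onclick= and friends cannot carry a nonce; they must move into a script file.
    handlers = HANDLER_RE.findall(SCRIPT_RE.sub("", html))
    csp = (f"default-src 'self'; script-src 'self' 'nonce-{nonce}'; "
           "object-src 'none'; base-uri 'self'")
    return {"unnonced_inline": unnonced, "event_handlers": handlers, "csp": csp}


# Constructed redirect chains: canonical host is the apex over https.
GOOD_CHAINS = {
    "http://example.com/": [("http://example.com/", 301), ("https://example.com/", 200)],
    "http://www.example.com/": [("http://www.example.com/", 301),
                                ("https://www.example.com/", 301), ("https://example.com/", 200)],
    "https://www.example.com/": [("https://www.example.com/", 301), ("https://example.com/", 200)],
    "https://example.com/": [("https://example.com/", 200)],
}
# www host serving its own copy over plain http: two problems in one hop.
BAD_CHAINS = {"http://www.example.com/": [("http://www.example.com/", 200)]}

NONCE = secrets.token_urlsafe(16)  # must be regenerated for every response
SAMPLE_HTML = f"""<html><head>
<script src="/bundle.js"></script>
<script nonce="{NONCE}">window.__site = {{}};</script>
<script>console.log("embedded widget");</script>
</head><body><button onclick="track()">Go</button></body></html>"""

if __name__ == "__main__":
    print("good chains:", check_redirects(GOOD_CHAINS, "example.com"))
    print("bad chains:", check_redirects(BAD_CHAINS, "example.com"))
    print(audit_inline_scripts(SAMPLE_HTML, NONCE))
```

The audit flags the third script (no nonce) and the onclick handler; the first is fixed by adding the nonce or moving the code to a file, the second only by moving it to a file, since CSP nonces do not apply to handler attributes. Whatever emits the CSP at your CDN must insert the same nonce into the page for each response, otherwise the policy blocks your own scripts.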
For weights and penalties behind each category, see How Scorifya works.
No. Scorifya only requests the URL you paste and follows redirects. It cannot access your Framer projects, drafts, or team data.
Framer handles certs and platform patches. The score reflects what visitors' browsers see end-to-end: redirects, headers, DNS, and email signals — most of which depend on your domain config, not Framer's hosting.
No. This is a configuration and public-signal scorecard, not source-code analysis. Use code review and dependency scanning for component audits.
Preview URLs and your published custom domain can have different headers and redirect chains. Always scan the live URL visitors actually load.
No. We do not attempt exploitation or authenticated crawling. The score reflects publicly visible TLS, headers, DNS/email signals, and hygiene.
More detail on limits and billing: FAQ.
TLS, HTTPS & redirects
Valid certificates, modern TLS, and clean HTTP→HTTPS upgrades. We also probe whether legacy TLS 1.0/1.1 are still accepted.
Security headers
CSP, HSTS, and related headers reduce common browser-side attack surfaces and clickjacking risk.
DNS & email (passive)
SPF, DMARC, a few DKIM selectors, MX, and whether common subdomains resolve publicly—without port scanning.
Hygiene signals
Verbose server banners and risky defaults can raise your attack surface and erode trust.
Not a vulnerability scan
Scorifya checks public configuration signals; it does not attempt exploitation, port scans, or authenticated crawling.
If you're iterating on headers or deploying changes, you'll likely run multiple checks as you tighten config. When you're ready, Scorifya Pro removes scan limits and unlocks JSON/CSV/PDF exports.