Ghost publications
Ghost is a Node app you typically front with nginx, a Caddy proxy, or Cloudflare — and that's where most security headers actually need to live. Self-hosted Ghost installs commonly skip HSTS, CSP, and Referrer-Policy because the default nginx config Ghost-CLI generates focuses on routing, not hardening.
Paste the URL readers actually load — your apex or a custom subdomain like blog.example.com. Scorifya checks what unauthenticated browsers can see: HTTPS posture and redirects, security headers, passive SPF/DMARC/MX context for newsletter sends, cookie-related hints when responses carry Set-Cookie, and hygiene signals. It does not log into Ghost Admin or read your members table.
This page is written for people searching for Ghost CMS security check—same tool as the homepage, with context for that query.
How we differ from deep TLS graders, browser-focused posture tools, and header-only checkers: read the comparison.
Illustrative snapshots of what a report can look like—paste your URL above for a live score on your site.
Example A — self-hosted Ghost behind default nginx
HTTPS works, but Ghost-CLI's default nginx block doesn't add browser headers. Most fixes are one nginx reload away.
Strict-Transport-Security missing
Self-hosted Ghost rarely sets HSTS at the nginx layer by default. Add it once, and browsers that have seen it refuse plain-HTTP downgrades on every later visit.
Content-Security-Policy absent
Members and Stripe checkout flows make CSP rollout slightly more involved, but report-only mode catches the integrations cleanly.
Referrer-Policy not set
Browsers may include the full URL in outbound Referer headers; newsletter UTM links and shared post URLs then leak more context than needed.
Example B — Ghost(Pro) or Ghost behind Cloudflare
TLS and the headers your CDN ships look consistent. Email DNS for the newsletter sender is where most points still drop.
DMARC policy not at enforcement
Newsletter mail goes out under your domain; staying on p=none means spoofed mail using your brand still reaches inboxes.
Permissions-Policy missing
A short Permissions-Policy denying camera/microphone/geolocation tightens the contract for embeds in posts.
Add the security header baseline at nginx (or Cloudflare)
If you self-host, drop HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy into the same nginx server block Ghost-CLI generates. See /guides/nginx-csp for a copy-paste pattern.
Plan CSP around members and Stripe
Ghost's portal and checkout call into stripe.com and your portal subdomain. Run CSP in report-only first so you catch every domain that needs an entry in script-src and connect-src.
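The header baseline and the report-only CSP described above, combined into one nginx server block. This is a constructed example written for this page, not Ghost-CLI's generated config or Scorifya's own; the hostname, the portal host, the report endpoint and the Stripe entries are assumptions to confirm against your own CSP reports.

```nginx
# Constructed example: hardened nginx server block for a self-hosted Ghost.
# blog.example.com, portal.example.com and csp-reports.example.com are placeholders.
server {
    listen 443 ssl http2;
    server_name blog.example.com;

    # TLS directives as generated by Ghost-CLI / certbot stay here unchanged.

    # Header baseline. 'always' keeps the headers on 4xx/5xx responses too.
    # includeSubDomains is safe only if every subdomain (e.g. members.) serves HTTPS.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options "nosniff" always;
    # SAMEORIGIN rather than DENY so same-origin framing (admin previews) keeps working.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;

    # CSP in report-only mode: nothing is blocked, violations are POSTed to report-uri.
    # Stripe hosts and the portal host are assumed entries for the members/checkout
    # flow; widen a directive only when a report shows a real violation, then switch
    # the header name to Content-Security-Policy once reports are clean.
    add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' https://js.stripe.com https://portal.example.com; connect-src 'self' https://api.stripe.com https://portal.example.com; frame-src https://js.stripe.com https://hooks.stripe.com https://checkout.stripe.com; img-src 'self' data: https:; style-src 'self' 'unsafe-inline'; font-src 'self' data:; report-uri https://csp-reports.example.com/ghost" always;

    location / {
        # Caveat: an add_header inside a location block REPLACES the inherited
        # server-level list instead of merging with it. Keep headers at server
        # level, or repeat the full set in every location that adds its own.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:2368;
    }
}

# Port 80 only redirects, so HSTS is learned over HTTPS and never emitted on plain HTTP.
server {
    listen 80;
    server_name blog.example.com;
    return 301 https://$host$request_uri;
}
```

After `nginx -t` and a reload, `curl -sI https://blog.example.com/` should show every header above; a header that disappears on one path usually means a location block with its own add_header.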
Configure SPF, DKIM, and DMARC for your sending domain
Ghost newsletters typically send via Mailgun. Publish SPF/DKIM for the configured sender and a DMARC record that progresses past p=none.
Front Ghost with Cloudflare for managed headers
If you don't want to maintain nginx config, putting Ghost behind Cloudflare lets you set the entire header baseline through the Cloudflare dashboard and rules.
Re-scan after each deploy or DNS change
Ghost upgrades, theme changes, and Mailgun config swaps all shift what we observe. A fresh paste of the same URL catches regressions early.
For weights and penalties behind each category, see How Scorifya works.
No. Scorifya only requests the public URL you paste and follows redirects. It cannot access /ghost, members APIs, or your content database.
Ghost(Pro) handles the platform headers; the variables you control are your custom domain config, your DMARC/SPF for the newsletter sender, and any Cloudflare layer you put in front. Scorifya scores all of that.
No. This is a configuration and public-signal scorecard, not malware detection. For theme integrity, use git-based deploys and review changes before publishing.
members.example.com and example.com are separate hostnames with their own certs and headers. Scan both if you want full coverage.
No. We do not attempt exploitation or authenticated crawling. The score reflects publicly visible TLS, headers, DNS/email signals, and hygiene.
More detail on limits and billing: FAQ.
TLS, HTTPS & redirects
Valid certificates, modern TLS, and clean HTTP→HTTPS upgrades. We also probe whether legacy TLS 1.0/1.1 are still accepted.
Security headers
CSP, HSTS, and related headers reduce common browser-side attack surfaces and clickjacking risk.
DNS & email (passive)
SPF, DMARC, a few DKIM selectors, MX, and whether common subdomains resolve publicly—without port scanning.
Hygiene signals
Verbose server banners and risky defaults can raise your attack surface and erode trust.
Not a vulnerability scan
Scorifya checks public configuration signals; it does not attempt exploitation, port scans, or authenticated crawling.
If you're iterating on headers or deploying changes, you'll likely run multiple checks as you tighten config. When you're ready, Scorifya Pro removes scan limits and unlocks JSON/CSV/PDF exports.