Hardening guides by stack
Concrete, copy-paste recipes that fix the headers, TLS, and DNS findings Scorifya flags, organized by the platform you actually deploy on. Each guide is built around the same finding ids the scanner uses, so re-running the scan after deploy confirms the fix worked.
Run the scanner from the homepage; category weights and penalties are described on the "How scoring works" page.
Cloudflare security headers checklist (2026 edition)
Set HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy at the Cloudflare edge — with copy-paste Transform Rules and Workers snippets.
Vercel security headers — vercel.json patterns that pass Scorifya
Set HSTS, CSP, X-Frame-Options, and Referrer-Policy from vercel.json so they ship with every preview and production deploy.
Next.js HSTS configuration — Strict-Transport-Security in App Router
Add Strict-Transport-Security correctly in a Next.js App Router app: where to set it, when to enable preload, and how to verify with curl + Scorifya.
Apache security headers — .htaccess and httpd.conf patterns that pass Scorifya
Set HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy in Apache via mod_headers — copy-paste blocks for .htaccess and main config.
Express.js HSTS — adding Strict-Transport-Security to a Node app
Set HSTS correctly in Express via Helmet or a one-line custom middleware — and decide whether to do it in Node at all when you have a CDN.
Express.js Content-Security-Policy — a CSP that doesn't break your app
Add CSP to Express via Helmet's contentSecurityPolicy middleware: report-only first, per-request nonces for inline scripts, and how to flip to enforced safely.
Django security headers — settings.py and django-csp essentials
Set HSTS, CSP, X-Frame-Options, Referrer-Policy, and content-type-nosniff in Django using SECURE_* settings plus the django-csp middleware.
Rails secure_headers — the gem that handles every header Scorifya scans
Use Twitter's secure_headers gem to set HSTS, CSP, X-Frame-Options, Referrer-Policy, and Permissions-Policy with one initializer — plus per-controller overrides.
CloudFront response headers policy — security headers without Lambda@Edge
Use AWS CloudFront's response headers policy to set HSTS, CSP, X-Frame-Options, Referrer-Policy, and Permissions-Policy at the edge — Terraform and console snippets included.
IIS security headers — web.config patterns and removing X-Powered-By
Set HSTS, CSP, X-Frame-Options, Referrer-Policy, and Permissions-Policy in IIS via web.config, plus how to remove the X-Powered-By and Server headers cleanly.
nginx CSP recipe — a starter Content-Security-Policy that doesn't break your app
A copy-paste nginx CSP that starts in report-only mode, captures violations, and converts cleanly into enforced policy.