Website security score
Search traffic lands on this question because owners want reassurance—not another jargon-heavy dashboard—yet TLS missteps and missing headers quietly undermine trust without obvious breakage.
Paste your live URL for an immediate breadth-first scorecard: HTTPS behavior, security headers, exposure and hygiene cues, cookie attributes when visible, passive SPF/DMARC/MX context, and infrastructure hints—explained so non-specialists know what to fix next.
This page is written for people searching for "is my website secure". It is the same tool as the homepage, with context for that query.
How we differ from deep TLS graders, browser-focused posture tools, and header-only checkers: read the comparison.
Illustrative snapshots of what a report can look like—paste your URL above for a live score on your site.
Example A — HTTPS works but upgrade paths are messy
Visitors may reach HTTPS eventually while scanners still observe downgrade-friendly patterns—classic Fair-band posture.
HTTP→HTTPS redirects inconsistent
Port 80 answered without forcing HTTPS everywhere—mixed entrypoints confuse caches and invite downgrade attempts.
Strict-Transport-Security missing
Until HSTS ships with sensible max-age, browsers cannot cache an HTTPS-only mandate for returning visitors.
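The two Example A findings can be reproduced offline against a recorded response chain. The sketch below is an added illustration, not Scorifya's scoring code; the function names, finding labels, the 180-day max-age floor, and the sample chains are assumptions constructed here.

```python
from urllib.parse import urlsplit

MIN_MAX_AGE = 15552000  # assumed "sensible" floor (180 days); not a Scorifya value

def hsts_max_age(value):
    """Return max-age in seconds from a Strict-Transport-Security value, or None."""
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            arg = arg.strip().strip('"')
            return int(arg) if arg.isdigit() else None
    return None

def audit_chain(chain):
    """chain: [(url, status, headers), ...] hops recorded from the http:// entry point."""
    findings = []
    hops = [(urlsplit(u), s, {k.lower(): v for k, v in h.items()}) for u, s, h in chain]
    _, first_status, first_headers = hops[0]
    target = urlsplit(first_headers.get("location", ""))
    # Port 80 must answer with a redirect whose Location is an https:// URL.
    if not (300 <= first_status < 400 and target.scheme == "https"):
        findings.append("port-80-not-forced-to-https")
    # A plain-HTTP hop after an HTTPS hop means the chain steps back down.
    seen_https = False
    for url, _, _ in hops:
        if url.scheme == "https":
            seen_https = True
        elif seen_https:
            findings.append("chain-downgrades-to-http")
            break
    # Browsers only honor HSTS delivered over HTTPS, so inspect the final HTTPS response.
    final_url, _, final_headers = hops[-1]
    value = final_headers.get("strict-transport-security") if final_url.scheme == "https" else None
    age = hsts_max_age(value) if value else None
    if age is None:
        findings.append("hsts-missing")
    elif age < MIN_MAX_AGE:
        findings.append("hsts-max-age-too-short")
    return findings

# Constructed sample chains (example.test is a placeholder host).
EXAMPLE_A = [("http://example.test/", 200, {"Content-Type": "text/html"})]
EXAMPLE_B = [
    ("http://example.test/", 301, {"Location": "https://example.test/"}),
    ("https://example.test/", 200,
     {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}),
]

if __name__ == "__main__":
    print("A:", audit_chain(EXAMPLE_A))
    print("B:", audit_chain(EXAMPLE_B))
```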
Example B — disciplined defaults
Redirects, TLS, headers, and hygiene reinforce each other—remaining notes are informational polish.
Verbose Server banner
Minor hygiene deduction encouraging quieter defaults alongside CDN-managed responses.
Answer TLS questions before debating widgets
Certificates and redirects must be airtight—everything else stacks on top of predictable HTTPS.
Explain findings to stakeholders
Each penalty ties to plain-language risk notes—share screenshots during sprint planning.
Treat headers as ongoing hygiene
CSP and framing protections evolve with new scripts—schedule quarterly reruns after roadmap shifts.
Publish DMARC while mail volume grows
Even modest newsletters benefit from staged DMARC alongside SPF alignment.
Combine Scorifya with deeper reviews when warranted
Great scores reduce noisy risks yet never replace targeted audits for regulated workloads.
For weights and penalties behind each category, see How Scorifya works.
No—it means publicly visible TLS, headers, DNS/email hints, and hygiene look strong. Application bugs and insider threats still require other controls.
Browsers cache outcomes differently on a first visit versus repeat visits; Scorifya also checks redirects, legacy TLS acceptance, and header posture—not only certificate validity.
You may paste any public HTTPS URL you control, but authenticated checkout flows requiring customer sessions remain partially opaque.
No. We evaluate the pasted URL’s response chain plus passive DNS lookups documented on How Scorifya works—not multi-page crawling.
Once caches and DNS TTLs refresh, rescans typically show updates immediately—sometimes sooner via CDN purge workflows.
More detail on limits and billing: FAQ.
TLS, HTTPS & redirects
Valid certificates, modern TLS, and clean HTTP→HTTPS upgrades. We also probe whether legacy TLS 1.0/1.1 are still accepted.
Security headers
CSP, HSTS, and related headers reduce common browser-side attack surfaces and clickjacking risk.
DNS & email (passive)
SPF, DMARC, a few DKIM selectors, MX, and whether common subdomains resolve publicly—without port scanning.
Hygiene signals
Verbose server banners and risky defaults can raise your attack surface and erode trust.
Not a vulnerability scan
Scorifya checks public configuration signals; it does not attempt exploitation, port scans, or authenticated crawling.
If you're iterating on headers or deploying changes, you'll likely run multiple checks as you tighten config. When you're ready, Scorifya Pro removes scan limits and unlocks JSON/CSV/PDF exports.