nginx & reverse proxies
Many teams terminate TLS or inject headers in nginx—but config drifts across server blocks, cached includes, and upstream CDNs. Without a live check, it is easy to think HSTS or CSP ships while visitors still see an older edge response.
Paste the public URL your users load (the hostname nginx or your front proxy answers for). Scorifya fetches what browsers receive: TLS and redirect behavior, security headers on the final response, passive DNS/email signals for that hostname, cookie hints when present, and hygiene. It reflects live edge output—use it after editing header directives, upstream proxy routes, SSL listeners, or when a CDN sits in front.
This page is written for people searching for nginx security headers check—same tool as the homepage, with context for that query.
How we differ from deep TLS graders, browser-focused posture tools, and header-only checkers: read the comparison.
Illustrative snapshots of what a report can look like—paste your URL above for a live score on your site.
Example A — TLS OK, headers weaker than expected
Certificates validate while CSP or framing headers never appeared on the HTML response nginx serves—often because the headers were omitted from the active server block.
Content-Security-Policy absent
No CSP header on the fetched response—confirm whether policy should originate from nginx, an upstream app, or a CDN layer.
Anti-framing not detected
Neither CSP frame-ancestors nor a framing header appeared—a common miss when only the static-asset locations still carried legacy header snippets.
Example B — headers aligned after nginx pass
HSTS and baseline protections show up consistently; remaining work is tightening CSP allowances or finishing mail DNS.
CSP still permissive on script-src
Policy exists—iterate as you retire unused third-party origins.
DMARC monitoring-only
Mail DNS progresses toward enforcement—Scorifya notes when receivers still see policy “none”.
Confirm which layer emits headers
If nginx proxies to an app or CDN, duplicates or overrides happen—pick one authoritative layer for CSP and HSTS unless you intentionally split duties.
Remember the “always” flag for error responses
Headers dropped on 4xx/5xx paths skew what Scorifya sees intermittently—configure nginx so important headers apply on every response status when that is your intent.
Stage CSP in report-only first
Ship Content-Security-Policy-Report-Only, watch violations, then enforce—Stack guides include an nginx CSP recipe you can adapt.
Reload and rescan
After a config test and reload, paste the same public URL—caches and upstreams can lag behind your file edit.
Validate HTTP→HTTPS at the listener you own
Separate server blocks for port 80 vs 443 often diverge—permanent redirects should match the hostnames visitors actually type.
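The tips above as one nginx configuration, added here as an example that is not Scorifya's own material: a redirect-only port 80 block, TLS 1.2+ on 443, the always flag on each header, a report-only CSP, de-duplication against the upstream app, and the add_header inheritance gotcha that silently drops server-level headers in any location that sets its own. Hostnames, certificate and document paths, the upstream address and cdn.example.com are assumed placeholders.

```nginx
# Added example, not Scorifya's or nginx's own code. Hostnames, cert paths,
# the upstream address and cdn.example.com are placeholders.

# Port 80 block: redirect only. $host carries the hostname the visitor typed,
# so the 301 lands on the same name the 443 block answers for.
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;

    ssl_certificate     /etc/nginx/certs/example.com.pem;   # placeholder
    ssl_certificate_key /etc/nginx/certs/example.com.key;   # placeholder
    ssl_protocols TLSv1.2 TLSv1.3;   # legacy TLS 1.0/1.1 no longer accepted

    # "always" keeps each header on 4xx/5xx responses; without it nginx adds
    # add_header fields only to a fixed list of success/redirect codes, so a 404 would arrive bare.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Content-Type-Options "nosniff" always;

    # Stage CSP as report-only first; rename to Content-Security-Policy once
    # the reports are clean. frame-ancestors is the anti-framing control.
    add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' https://cdn.example.com; frame-ancestors 'none'; report-uri /csp-report" always;

    location / {
        proxy_pass http://127.0.0.1:8080;
        # One authoritative layer: strip any copy the upstream app emits so the
        # browser never sees two CSP or HSTS headers with different values.
        proxy_hide_header Content-Security-Policy;
        proxy_hide_header Strict-Transport-Security;
    }

    # Inheritance gotcha: a single add_header inside a location discards every
    # add_header inherited from the server block. This static location would
    # therefore ship without HSTS/CSP unless they are repeated here.
    location /static/ {
        root /var/www/example;   # placeholder
        add_header Cache-Control "public, max-age=86400" always;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' https://cdn.example.com; frame-ancestors 'none'; report-uri /csp-report" always;
    }
}
```

Run nginx -t and reload, then rescan the same public URL; a CDN or upstream cache in front can keep serving the previous headers for a while.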
For weights and penalties behind each category, see How Scorifya works.
No. We only request your public HTTPS URL and passive DNS contexts documented on How Scorifya works—never server filesystem access.
If the mistake changes headers or TLS on the URL you paste, yes. We do not parse nginx syntax—we observe live responses.
Scan the hostname browsers load. Headers may come from the CDN, nginx, or both—results reflect the combined edge.
Only publicly reachable HTTPS URLs work—private (RFC 1918) hosts are out of scope.
No. Passive HTTPS fetch plus documented DNS lookups—no exploitation or authenticated crawling.
More detail on limits and billing: FAQ.
TLS, HTTPS & redirects
Valid certificates, modern TLS, and clean HTTP→HTTPS upgrades. We also probe whether legacy TLS 1.0/1.1 are still accepted.
Security headers
CSP, HSTS, and related headers reduce common browser-side attack surfaces and clickjacking risk.
DNS & email (passive)
SPF, DMARC, a few DKIM selectors, MX, and whether common subdomains resolve publicly—without port scanning.
Hygiene signals
Verbose server banners and risky defaults can raise your attack surface and erode trust.
Not a vulnerability scan
Scorifya checks public configuration signals; it does not attempt exploitation, port scans, or authenticated crawling.
If you're iterating on headers or deploying changes, you'll likely run multiple checks as you tighten config. When you're ready, Scorifya Pro removes scan limits and unlocks JSON/CSV/PDF exports.