Security headers
Important protections, such as HTTP Strict Transport Security, Content Security Policy, and anti-framing rules, live in HTTP response headers. When a release drops or weakens one of them, the page still loads normally and the browser silently falls back to weaker defaults, so nobody notices until a scan or an incident.
Paste the URL visitors load publicly. Scorifya reads response headers together with TLS behavior and passive SPF/DMARC/MX signals, then explains gaps in plain language with prioritized fixes—not a raw header dump alone.
This page is written for people searching for security headers check—same tool as the homepage, with context for that query.
How we differ from deep TLS graders, browser-focused posture tools, and header-only checkers: read the comparison.
Illustrative snapshots of what a report can look like—paste your URL above for a live score on your site.
Example A — HTTPS fine, policies incomplete
The certificate chain validates and HTTPS works, but a missing CSP or framing rule still costs meaningful points in the Security-headers bucket.
Content-Security-Policy missing
Without a CSP, the browser places no restriction on where scripts, frames, and other resources may load from, so any injected markup runs with the page's full privileges; the exposure grows as third-party scripts and embeds accumulate.
Anti-framing not enforced
Neither a CSP frame-ancestors directive nor an X-Frame-Options header was present, so any origin can frame the page (clickjacking); revisit the rule if partners legitimately embed your UI in iframes.
Example B — mature header set
Core protections align with deployed assets; remaining notes invite tighter CSP allowances over time.
CSP allows broader script origins than ideal
Functional allowances linger—trim hosts once telemetry confirms unused vendors.
DMARC still in monitoring mode
SPF is published and aligns, but the DMARC record carries p=none, so receivers only report on failures and never quarantine or reject spoofed mail; move to quarantine and then reject once every legitimate mail stream authenticates cleanly.
Inventory headers at every edge
CDNs and proxies rewrite responses—confirm CSP and HSTS survive the path from origin to browser.
Stage CSP with report-only first
Collect real violations before enforcing stricter script-src or frame-ancestors directives.
Pair HSTS coverage with redirect facts
Increase max-age only after every hostname visitors use redirects HTTP to HTTPS permanently; once a browser caches a long max-age it refuses plain HTTP on that host until the value expires, so a host that still needs HTTP becomes unreachable.
Align framing rules with embed partners
Marketing iframes may need explicit frame-ancestors allowlists instead of blanket deny defaults.
Rescan after each deploy
Header regressions are common—paste the same URL again after releases.
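The snapshot findings above (missing CSP, unenforced framing, over-broad script-src) and the report-only and HSTS tips can be reproduced offline from a captured header set. The following is an added example written for this page, not Scorifya's own scoring code: the finding codes, the 180-day HSTS threshold, the list of "broad" script sources, and the sample header sets are all assumptions chosen for illustration.

```python
"""Added example, not Scorifya's code: an offline analyzer that reproduces the
kinds of header findings shown in the report snapshots.  It works on an
already-captured header set (constructed samples at the bottom), so no
network access is needed; finding codes and thresholds are illustrative."""
import re
from typing import Dict, List, Tuple

# Illustrative threshold (180 days); the page does not state Scorifya's own.
MIN_HSTS_MAX_AGE = 15_552_000
# Script sources that make a script-src list effectively open. Assumed list.
BROAD_SCRIPT_SOURCES = {"*", "https:", "http:", "data:", "'unsafe-inline'", "'unsafe-eval'"}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def parse_hsts(value: str) -> Tuple[int, bool]:
    """Return (max-age seconds, includeSubDomains present) from an HSTS value."""
    max_age, include_subdomains = 0, False
    for token in value.split(";"):
        token = token.strip()
        m = re.fullmatch(r'max-age\s*=\s*"?(\d+)"?', token, re.IGNORECASE)
        if m:
            max_age = int(m.group(1))
        elif token.lower() == "includesubdomains":
            include_subdomains = True
    return max_age, include_subdomains


def analyze_headers(headers: Dict[str, str]) -> List[str]:
    """Return finding codes for one response; header names are case-insensitive."""
    h = {name.lower(): value for name, value in headers.items()}
    findings: List[str] = []

    csp = h.get("content-security-policy")
    policy = parse_csp(csp) if csp else {}
    if csp is None:
        # A report-only policy is collected but never enforced (staged rollout).
        findings.append("csp-report-only" if "content-security-policy-report-only" in h else "csp-missing")
    elif "script-src" not in policy and "default-src" not in policy:
        findings.append("csp-no-script-restriction")
    else:
        script_src = policy.get("script-src", policy.get("default-src", []))
        if any(src in BROAD_SCRIPT_SOURCES for src in script_src):
            findings.append("csp-broad-script-src")

    # Anti-framing counts only when enforced: frame-ancestors in the enforced CSP, or X-Frame-Options.
    if "frame-ancestors" not in policy and "x-frame-options" not in h:
        findings.append("anti-framing-missing")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("hsts-missing")
    elif parse_hsts(hsts)[0] < MIN_HSTS_MAX_AGE:
        findings.append("hsts-short-max-age")
    return findings


# Constructed sample header sets mirroring Example A, Example B and a staged CSP rollout.
EXAMPLE_A = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
}
EXAMPLE_B = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https:; frame-ancestors 'none'",
}
STAGED = {
    "Content-Security-Policy-Report-Only": "default-src 'self'; frame-ancestors 'none'; report-uri /csp-report",
    "Strict-Transport-Security": "max-age=300",
}

if __name__ == "__main__":
    for label, sample in (("Example A", EXAMPLE_A), ("Example B", EXAMPLE_B), ("Staged", STAGED)):
        print(label, analyze_headers(sample))
```

Feed it the headers of a real response (for instance the mapping returned by `requests.get(url).headers`) and run it once per edge, since a CDN or proxy may strip or rewrite what the origin sends. Note that a frame-ancestors directive in a report-only policy is deliberately not counted as anti-framing, because nothing report-only is enforced.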
For weights and penalties behind each category, see How Scorifya works.
Headers drive much of the Security-headers bucket, but Scorifya also scores TLS behavior, passive DNS/email hints, hygiene, and cookies when visible—same engine as the homepage.
Not necessarily. Only the URL you paste is fetched—normalize headers upstream if routes diverge unintentionally.
No. We perform passive HTTPS requests and documented DNS lookups—not browsing automation or exploitation.
Yes when the URL is public HTTPS—remember APIs consumed server-side may show different headers than browser pages.
DevTools helps interactively; Scorifya adds weighted scoring, TLS context, mail DNS snapshots, and export-friendly summaries.
More detail on limits and billing: FAQ.
TLS, HTTPS & redirects
Valid certificates, modern TLS, and clean HTTP→HTTPS upgrades. We also probe whether legacy TLS 1.0/1.1 are still accepted.
Security headers
CSP, HSTS, and related headers reduce common browser-side attack surfaces and clickjacking risk.
DNS & email (passive)
SPF, DMARC, a few DKIM selectors, MX, and whether common subdomains resolve publicly—without port scanning.
Hygiene signals
Verbose server banners and risky defaults can raise your attack surface and erode trust.
Not a vulnerability scan
Scorifya checks public configuration signals; it does not attempt exploitation, port scans, or authenticated crawling.
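The "DMARC still in monitoring mode" note in Example B and the "DNS & email (passive)" card both come down to reading TXT records. The block below is an added example for this page, not Scorifya's code: it classifies already-fetched SPF and DMARC records without performing any DNS query. The finding codes are assumptions, and the records use the reserved example.com domain and are constructed for the demonstration.

```python
"""Added example, not Scorifya's code: classify already-fetched SPF and DMARC
TXT records the way the "DMARC still in monitoring mode" note and the
"DNS & email (passive)" card describe.  No DNS query is made; the records
below are constructed samples and the finding codes are illustrative."""
import re
from typing import Dict, List

# SPF terms that cost a DNS lookup (RFC 7208 caps these at 10 per evaluation).
SPF_LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(?:[:/]|$)|^redirect=", re.IGNORECASE)


def parse_tags(record: str) -> Dict[str, str]:
    """Parse a 'k=v; k=v' DMARC record into a dict with lower-cased tag names."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_findings(record: str) -> List[str]:
    """Report why a DMARC record falls short of full enforcement."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return ["dmarc-invalid"]
    policy = tags["p"].lower()
    if policy not in ("none", "quarantine", "reject"):
        return ["dmarc-invalid"]
    findings: List[str] = []
    if policy == "none":
        # Receivers only report; spoofed mail is neither quarantined nor rejected.
        findings.append("dmarc-monitoring-only")
    if "rua" not in tags:
        # Without aggregate reports there is no telemetry to justify tightening p=.
        findings.append("dmarc-no-aggregate-reports")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append("dmarc-partial-pct")
    return findings


def spf_findings(record: str) -> List[str]:
    """Flag an SPF record that is permissive or exceeds the lookup limit."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["spf-invalid"]
    findings: List[str] = []
    lookups = sum(1 for t in terms[1:] if SPF_LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append("spf-too-many-lookups")
    all_terms = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("spf-no-all")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("spf-pass-all")   # every sender passes SPF
        elif qualifier == "?":
            findings.append("spf-neutral-all")
    return findings


# Constructed sample records (example.com is a reserved documentation domain).
MONITORING_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
ENFORCED_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"
SAFE_SPF = "v=spf1 include:_spf.example.com ip4:203.0.113.0/24 -all"
OPEN_SPF = "v=spf1 include:_spf.example.com +all"

if __name__ == "__main__":
    for rec in (MONITORING_DMARC, ENFORCED_DMARC):
        print(rec, "->", dmarc_findings(rec))
    for rec in (SAFE_SPF, OPEN_SPF):
        print(rec, "->", spf_findings(rec))
```

To run it against a live domain, fetch the TXT records for `_dmarc.<domain>` and `<domain>` with a resolver of your choice and pass the strings in; the lookup-count check only counts terms in the record you pass, so nested include chains need each included record checked the same way.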
If you're iterating on headers or deploying changes, you'll likely run multiple checks as you tighten config. When you're ready, Scorifya Pro removes scan limits and unlocks JSON/CSV/PDF exports.