Shopify stores
Customers judge trust in milliseconds—broken redirects, weak cookie posture on your storefront hostname, or missing browser protections can undermine confidence even when checkout itself is handled under strict standards elsewhere.
Paste the exact storefront URL shoppers load—custom domain or hosted hostname. Scorifya summarizes TLS behavior, observable headers on that HTTPS response, passive SPF/DMARC/MX signals for your domain label, and cookie hints when Set-Cookie appears. You still manage admin policies, apps, and payments compliance separately; this pass benchmarks what the public edge exposes.
This page is written for people searching for Shopify security check—same tool as the homepage, with context for that query.
How we differ from deep TLS graders, browser-focused posture tools, and header-only checkers: read the comparison.
Illustrative snapshots of what a report can look like—paste your URL above for a live score on your site.
Example A — storefront URL after new apps or theme edits
HTTPS looks healthy, but layered apps or proxies sometimes strip headers or weaken cookie attributes visible on HTML responses.
Cookie SameSite / Secure signals weak
Cart and analytics integrations rely on cookies—flags should match how embedded widgets and checkout flows behave.
Anti-framing directive missing
Without frame-ancestors or equivalent protections, storefront pages may be embeddable in ways that enable clickjacking-style UI tricks.
Email authentication gaps on marketing domain
SPF alone is common; DMARC at enforcement reduces spoofed messages that impersonate your brand when you send from the same domain.
Example B — stronger header baseline on the same origin
TLS, redirects, and browser-side headers line up for typical shopping traffic; remaining notes are usually email DNS polish or niche subdomains.
CSP could tighten third-party script allowances
A policy exists but still whitelists broad hosts—iterate as you retire legacy marketing pixels.
Optional HSTS preload eligibility
Preload is a commitment that every subdomain serves HTTPS-only; many stores skip it until DNS and assets are fully consistent.
Treat the storefront hostname as your edge contract
Scan the URL customers type, not an internal preview link. Headers and TLS must hold for that hostname after every app or CDN tweak.
Coordinate headers across apps and proxies
Some integrations inject middleware—confirm important headers survive your reverse proxy or storefront pipeline.
Stage CSP alongside marketing scripts
Report-only CSP helps catalog real script sources before you shrink allowances tied to analytics or personalization vendors.
Align DMARC with Shopify Email and ESP domains
If marketing sends from your brand domain, progressive DMARC protects recipients without touching checkout scope.
Schedule rescans around launches
Black Friday builds, domain moves, and headless experiments frequently regress headers—paste the URL again after each go-live.
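The checks the snapshots and tips above describe (headers stripped by apps or proxies, weak cookie attributes, a missing anti-framing directive, broad CSP script-src allowances, HSTS preload eligibility, verbose server banners) as an added example that is not Scorifya's code: a passive audit over the header list of one HTTPS response, with a constructed weak sample and a hardened sample beside it for contrast. The header values and host names are made up for the example; the 31536000-second (one year) max-age threshold is the hstspreload.org minimum.

```python
import re
# Constructed sample headers (not from any real store): a storefront edge where an
# app or proxy layer left gaps, and a hardened baseline beside it for contrast.
WEAK = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self' https:"),
    ("Set-Cookie", "cart=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "_trk=xyz; Path=/; Secure; SameSite=None"),
    ("Server", "nginx/1.18.0"),
]
HARDENED = [
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self' https://cdn.example; frame-ancestors 'none'"),
    ("Set-Cookie", "cart=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Server", "nginx"),
]

def hsts_findings(value):
    """Missing HSTS, or HSTS short of the hstspreload.org bar (1y max-age, includeSubDomains, preload)."""
    if value is None:
        return ["HSTS missing"]
    parts = [p.strip().lower() for p in value.split(";")]
    age = next((p.split("=", 1)[1] for p in parts if p.startswith("max-age=")), "0")
    needs = ["max-age>=1y"] if not age.isdigit() or int(age) < 31536000 else []
    needs += [d for d in ("includesubdomains", "preload") if d not in parts]
    return ["HSTS not preload-eligible (needs %s)" % ", ".join(needs)] if needs else []

def csp_findings(csp, xfo):
    """Anti-framing coverage (frame-ancestors or X-Frame-Options) and broad script-src hosts."""
    out = [] if csp is not None else ["CSP missing"]
    if "frame-ancestors" not in (csp or "") and not xfo:
        out.append("anti-framing directive missing")
    m = re.search(r"(?:^|;)\s*script-src([^;]*)", csp or "")
    if m and re.search(r"(?:^|\s)(\*|https?:)(?:\s|$)", m.group(1)):  # '*' or scheme-only source
        out.append("CSP script-src allows broad hosts")
    return out

def cookie_findings(set_cookie):
    """Secure and SameSite attributes on one Set-Cookie value."""
    name = set_cookie.split(";", 1)[0].split("=", 1)[0].strip()
    attrs = {p.strip().partition("=")[0].lower() for p in set_cookie.split(";")[1:]}
    return ["cookie %s lacks %s" % (name, a) for a in ("Secure", "SameSite") if a.lower() not in attrs]
def audit(headers):
    """Passive posture findings for one HTTPS response's (name, value) header list."""
    single = {k.lower(): v for k, v in headers if k.lower() != "set-cookie"}
    findings = hsts_findings(single.get("strict-transport-security"))
    findings += csp_findings(single.get("content-security-policy"), single.get("x-frame-options"))
    findings += [f for k, v in headers if k.lower() == "set-cookie" for f in cookie_findings(v)]
    if re.search(r"\d", single.get("server", "")):  # a version number in the banner
        findings.append("verbose server banner: " + single["server"])
    return findings
```

Run `audit` against the headers your own edge actually returns for the storefront hostname; a finding that disappears on the hardened sample but persists live points at the app or proxy layer that rewrote the response.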
For weights and penalties behind each category, see How Scorifya works.
No. Scorifya reads only the public storefront response for the URL you enter. Admin policies remain outside this passive view.
No. Checkout assurance follows its own programs. This scan reflects TLS, headers, DNS/email hints, and hygiene on the pasted storefront URL.
Scan whichever hostname shoppers actually load. TLS certificates, redirects, and DNS records differ between labels even when content mirrors.
Apps, scripts, external proxies, or DNS routing may alter responses. Always trust what Scorifya fetches live rather than assumed defaults.
No. Anything requiring credentials or unpublished tokens cannot be fetched—use a publicly reachable staging mirror when safe policy allows.
More detail on limits and billing: FAQ.
TLS, HTTPS & redirects
Valid certificates, modern TLS, and clean HTTP→HTTPS upgrades. We also probe whether legacy TLS 1.0/1.1 are still accepted.
Security headers
CSP, HSTS, and related headers reduce common browser-side attack surfaces and clickjacking risk.
DNS & email (passive)
SPF, DMARC, a few DKIM selectors, MX, and whether common subdomains resolve publicly—without port scanning.
Hygiene signals
Verbose server banners and risky defaults can raise your attack surface and erode trust.
Not a vulnerability scan
Scorifya checks public configuration signals; it does not attempt exploitation, port scans, or authenticated crawling.
If you're iterating on headers or deploying changes, you'll likely run multiple checks as you tighten config. When you're ready, Scorifya Pro removes scan limits and unlocks JSON/CSV/PDF exports.