Small business
Small teams juggle hosting, domains, email, and marketing tools—without a dedicated security group, it is easy to miss weak HTTPS behavior, missing headers, or unfinished mail authentication while the site still looks normal to customers.
Paste your public homepage or primary domain—the same free Scorifya pass as everywhere else. You get TLS and redirect behavior, security headers browsers rely on, passive SPF/DMARC/MX context for your brand domain, cookie hints when responses expose them, and hygiene signals—explained so owners and freelancers can act without a jargon worksheet.
This page is written for people searching for "small business website security check". It is the same tool as the homepage, with context for that query.
How we differ from deep TLS graders, browser-focused posture tools, and header-only checkers: read the comparison.
Illustrative snapshots of what a report can look like—paste your URL above for a live score on your site.
Example A — busy storefront or brochure site before cleanup
Visitors reach HTTPS often enough, but inconsistent redirects and absent headers leave gaps to close before you can claim a strong posture.
HTTP→HTTPS redirects uneven
Some entry paths still answer without a clean permanent redirect, which leaves a downgrade risk for bookmarked links until fixed.
HSTS not published
Browsers lack a cached HTTPS-only mandate for returning visitors until HSTS ships with sensible max-age.
Framing protections missing
If booking widgets or partner embeds wrap your pages, framing headers deserve a deliberate policy.
Example B — tightened baseline teams maintain quarterly
Redirects and TLS feel predictable; headers cover primary risks while mail DNS follows a staged rollout.
CSP permissive but present
A policy exists—iterate toward tighter script allowances as marketing stacks simplify.
DMARC advancing toward enforcement
Monitoring phase validated legitimate mail—next steps tighten spoofing windows gradually.
Ask your host or agency for HTTPS end-to-end
Request permanent redirects from HTTP to HTTPS on apex and www before debating exotic protections.
Publish staged DMARC when you send as your domain
Newsletters and receipts should authenticate—SPF plus DKIM alignment sets up safer DMARC policies.
Schedule rescans after big edits
Theme swaps, DNS moves, or new booking tools shift headers—rerun the check the day after go-live.
Share the score with whoever controls DNS
Mail and subdomain records live in DNS consoles—forward findings so the right vendor can act.
Pair Scorifya with good backups and updates
Configuration scoring complements routine maintenance—it does not replace patches or malware monitoring.
For weights and penalties behind each category, see How Scorifya works.
No—paste your URL and read plain-language findings. Technical teammates still help implement CDN or DNS changes faster.
We evaluate the URL you enter plus passive DNS contexts documented on How Scorifya works—not full-site crawling.
It gives a credible baseline for public hardening—not compliance certification, penetration testing, or policy advice.
Only run checks on URLs you own or have explicit permission to test—respect robots guidance and acceptable use.
Hosting bundles, CDN rules, SSL renewals, and DNS TTLs change independently from your content edits.
More detail on limits and billing: FAQ.
TLS, HTTPS & redirects
Valid certificates, modern TLS, and clean HTTP→HTTPS upgrades. We also probe whether legacy TLS 1.0/1.1 are still accepted.
Security headers
CSP, HSTS, and related headers reduce common browser-side attack surfaces and clickjacking risk.
DNS & email (passive)
SPF, DMARC, a few DKIM selectors, MX, and whether common subdomains resolve publicly—without port scanning.
Hygiene signals
Verbose server banners and risky defaults can increase your attack surface and erode trust.
Not a vulnerability scan
Scorifya checks public configuration signals; it does not attempt exploitation, port scans, or authenticated crawling.
If you're iterating on headers or deploying changes, you'll likely run multiple checks as you tighten config. When you're ready, Scorifya Pro removes scan limits and unlocks JSON/CSV/PDF exports.