Squarespace sites
Squarespace handles much of the heavy lifting, but your published hostname still has its own DNS records, connected services, and response headers that visitors actually receive. Those layers drift whenever you wire up email, domains, or embedded marketing tools.
Paste your live site URL (primary domain or connected hostname). Scorifya summarizes HTTPS posture and redirects, the headers returned with your HTML response at the edge, passive SPF/DMARC/MX lookups aligned with our published methodology, and hygiene cues, all without signing into your site builder.
This page is written for people searching for “Squarespace security check”: same tool as the homepage, with context for that query.
How we differ from deep TLS graders, browser-focused posture tools, and header-only checkers: read the comparison.
Illustrative snapshots of what a report can look like—paste your URL above for a live score on your site.
Example A — marketing domain sends mail but DNS lags
Visitors see TLS working, yet passive mail authentication signals remain incomplete—a frequent gap after launching newsletters.
DMARC record missing
SPF might exist while DMARC stays unpublished, so receivers have a harder time detecting spoofed mail that uses your domain.
Legacy TLS accepted
Older TLS versions sometimes linger at shared edges; retiring them improves posture for visitors on modern browsers.
Framing protections absent
If embed-heavy landing pages rely on partner iframes, confirm anti-framing headers still match how your templates behave.
Example B — tighter DNS plus stronger headers
HTTPS and headers align with visitor expectations while mail DNS catches up—remaining notes tend to be hygiene polish.
DMARC still monitoring-only
Policies starting at “none” are normal—advance toward enforcement once legitimate mail streams authenticate cleanly.
Verbose fingerprint hints
Small hygiene deductions remind teams to strip noisy banners during periodic reviews—not usually urgent.
Verify DNS where Squarespace points mail
After connecting domains or third-party mailers, SPF and DMARC must reflect actual sending sources—not stale templates.
Scan after domain connection changes
Squarespace DNS edits propagate unevenly; rerun Scorifya once TTLs expire so TLS and MX snapshots match reality.
Treat embedded widgets as CSP stakeholders
Embedding calendars, podcasts, or storefront widgets changes script sources—stage CSP accordingly.
Confirm redirects cover apex and www
Visitors bookmark both variants; Scorifya rewards predictable HTTPS upgrades everywhere.
Bookmark rescans before launches
Campaign pushes often tweak DNS or proxied assets—paste your URL again after each publish.
For weights and penalties behind each category, see How Scorifya works.
No. We fetch only your public URL and passive DNS contexts documented on our methodology page—never authenticated dashboard views.
Documentation describes intent; Scorifya measures live responses. Connected domains, scripts, or DNS overrides may differ.
Only if the URL is reachable without credentials. Password-protected or staging URLs stay out of scope.
No—it surfaces passive SPF/DMARC/MX hints so you know where work remains with your DNS provider or ESP.
Certificates, redirects, and headers can diverge between hostnames even when pages look identical—scan both when unsure.
More detail on limits and billing: FAQ.
TLS, HTTPS & redirects
Valid certificates, modern TLS, and clean HTTP→HTTPS upgrades. We also probe whether legacy TLS 1.0/1.1 are still accepted.
Security headers
CSP, HSTS, and related headers reduce common browser-side attack surfaces and clickjacking risk.
DNS & email (passive)
SPF, DMARC, a few DKIM selectors, MX, and whether common subdomains resolve publicly—without port scanning.
Hygiene signals
Verbose server banners and risky defaults can enlarge your attack surface and erode trust.
Not a vulnerability scan
Scorifya checks public configuration signals; it does not attempt exploitation, port scans, or authenticated crawling.
If you're iterating on headers or deploying changes, you'll likely run multiple checks as you tighten config. When you're ready, Scorifya Pro removes scan limits and unlocks JSON/CSV/PDF exports.