TLS & HTTPS
Certificates can look fine in a browser tab while legacy protocols stay enabled, redirects behave inconsistently, or first-hop HTTP still answers without a clean upgrade—those gaps eat TLS-category points before you touch CSP.
Paste your production hostname. Scorifya scores TLS & HTTPS alongside security headers, exposure and hygiene, cookies when visible, and passive SPF/DMARC/MX signals—so TLS improvements lift the right bucket without guessing how it blends into the overall 0–100 result. Same engine as the homepage; this page frames the TLS side of the score for people searching that phrase.
This page is written for people searching for TLS security score check—same tool as the homepage, with context for that query.
How we differ from deep TLS graders, browser-focused posture tools, and header-only checkers: read the comparison.
Illustrative snapshots of what a report can look like—paste your URL above for a live score on your site.
Example A — cert valid, redirect story messy
HTTPS works for common paths while port 80 or alternate hostnames still send mixed signals—TLS & HTTPS bucket carries most of the drag.
HTTP→HTTPS redirect inconsistent
Some entrypoints answered without a permanent redirect—visitors and caches see downgrade-friendly behavior.
Legacy TLS still accepted
Older protocol versions remained negotiable—modern clients ignore them, but the signal still lowers TLS scoring.
Example B — tight transport, room in headers
Redirects and certificates line up; HSTS may be present—remaining lift often comes from CSP and framing polish in the Security-headers bucket.
HSTS present with growing max-age
Policy caches in browsers—confirm every subdomain meant to inherit the policy truly serves HTTPS-only.
Content-Security-Policy could tighten
TLS is no longer the bottleneck; script and frame directives offer the next wins.
Permanent redirect every HTTP hostname
Aim for 301 (or equivalent) to the canonical HTTPS URL on apex, www, and marketing hosts visitors still type.
Disable legacy TLS where traffic allows
Retire TLS 1.0/1.1 at your terminator—Scorifya surfaces when negotiation still accepts them.
Publish HSTS deliberately
Match max-age and includeSubDomains to real coverage; expand only after proving no stranded HTTP-only services.
Watch renewal and chain completeness
Partial intermediates or nearing expiry show up as TLS findings—renew early behind the same public hostname.
Rescan after infra changes
Load balancers, CDNs, and cert imports shift negotiation—paste the URL again after each cutover.
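The redirect and HSTS items above can be checked against what each hostname actually returns. The block below is an added example, not Scorifya's code or scoring logic: it audits constructed observations, and the finding names, the one-year `MIN_MAX_AGE` threshold and the `example.com` hosts are assumptions.

```python
from urllib.parse import urlsplit

MIN_MAX_AGE = 31536000  # assumed threshold (one year), not a Scorifya value

# Constructed observations: host -> (first-hop HTTP status, Location, HSTS header seen over HTTPS)
OBSERVED = {
    "example.com": (301, "https://example.com/", "max-age=31536000; includeSubDomains"),
    "www.example.com": (302, "https://example.com/", "max-age=300"),
    "promo.example.com": (200, None, None),
}

def parse_hsts(value):
    """Return (max_age or None, include_subdomains) from a Strict-Transport-Security value."""
    max_age, include_sub = None, False
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name, arg = name.strip().lower(), arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            max_age = int(arg)
        elif name == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def audit_host(status, location, hsts):
    """Findings for one hostname; 308 is treated as the '301 or equivalent' case."""
    findings = []
    if status not in (301, 302, 303, 307, 308):
        findings.append("http-no-redirect")
    elif urlsplit(location or "").scheme != "https":
        findings.append("http-redirect-not-https")
    elif status not in (301, 308):
        findings.append("http-redirect-not-permanent")
    if hsts is None:
        findings.append("hsts-missing")
    elif (parse_hsts(hsts)[0] or 0) < MIN_MAX_AGE:
        findings.append("hsts-max-age-missing-or-short")
    return findings

def audit_all(observed):
    """Per-host findings, plus a flag for hosts answering plain HTTP under an includeSubDomains parent."""
    report = {host: audit_host(*obs) for host, obs in observed.items()}
    for parent, (_, _, hsts) in observed.items():
        if hsts and parse_hsts(hsts)[1]:
            for host, found in report.items():
                if host.endswith("." + parent) and found and found[0] in (
                        "http-no-redirect", "http-redirect-not-https"):
                    found.append("verify-https-before-includeSubDomains:" + parent)
    return report
```

The last finding marks the stranded-service case: a subdomain that still answers plain HTTP while a parent policy with includeSubDomains tells browsers to use HTTPS only.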
For weights and penalties behind each category, see How Scorifya works.
TLS & HTTPS is one weighted category inside the published 0–100 score. Fixing TLS lifts that bucket up to its cap; other categories still contribute.
We summarize handshake posture relevant to our methodology—including legacy TLS acceptance—not an exhaustive cipher laboratory report.
Different virtual hosts, certs, or redirect chains produce different negotiation—scan each hostname users rely on.
Public scans target typical visitor HTTPS without client certificates—specialized endpoints may not be reachable the same way.
Strong TLS caps that category but headers, hygiene, cookies, and mail DNS still influence the headline number.
More detail on limits and billing: FAQ.
TLS, HTTPS & redirects
Valid certificates, modern TLS, and clean HTTP→HTTPS upgrades. We also probe whether legacy TLS 1.0/1.1 are still accepted.
Security headers
CSP, HSTS, and related headers reduce common browser-side attack surfaces and clickjacking risk.
DNS & email (passive)
SPF, DMARC, a few DKIM selectors, MX, and whether common subdomains resolve publicly—without port scanning.
Hygiene signals
Verbose server banners and risky defaults can raise your attack surface and erode trust.
Not a vulnerability scan
Scorifya checks public configuration signals; it does not attempt exploitation, port scans, or authenticated crawling.
If you're iterating on headers or deploying changes, you'll likely run multiple checks as you tighten config. When you're ready, Scorifya Pro removes scan limits and unlocks JSON/CSV/PDF exports.