Loading…
Loading…
Cookies and privacy
We use strictly necessary cookies to run the site. With your permission we also load Vercel Web Analytics and Speed Insights to measure traffic and performance in aggregate. See our Cookie Policy and Privacy Policy.
Paste any URL you're authorized to test. Scorifya negotiates TLS, samples cipher suites, validates the certificate chain, and walks the redirect chain to confirm the final hop is HTTPS.
Free tool
A modern TLS posture means TLS 1.2+ only, AEAD cipher suites, a valid certificate chain, and clean HTTP-to-HTTPS redirects. Each of those four moves independently — disabling TLS 1.0 doesn't fix a wildcard cert mismatch — so you need a tool that surfaces all of them in one pass.
Paste any URL you're allowed to test. Scorifya negotiates TLS, lists the protocols your server accepted, samples the cipher suites, validates the certificate chain and expiry window, and walks the HTTP redirect chain to confirm the final hop is HTTPS. The TLS category sits inside the broader 0–100 hardening score so you see the full picture.
This page is written for people searching for TLS checker—same tool as the homepage, with context for that query.
How we differ from deep TLS graders, browser-focused posture tools, and header-only checkers: read the comparison.
Illustrative snapshots of what a report can look like—paste your URL above for a live score on your site.
Example A — site offers legacy TLS versions
TLS 1.2 and 1.3 are accepted, but TLS 1.0/1.1 are still offered. PCI 4.2.1 and HIPAA guidance both require disabling them.
TLS 1.0 / TLS 1.1 still offered
Disable at your TLS terminator (CDN, load balancer, web server). RFC 8996 deprecated both; modern clients do not need them.
Weak cipher suite accepted
Older CBC or SHA-1-based suites still negotiate. Tighten to AEAD only (AES-GCM, ChaCha20-Poly1305).
Certificate expires in 18 days
Renew now and verify both staging and production picked up the new cert. Automate ACME if you haven't.
Example B — modern TLS posture
TLS 1.2 + 1.3, AEAD ciphers only, valid cert with a long lifetime, clean redirect chain. The remaining gap is preload eligibility.
HSTS missing preload directive
If every subdomain is HTTPS-ready, consider submitting to hstspreload.org. See /learn/http-strict-transport-security.
Disable TLS 1.0 and 1.1
One-line config change at your TLS terminator. RFC 8996 deprecated both; major browsers stopped supporting them in 2020.
Restrict to AEAD cipher suites
Use a 'modern' or 'restricted' cipher profile (Mozilla's SSL Configuration Generator outputs ready-to-use configs).
Automate certificate renewal
ACME / Let's Encrypt or your CDN's managed certs eliminate the human bottleneck behind most expiry outages.
Force HTTPS on every redirect hop
Ensure no HTTP hop appears anywhere in the redirect chain. Search configs for http:// and replace with https://.
Plan TLS 1.3 if you haven't already
TLS 1.3 is the default in modern CDNs. If you self-terminate, confirm 1.3 is enabled — it's faster and has a smaller attack surface.
For weights and penalties behind each category, see How Scorifya works.
All published versions: TLS 1.0, 1.1, 1.2, and 1.3. The scan reports which versions your server accepts and flags the deprecated ones.
Yes. Scorifya samples whether your server accepts known-weak suites (CBC, RC4, SHA-1) and reports any that negotiate successfully.
No — SSL Labs goes deeper on cipher analysis and certificate transparency. Scorifya gives you the TLS posture as one category alongside the rest of your public hardening.
Yes — Scorifya flags certs expiring within 30 days and within 7 days. Pro adds the watchlist + scheduled re-scans, so you can monitor a portfolio of domains and get email alerts.
No. Scorifya tests server-side TLS only. Mutual TLS authentication is out of scope for any external scanner.
More detail on limits and billing: FAQ.
TLS, HTTPS & redirects
Valid certificates, modern TLS, and clean HTTP→HTTPS upgrades. We also probe whether legacy TLS 1.0/1.1 are still accepted.
Security headers
CSP, HSTS, and related headers reduce common browser-side attack surfaces and clickjacking risk.
DNS & email (passive)
SPF, DMARC, a few DKIM selectors, MX, and whether common subdomains resolve publicly—without port scanning.
Hygiene signals
Verbose server banners and risky defaults can raise your attack surface and erode trust.
Not a vulnerability scan
Scorifya checks public configuration signals; it does not attempt exploitation, port scans, or authenticated crawling.
If you're iterating on headers or deploying changes, you'll likely run multiple checks as you tighten config. When you're ready, Scorifya Pro removes scan limits and unlocks JSON/CSV/PDF exports.