Webflow sites
Publishing in Webflow is fast, but DNS cutovers, reverse proxies, and heavy script embeds quickly change what browsers actually fetch. Teams need an objective snapshot of TLS, headers, and mail DNS without handing over Designer credentials.
Paste your production hostname—custom domain or default subdomain once it is publicly live. Scorifya checks HTTPS behavior and redirects, headers on the fetched response, passive SPF/DMARC/MX signals, cookie attributes when present, and hygiene cues. Designer permissions and CMS roles stay out of scope.
This page is written for people searching for Webflow security check—same tool as the homepage, with context for that query.
How we differ from deep TLS graders, browser-focused posture tools, and header-only checkers: read the comparison.
Illustrative snapshots of what a report can look like—paste your URL above for a live score on your site.
Example A — marketing site after embed-heavy launch
Animations and third-party scripts load, but CSP and framing controls often trail feature velocity—costing header points.
Content-Security-Policy missing
Marketing stacks with many embeds postpone CSP—Scorifya flags the gap so you can stage report-only policies early.
Strict-Transport-Security absent
HTTPS may work while first-visit downgrade windows remain: until HSTS is served consistently on the apex and every subdomain you use, a browser's first plain-HTTP request to that host can still be intercepted before the redirect lands.
Mixed mail authentication
Brands often publish sites before SPF/DMARC catch up with newsletter tools—passive DNS highlights the mismatch.
Example B — tuned edge after iterative deploys
Redirects, TLS, and core headers match what production traffic should see; remaining work is tightening allowances or finishing mail DNS.
CSP still allows broad script hosts
A policy exists but allows entire CDN hosts, which permits any script served from those hosts, not just the files you embed. Narrow the allowances as you consolidate vendors.
Optional transport reporting for mail
When MX exists, MTA-STS and TLS reporting are additive—Scorifya notes their absence when relevant.
Publish with the same hostname users share
Scan the canonical marketing domain, not preview links. Redirect chains and certificates differ between staging and production hosts.
Coordinate proxy headers with hosting
If you front Webflow with another network, verify HSTS, CSP, and framing headers survive the combined stack.
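The check described above, as an added example that is not Scorifya's own code: fetch the same page from the origin and through the edge, then diff the security headers so anything the proxy dropped or rewrote shows up. The two header sets are constructed samples, and the one-year HSTS floor is this example's assumption.

```javascript
// Added example (not Scorifya's code): diff the security headers your origin
// sends against what the public edge actually delivers, and flag anything the
// proxy layer dropped, rewrote, or weakened. Both header sets below are
// constructed samples; the HSTS thresholds are this example's assumptions.

// Header names a reverse proxy must pass through or set itself. Lower-case,
// because HTTP header names are case-insensitive.
const REQUIRED_HEADERS = [
  'strict-transport-security',
  'content-security-policy',
  'x-frame-options',
  'x-content-type-options',
  'referrer-policy',
];
const ONE_YEAR_SECONDS = 31536000; // max-age floor assumed here (matches preload guidance)

function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = String(value).trim();
  return out;
}

// Parse an HSTS value into its directives; null if there is no usable max-age.
function parseHsts(value) {
  if (!value) return null;
  const parts = value.split(';').map((p) => p.trim().toLowerCase()).filter(Boolean);
  const maxAgePart = parts.find((p) => p.startsWith('max-age='));
  if (!maxAgePart) return null;
  const maxAge = Number.parseInt(maxAgePart.slice('max-age='.length), 10);
  if (!Number.isInteger(maxAge) || maxAge < 0) return null;
  return { maxAge, includeSubDomains: parts.includes('includesubdomains'), preload: parts.includes('preload') };
}

// Returns findings as { header, problem } objects; an empty list means the edge
// delivered every required header unchanged with an adequate HSTS policy.
function compareEdgeHeaders(originHeaders, edgeHeaders) {
  const origin = normalizeHeaders(originHeaders);
  const edge = normalizeHeaders(edgeHeaders);
  const findings = [];

  for (const name of REQUIRED_HEADERS) {
    if (!(name in edge)) {
      findings.push({ header: name, problem: name in origin ? 'dropped by edge' : 'missing at origin and edge' });
    } else if (name in origin && origin[name] !== edge[name]) {
      findings.push({ header: name, problem: `rewritten by edge (origin: ${origin[name]}; edge: ${edge[name]})` });
    }
  }

  // Presence is not enough for HSTS: a short max-age or a missing includeSubDomains
  // leaves first-visit downgrade windows on the subdomains you use.
  const hstsValue = edge['strict-transport-security'];
  const hsts = parseHsts(hstsValue);
  if (hstsValue && !hsts) {
    findings.push({ header: 'strict-transport-security', problem: 'unparseable value' });
  } else if (hsts) {
    if (hsts.maxAge < ONE_YEAR_SECONDS) findings.push({ header: 'strict-transport-security', problem: `max-age ${hsts.maxAge} is below one year` });
    if (!hsts.includeSubDomains) findings.push({ header: 'strict-transport-security', problem: 'includeSubDomains not set' });
  }
  return findings;
}

// Constructed samples: what the Webflow origin returns vs. what a proxy in front of it serves.
const ORIGIN_SAMPLE = {
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' https://cdn.example.com",
  'X-Frame-Options': 'SAMEORIGIN',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
};
const EDGE_SAMPLE = {
  'Strict-Transport-Security': 'max-age=300',
  'X-Frame-Options': 'SAMEORIGIN',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
};

console.log(compareEdgeHeaders(ORIGIN_SAMPLE, EDGE_SAMPLE));
```

In practice you would feed `compareEdgeHeaders` the headers from a request to the origin hostname and one to the public hostname; the sample shows the typical failure, a proxy that injects its own short HSTS and silently drops the CSP.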
Roll CSP with your embed inventory
Export a list of script and frame sources from production, mirror them in a Content-Security-Policy-Report-Only header, and only then tighten directive by directive once the reports show nothing legitimate is blocked.
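The inventory step above, and the "stage report-only policies early" advice from Example A, as an added example that is not Scorifya's own code: read the published HTML, collect every script and iframe source, and emit a starting report-only policy. The HTML is a constructed sample, not a real Webflow export, and the report endpoint path is an assumption.

```javascript
// Added example (not Scorifya's code): inventory the script and frame sources
// in a published page's HTML and emit a starting report-only CSP from them.
// The HTML below is a constructed sample, not a real Webflow export.

// Collect src attributes for one tag name. A regex over the static HTML is
// enough for a first inventory; scripts that inject further tags at runtime
// will show up later as CSP violation reports.
function extractSources(html, tag) {
  const re = new RegExp(`<${tag}\\b[^>]*\\ssrc\\s*=\\s*["']([^"']+)["']`, 'gi');
  const sources = [];
  let match;
  while ((match = re.exec(html)) !== null) sources.push(match[1]);
  return sources;
}

// Inline <script> blocks (no src) need nonces or hashes; listing 'unsafe-inline'
// instead would leave the policy unable to stop injected scripts.
function countInlineScripts(html) {
  const re = /<script\b([^>]*)>/gi;
  let count = 0;
  let match;
  while ((match = re.exec(html)) !== null) {
    if (!/\ssrc\s*=/i.test(match[1])) count += 1;
  }
  return count;
}

// Map URLs to CSP source expressions: 'self' for same-origin (relative and
// protocol-relative URLs are resolved against the site), otherwise scheme and
// host. Opaque origins such as data: URLs are kept as their scheme so they
// stand out for review.
function toSourceExpressions(urls, siteOrigin) {
  const site = new URL(siteOrigin).origin;
  const expressions = new Set();
  for (const raw of urls) {
    const url = new URL(raw, site);
    if (url.origin === 'null') expressions.add(url.protocol);
    else expressions.add(url.origin === site ? "'self'" : url.origin);
  }
  return [...expressions].sort();
}

// reportPath is an assumed endpoint; point it at whatever collects your CSP reports.
function buildReportOnlyPolicy(html, siteOrigin, reportPath) {
  const scriptSrc = toSourceExpressions(extractSources(html, 'script'), siteOrigin);
  const frameSrc = toSourceExpressions(extractSources(html, 'iframe'), siteOrigin);
  const directives = [
    "default-src 'self'",
    `script-src ${scriptSrc.length ? scriptSrc.join(' ') : "'none'"}`,
    `frame-src ${frameSrc.length ? frameSrc.join(' ') : "'none'"}`,
    `report-uri ${reportPath}`,
  ];
  return {
    header: 'Content-Security-Policy-Report-Only',
    value: directives.join('; '),
    inlineScripts: countInlineScripts(html),
  };
}

// Constructed sample page: a site script, an analytics tag loaded two ways,
// one inline snippet, and two third-party embeds.
const SAMPLE_HTML = `<!doctype html><html><head>
<script src="/js/webflow.js"></script>
<script src="https://cdn.example-analytics.com/tag.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body>
<iframe src="https://player.example-video.com/embed/123"></iframe>
<iframe src='https://www.example-maps.com/embed?pb=1'></iframe>
<script src="//cdn.example-analytics.com/extra.js"></script>
</body></html>`;

const samplePolicy = buildReportOnlyPolicy(SAMPLE_HTML, 'https://www.example.com', '/csp-reports');
console.log(`${samplePolicy.header}: ${samplePolicy.value}`);
console.log(`inline scripts needing a nonce or hash: ${samplePolicy.inlineScripts}`);
```

Serve the resulting header in report-only mode first, watch the reports for sources the static inventory missed, then swap the header name to `Content-Security-Policy` and start narrowing the host allowances.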
Finish mail DNS alongside brand launches
SPF, DKIM alignment, and DMARC protect the same domain visitors trust. Advance DMARC from p=none to quarantine and then reject as each legitimate sender authenticates.
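What the passive DNS/email checks look at, as an added example that is not Scorifya's own code: parse a domain's SPF and DMARC TXT records and turn them into findings of the kind Example A's "mixed mail authentication" card describes. The two records are constructed samples for a brand sending through a newsletter tool; the 10-lookup limit is RFC 7208's.

```javascript
// Added example (not Scorifya's code): parse the SPF and DMARC TXT records a
// domain publishes and turn them into passive findings. The two records at the
// bottom are constructed samples.

// Mechanisms and modifiers that each cost one DNS lookup; RFC 7208 caps a
// record at 10 of them in total, after which receivers return permerror.
const SPF_LOOKUP_TERMS = ['include', 'a', 'mx', 'ptr', 'exists', 'redirect'];

function parseSpf(record) {
  const terms = record.trim().split(/\s+/);
  if (terms[0].toLowerCase() !== 'v=spf1') return { valid: false, reason: 'not an SPF record' };
  let allQualifier = null;
  let lookups = 0;
  for (const term of terms.slice(1)) {
    let qualifier = '+';
    let body = term;
    if ('+-~?'.includes(term[0])) { qualifier = term[0]; body = term.slice(1); }
    // Strip any :domain, =value or /prefix suffix to get the bare mechanism name.
    const name = body.split(/[:=\/]/)[0].toLowerCase();
    if (name === 'all') allQualifier = qualifier;
    else if (SPF_LOOKUP_TERMS.includes(name)) lookups += 1;
  }
  return { valid: true, allQualifier, lookups };
}

function parseDmarc(record) {
  const tags = {};
  for (const part of record.split(';')) {
    const eq = part.indexOf('=');
    if (eq === -1) continue;
    tags[part.slice(0, eq).trim().toLowerCase()] = part.slice(eq + 1).trim();
  }
  if ((tags.v || '').toUpperCase() !== 'DMARC1') return { valid: false, reason: 'not a DMARC record' };
  const policy = (tags.p || '').toLowerCase();
  if (!['none', 'quarantine', 'reject'].includes(policy)) return { valid: false, reason: 'missing or invalid p= tag' };
  return {
    valid: true,
    policy,
    subdomainPolicy: (tags.sp || policy).toLowerCase(),
    pct: tags.pct === undefined ? 100 : Number.parseInt(tags.pct, 10),
    // Alignment modes default to relaxed ('r'); 's' requires an exact domain match.
    dkimAlignment: (tags.adkim || 'r').toLowerCase(),
    spfAlignment: (tags.aspf || 'r').toLowerCase(),
    hasAggregateReporting: typeof tags.rua === 'string' && tags.rua.length > 0,
  };
}

// Combine both records into findings, SPF first, then DMARC.
function assessMailAuth(spfRecord, dmarcRecord) {
  const findings = [];
  const spf = spfRecord ? parseSpf(spfRecord) : { valid: false, reason: 'no SPF record' };
  const dmarc = dmarcRecord ? parseDmarc(dmarcRecord) : { valid: false, reason: 'no DMARC record' };

  if (!spf.valid) findings.push(`SPF: ${spf.reason}`);
  else {
    if (spf.allQualifier === null) findings.push('SPF: no all mechanism, so unmatched senders evaluate to neutral');
    else if (spf.allQualifier === '+') findings.push('SPF: +all authorizes every sender');
    else if (spf.allQualifier === '?') findings.push('SPF: ?all is neutral and gives receivers nothing to enforce');
    else if (spf.allQualifier === '~') findings.push('SPF: ~all soft-fails; move to -all once every legitimate sender is listed');
    if (spf.lookups > 10) findings.push(`SPF: ${spf.lookups} lookup terms exceed the limit of 10, receivers return permerror`);
  }

  if (!dmarc.valid) findings.push(`DMARC: ${dmarc.reason}`);
  else {
    if (dmarc.policy === 'none') findings.push('DMARC: p=none only monitors; advance to quarantine, then reject');
    if (dmarc.pct < 100) findings.push(`DMARC: pct=${dmarc.pct} applies the policy to only part of the mail stream`);
    if (!dmarc.hasAggregateReporting) findings.push('DMARC: no rua= address, so no aggregate reports show who is sending');
  }
  return findings;
}

// Constructed sample records for a brand that publishes through a newsletter tool.
const SAMPLE_SPF = 'v=spf1 include:_spf.example-newsletter.com include:_spf.example-mail.com ~all';
const SAMPLE_DMARC = 'v=DMARC1; p=none; rua=mailto:dmarc@example.com';

console.log(assessMailAuth(SAMPLE_SPF, SAMPLE_DMARC));
```

The sample yields the usual post-launch state: SPF lists the newsletter tool but still soft-fails, and DMARC is published only in monitoring mode. DKIM itself is not checked here because selectors are only discoverable by guessing, which is why the page speaks of "a few DKIM selectors".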
Automate rescans around client handoffs
Agencies often tweak DNS at project end—bookmark this check to prove the edge configuration before you sign off.
For weights and penalties behind each category, see How Scorifya works.
No. Only the public URL is requested. Anything behind authentication remains invisible to passive checks.
Whichever hostname your audience loads in production. TLS and DNS records differ, so scan both if you operate both publicly.
No. Collaboration and permission models are out of scope; we focus on browser-visible TLS, headers, passive DNS/email, and hygiene.
Scorifya requests the exact URL you paste. Other paths or subdomains may send different headers until you normalize them upstream.
You need a resolvable hostname with working HTTPS from the public internet—local-only hosts cannot be fetched.
More detail on limits and billing: FAQ.
TLS, HTTPS & redirects
Valid certificates, modern TLS, and clean HTTP→HTTPS upgrades. We also probe whether legacy TLS 1.0/1.1 are still accepted.
Security headers
CSP, HSTS, and related headers reduce common browser-side attack surfaces and clickjacking risk.
DNS & email (passive)
SPF, DMARC, a few DKIM selectors, MX, and whether common subdomains resolve publicly—without port scanning.
Hygiene signals
Verbose server banners and risky defaults can raise your attack surface and erode trust.
Not a vulnerability scan
Scorifya checks public configuration signals; it does not attempt exploitation, port scans, or authenticated crawling.
If you're iterating on headers or deploying changes, you'll likely run multiple checks as you tighten config. When you're ready, Scorifya Pro removes scan limits and unlocks JSON/CSV/PDF exports.