Security scanner
Most teams want a quick sanity check before investing in deeper audits—but assembling TLS graders, header testers, and DNS lookups separately burns time and yields conflicting narratives.
Paste any URL you are allowed to test publicly. Scorifya combines TLS and redirect behavior, security headers, exposure and hygiene cues, cookie attributes when visible, passive SPF/DMARC/MX context, and infrastructure hints into one explainable 0–100 score with prioritized fixes—not exploitation or authenticated crawling.
This page is written for people searching for website security scanner—same tool as the homepage, with context for that query.
How we differ from deep TLS graders, browser-focused posture tools, and header-only checkers: read the comparison.
Illustrative snapshots of what a report can look like—paste your URL above for a live score on your site.
Example A — HTTPS works, headers lag behind
Certificates validate and redirects mostly cooperate, yet browser-facing protections still leave meaningful points on the table.
Content-Security-Policy missing
Without a Content-Security-Policy, an injected script runs with no browser-enforced restrictions on what it may load or execute. Start with a report-only policy to catalogue the scripts, styles, and frames the site actually uses before enforcing anything.
Anti-framing protections absent
Neither a CSP frame-ancestors directive nor the legacy X-Frame-Options header was present, so any origin can frame the site. Evaluate the clickjacking exposure, especially if partners legitimately embed your UI and need an allow-list rather than a blanket deny.
DMARC unpublished
Mail might send with SPF alignment while receivers lack DMARC guidance—publish policy gradually toward enforcement.
Example B — disciplined public posture
TLS, redirects, and headers reinforce each other; findings shrink to hygiene polish or staged CSP tightening.
Server banner still verbose
A banner such as a product name plus exact version makes fingerprinting trivial, so a small deduction applies. Suppressing the version is usually a one-line change on the origin or CDN and is often done alongside a rule cleanup there.
DMARC monitoring-only
Policy exists but stays at “none”—advance once authenticated mail streams prove stable.
Close TLS downgrade paths
Ensure every HTTP endpoint permanently redirects (301 or 308) to its HTTPS counterpart, and retire TLS 1.0/1.1 once client traffic shows they are no longer needed.
Layer HSTS deliberately
Match max-age and includeSubDomains to real coverage. includeSubDomains applies to every hostname under the domain, so validate that each subdomain serves HTTPS before adding it; otherwise an HTTP-only host becomes unreachable for browsers that cached the policy. Start with a short max-age and raise it toward a year once the rollout is stable.
Introduce CSP iteratively
Deploy the policy as Content-Security-Policy-Report-Only first, remediate the noisy violations it reports, then switch to the enforcing header and progressively tighten the script-src and frame-ancestors directives.
Publish resilient mail DNS
SPF, DKIM, and staged DMARC protect both inbound trust and outbound brand reputation tied to your hostname.
Scan after each deployment wave
Platform migrations routinely regress headers—bookmark Scorifya as a smoke test alongside functional QA.
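The snapshot findings above (missing CSP, no anti-framing protection, DMARC at p=none, verbose server banner, weak HSTS) and the checklist steps are all passive checks on data you can read from a single response and a DNS TXT record. The following is an added example, not Scorifya's own code, that runs those checks offline against constructed header sets and DMARC records; the severity labels and point weights in it are illustrative assumptions, not the weights Scorifya uses.

```python
"""Passive posture checks over an HTTP response header set and a DMARC TXT
record. No network I/O: the inputs below are constructed samples."""
import re

ONE_YEAR = 31536000  # seconds; common target for HSTS max-age

# Constructed samples: a site before and after hardening.
WEAK_HEADERS = {
    "Server": "nginx/1.18.0 (Ubuntu)",
    "Strict-Transport-Security": "max-age=300",
    "Set-Cookie": "session=abc123; Path=/",
}
HARDENED_HEADERS = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Set-Cookie": "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
}
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRICT_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"

# Illustrative deductions per finding (assumption, not Scorifya's weights).
WEIGHTS = {"high": 20, "medium": 10, "low": 5}
COOKIE_FLAGS = {"secure": "Secure", "httponly": "HttpOnly", "samesite": "SameSite"}


def parse_csp(value):
    """Return {directive: [sources]} from a CSP header value ('' -> {})."""
    out = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def hsts_max_age(value):
    """Extract max-age from an HSTS header value, or None if absent."""
    m = re.search(r"max-age=(\d+)", value, re.I)
    return int(m.group(1)) if m else None


def evaluate_headers(headers):
    """Return a list of (severity, finding) tuples for one response."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    csp = parse_csp(h.get("content-security-policy", ""))
    if not csp:
        findings.append(("high", "Content-Security-Policy missing"))
    # Anti-framing: either CSP frame-ancestors or legacy X-Frame-Options.
    if "frame-ancestors" not in csp and "x-frame-options" not in h:
        findings.append(("medium", "Anti-framing protections absent"))
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("high", "HSTS missing"))
    else:
        age = hsts_max_age(hsts)
        if age is None or age < ONE_YEAR:
            findings.append(("low", f"HSTS max-age below one year ({age})"))
    # A digit in the Server banner almost always means a version string.
    server = h.get("server", "")
    if re.search(r"\d", server):
        findings.append(("low", f"Server banner reveals version: {server}"))
    cookie = h.get("set-cookie")
    if cookie is not None:
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        for key, label in COOKIE_FLAGS.items():
            if key not in attrs:
                findings.append(("medium", f"Cookie lacks {label} attribute"))
    return findings


def dmarc_stage(txt_record):
    """Classify a DMARC record: missing, monitoring, quarantine or enforcing."""
    if not txt_record or not txt_record.strip().lower().startswith("v=dmarc1"):
        return "missing"
    tags = {}
    for tag in txt_record.split(";"):
        k, _, v = tag.partition("=")
        if v:
            tags[k.strip().lower()] = v.strip().lower()
    policy = tags.get("p", "none")
    return {"none": "monitoring", "quarantine": "quarantine",
            "reject": "enforcing"}.get(policy, "monitoring")


def score(findings):
    """Illustrative 0-100 score: 100 minus the weighted deductions."""
    return max(0, 100 - sum(WEIGHTS[sev] for sev, _ in findings))


if __name__ == "__main__":
    for name, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        f = evaluate_headers(hdrs)
        print(f"{name}: score {score(f)}")
        for sev, msg in sorted(f, key=lambda x: WEIGHTS[x[0]], reverse=True):
            print(f"  [{sev}] {msg}")
    print("DMARC:", dmarc_stage(WEAK_DMARC), "/", dmarc_stage(STRICT_DMARC))
```

Feed `evaluate_headers` the headers of a real response (for example from `requests.head(url).headers`) and `dmarc_stage` the TXT record at `_dmarc.<domain>` to reproduce the same findings against a live host; the checks stay passive either way, since they only read what the server and DNS already publish.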
For weights and penalties behind each category, see How Scorifya works.
No. We never attempt exploits or brute-force authenticated areas. Results summarize passive TLS, headers, DNS/email hints, and hygiene.
Only if they resolve publicly without VPN or passwords. Private RFC1918 hosts stay unreachable from our scanners.
No. Scorifya evaluates configuration signals visible over HTTPS—not filesystem scans or antivirus-style detection.
CDNs cache headers and certificates independently from your app servers; DNS TTLs and third-party proxies also shift outcomes.
After DNS edits, TLS renewals, CDN rule pushes, or major releases—weekly cadence helps teams watching production churn.
More detail on limits and billing: FAQ.
TLS, HTTPS & redirects
Valid certificates, modern TLS, and clean HTTP→HTTPS upgrades. We also probe whether legacy TLS 1.0/1.1 are still accepted.
Security headers
CSP, HSTS, and related headers reduce common browser-side attack surfaces and clickjacking risk.
DNS & email (passive)
SPF, DMARC, a few DKIM selectors, MX, and whether common subdomains resolve publicly—without port scanning.
Hygiene signals
Verbose server banners and risky defaults make fingerprinting easier and widen your attack surface; they also signal to reviewers that hardening has not been done.
Not a vulnerability scan
Scorifya checks public configuration signals; it does not attempt exploitation, port scans, or authenticated crawling.
If you're iterating on headers or deploying changes, you'll likely run multiple checks as you tighten config. When you're ready, Scorifya Pro removes scan limits and unlocks JSON/CSV/PDF exports.