Security score
A single headline score helps executives and builders agree on priority—but only when it reflects transparent categories you can improve without guessing how points disappeared.
Scorifya publishes one 0–100 score combining TLS & HTTPS, security headers, exposure & hygiene, cookie practices on the scanned response, and passive DNS/email signals—each documented with weights you can read on our methodology page.
This page is written for people searching for website security score—same tool as the homepage, with context for that query.
How we differ from deep TLS graders, browser-focused posture tools, and header-only checkers: read the comparison.
Illustrative snapshots of what a report can look like—paste your URL above for a live score on your site.
Example A — uneven strengths across categories
Solid TLS pulls the overall score up while headers remain the fastest lever for the next sprint.
Headers trail TLS maturity
HSTS exists but CSP remains absent—closing that gap lifts the Security headers bucket without touching certificates.
DNS/email nearly capped
SPF and DMARC cooperate—remaining deductions stem from alignment polish rather than missing records.
Example B — stakeholder-ready summary
Overall score lands in Fair until TLS downgrade paths close—ideal narrative for prioritizing infra tickets.
HTTP entrypoints inconsistent
Some hosts answered without permanent HTTPS redirects—deductions emphasize downgrade-friendly paths.
Legacy TLS negotiation accepted
Older protocols remain enabled—modern clients ignore them, but their presence keeps TLS points lower.
Verbose banners leak implementation hints
Hygiene deductions remind operators to strip noisy Server headers via CDN rules.
Read category caps before debating totals
Each bucket has its own maximum—fixing TLS alone cannot compensate for absent headers once TLS approaches its cap.
Tackle findings in severity order
Scorifya lists prioritized actions—closing downgrade-friendly redirects usually beats polishing informational banners.
Measure deltas after fixes
Rescan the same URL to prove migrations helped; exporting historical scores via Pro keeps audits tidy.
Share methodology links with reviewers
Stakeholders comparing Scorifya to single-purpose tools should read How Scorifya works for context on breadth vs depth.
Pair score work with operational testing
Great configuration still needs application security discipline—use the scorecard as one input among many.
For weights and penalties behind each category, see How Scorifya works.
Five weighted base categories — plus a conditional WordPress category when WordPress is detected — roll up into the total, with documented penalties per finding. Visit How Scorifya works for formulas and caps.
Yes. Buckets can balance differently—for example strong TLS might offset weaker headers until you improve both.
No. The score summarizes public hardening signals, not exploitability, business logic flaws, or insider risk.
Not necessarily. Scorifya evaluates the URL you paste; other paths may send different headers or cookies.
Free scans help ad hoc checks. Pro unlocks exports and higher watch limits when you need continuity for a program.
More detail on limits and billing: FAQ.
TLS, HTTPS & redirects
Valid certificates, modern TLS, and clean HTTP→HTTPS upgrades. We also probe whether legacy TLS 1.0/1.1 are still accepted.
Security headers
CSP, HSTS, and related headers reduce common browser-side attack surfaces and clickjacking risk.
DNS & email (passive)
SPF, DMARC, a few DKIM selectors, MX, and whether common subdomains resolve publicly—without port scanning.
Hygiene signals
Verbose server banners and risky defaults can raise your attack surface and erode trust.
Not a vulnerability scan
Scorifya checks public configuration signals; it does not attempt exploitation, port scans, or authenticated crawling.
If you're iterating on headers or deploying changes, you'll likely run multiple checks as you tighten config. When you're ready, Scorifya Pro removes scan limits and unlocks JSON/CSV/PDF exports.