Your website’s security score in seconds.

What we check

Five weighted base categories — plus a WordPress pack that activates only when we detect WordPress — scored independently and rolled up into the single 0–100 number.

• 1TLS & HTTPS

  Certificate validity and expiry horizon, weak public-key sizes, cipher quality, TLS 1.0/1.1 acceptance, and HTTP→HTTPS redirect coverage.

• 2Security headers

  HSTS (plus live preload-list verification), fine-grained CSP grading (unsafe-inline, unsafe-eval, wildcards, object-src, report-only), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP, CORP, and third-party script SRI coverage.

• 3Exposure & hygiene

  security.txt (RFC 9116), robots.txt analysis, verbose server banners, directory listings, sensitive path probes, origin-IP exposure behind CDN/WAF, and a passive tech-stack fingerprint.

• 4Cookies

  Secure / HttpOnly / SameSite on session-like cookies when visible in response headers.

• 5DNS & email

  SPF, DMARC (with parent-domain heuristic), common DKIM selectors, MX, CAA, MTA-STS, TLS-RPT, BIMI, DNSSEC validation, Certificate Transparency log discovery, and subdomain-takeover detection — no port scan.

• 6WordPressActivates only when we detect WordPress

  Installer and setup-config endpoint exposure, REST user enumeration (/wp-json/wp/v2/users), XML-RPC, and readme.html version disclosure.

Full methodology: How Scorifya works — published category weights, per-finding penalties, and the boundaries of a public scan.

Focused checks

Already know what you want to test? Each of these runs the same engine as the full scorer, narrowed to one category.

• TLS checker→Protocols, ciphers, cert, redirect chain
• Security headers→HSTS, CSP, frame, MIME, referrer, permissions
• DMARC checker→Policy, alignment, rollout posture
• Cookie inspector→Secure, HttpOnly, SameSite on session cookies

See all standalone tools: /tools (also includes SPF, DKIM, and a combined email-auth checker).

Tools, guides & reference

Standalone checkers, deploy-ready hardening recipes, and the live KEV vulnerability feed.

• Free standalone tools→TLS, headers, cookies, DMARC, SPF, DKIM
• Developer API→Run scans from curl, JS, Python — free 10/day
• Stack guides→Deploy-ready recipes by platform
• Latest CVE notices→Curated vuln signals separate from scoring
• Topic explainers→What CSP, HSTS, CORS, DMARC, and TLS each do
• Compliance mapping→PCI DSS, HIPAA, SOC 2, ISO 27001
• Industry benchmarks

Popular checks

Jump straight to the most common security questions people Google, with the same scan tool embedded.

• Website security scanner→
• Check website security headers→
• HTTP security headers checker→
• Is my website secure?→
• Website security score→