Free website security check
Enter your site for a free 0–100 security score across TLS, headers, DNS, and cookies, with a prioritized fix list. No signup, no card, no install.
Most sites aren’t as secure as they look — across 235 sites we’ve scanned, the average score is 76/100, and only 45% reach 80+. See where yours lands.
Trusted to score real sites
Scores sites like Stripe · GitHub · Shopify · Google · GitLab · Etsy · Cloudflare · Notion, and thousands more.
A 30-second look at what a Scorifya scan checks and the score it gives any website.
In plain terms: is your site served securely, can attackers impersonate your email, and is anything exposed that shouldn’t be? We grade six areas and roll them into one 0–100 score. The technical detail is below if you want it.
Certificate validity and expiry horizon, weak public-key sizes, cipher quality, TLS 1.0/1.1 acceptance, and HTTP→HTTPS redirect coverage.
HSTS (plus live preload-list verification), fine-grained CSP grading (unsafe-inline, unsafe-eval, wildcards, object-src, report-only), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP, CORP, and third-party script SRI coverage.
security.txt (RFC 9116), robots.txt analysis, verbose server banners, directory listings, sensitive path probes, origin-IP exposure behind CDN/WAF, and a passive tech-stack fingerprint.
Secure / HttpOnly / SameSite on session-like cookies when visible in response headers.
Already know what you want to test? Each of these runs the same engine as the full scorer, narrowed to one category.
See all standalone tools: /tools (also includes SPF, DKIM, and a combined email-auth checker).
Standalone checkers, deploy-ready hardening recipes, and the live KEV vulnerability feed.
How we differ from deep TLS graders, browser-focused posture tools, and header-only checkers: read the comparison.
Jump straight to the most common security questions people Google, with the same scan tool embedded.
New scans, quick security tips, and a weekly leaderboard of real sites. Pick your platform.
SPF, DMARC (with parent-domain heuristic), common DKIM selectors, MX, CAA, MTA-STS, TLS-RPT, BIMI, DNSSEC validation, Certificate Transparency log discovery, and subdomain-takeover detection — no port scan.
Installer and setup-config endpoint exposure, REST user enumeration (/wp-json/wp/v2/users), XML-RPC, and readme.html version disclosure.
Full methodology: How Scorifya works — published category weights, per-finding penalties, and the boundaries of a public scan.