I scanned 20 famous SaaS landing pages for security. Here's the report card.
Stripe scored 98. GitLab scored 70. In between: GitHub, Figma, Notion, Linear, and 14 others. Here is what the public-facing hardening actually looks like across 20 dev-loved SaaS sites, and what almost every one of them is still missing.

The setup
20 SaaS landing pages that show up in every developer's bookmark bar. Each one got the same scan: a 0-100 security score across five categories using the same public methodology as the Scorifya scanner. No penetration testing, no auth bypass, no scraping behind login. Just the public-facing hardening signals anyone with a browser can see.
Categories: TLS and HTTPS configuration, security headers, exposure and hygiene, cookie practices, and DNS and email signals.
The leaderboard
**Top 5:** stripe.com 98 (Strong), github.com 89 (Good), resend.com 88 (Good), openai.com 86 (Good), figma.com 85 (Good).
**Bottom 5:** shopify.com 76 (Good), supabase.com 76 (Good), posthog.com 74 (Fair), railway.app 71 (Fair), gitlab.com 70 (Fair).
The spread is tighter than expected. 16 of 20 sites landed in the Good band (75-89). Only Stripe crossed into Strong territory. Three sites finished in Fair.

What almost everyone is missing
**DNSSEC: 19 of 20 sites don't have it.** DNSSEC protects the DNS lookups themselves from tampering. The upside is invisible unless you get attacked, which is why nobody runs it. Most DNS providers now offer it in one click.
**MTA-STS and TLS-RPT: 18 of 20 sites are missing both.** These two DNS records prevent passive downgrade attacks on your outbound email and give you a reporting channel when someone tries. If you send mail from your domain, both are worth adding.
**Permissions-Policy and Cross-Origin-Opener-Policy: 17 of 20 sites don't ship either.** These are modern browser security headers that opt your site out of legacy browser features and isolate it from cross-window attacks. One line each in a CDN response header rule.

The best in class: Stripe at 98
Stripe's only deductions across the entire scan: minus 1 for DNSSEC and minus 1 for Permissions-Policy. Perfect TLS, full security header suite, no exposed sensitive subdomains, all cookies set with Secure, HttpOnly, and SameSite. Their security headers category alone scored 32 out of 33.
This is what well-hardened looks like at scale. Not exotic, but consistent across every surface the scanner probes.
The surprising worst: GitLab at 70
GitLab's TLS is perfect at 32 out of 32. Their security headers category scored 9 out of 33. The single biggest miss: no Content-Security-Policy at all. That is a minus 10.
Add clickjacking protections unclear, X-Content-Type-Options missing, and Referrer-Policy missing. For a code-hosting platform that also sells security features, none of these are exotic. All four can be fixed in an afternoon in nginx or in a CDN response rule.
The high-leverage fixes
If you ship a SaaS landing page, these four are the best return on an afternoon:
**1. Add a Content-Security-Policy.** No `unsafe-inline`. Use nonces or hashes for scripts you can't remove. This blocks an entire class of XSS.
**2. Set Permissions-Policy, Cross-Origin-Opener-Policy, Referrer-Policy, and X-Content-Type-Options.** Three lines each in your CDN config. Together they close most of the easy browser-side attack surface.
**3. Submit your domain to hstspreload.org.** Free, takes five minutes, hardcodes HTTPS into every browser that has ever visited your site.
**4. Add MTA-STS and TLS-RPT DNS records.** Both prevent passive email downgrade attacks and cost nothing to add.
If you want to see which of these your own domain is missing, run it through the Scorifya scanner. It returns a 0-100 score plus the top actionable findings in about 10 seconds.
Try a scan on scorifya.com, read how we score, or see Pro for unlimited scans and exports.
Get a weekly digest
New KEV CVE notices and (later) score changes on the domains you watch. One email a week, easy unsubscribe. We don't share or sell your address.
By subscribing you confirm you can receive transactional security updates from Scorifya at this email.