Drupal sites
Drupal is self-hosted, so the security headers, TLS settings, and server configuration are yours to get right, not the platform's. Two things slip most often: the response-header baseline (HSTS, CSP, X-Frame-Options) that a fresh install does not ship, and patch cadence on Drupal core and contributed modules, where security advisories land regularly. A site can be fully built and still score poorly on what browsers actually enforce.
Paste your production hostname and Scorifya checks HTTPS and TLS, security headers, passive SPF, DMARC and MX signals, cookie attributes, and exposure cues. It only reads the public URL, so no admin login is needed. Results in under 30 seconds.
This page is written for people searching for Drupal security check—same tool as the homepage, with context for that query.
How we differ from deep TLS graders, browser-focused posture tools, and header-only checkers: read the comparison.
Illustrative snapshots of what a report can look like—paste your URL above for a live score on your site.
Example A: established site, headers never tightened
TLS is healthy and the site is patched, but the response-header baseline was never added, so the headers category drags the score down.
Strict-Transport-Security absent
HTTPS works, but without HSTS a first-visit downgrade window stays open. The header is set in your web server or reverse proxy, not in Drupal itself.
Content-Security-Policy missing
Drupal themes and modules load scripts from several origins, so a CSP needs an inventory first. Scorifya flags the gap so you can stage a report-only policy.
Server banner reveals version detail
A verbose Server or X-Generator header hands an attacker a version to target. Trim it at the web-server layer.
Example B: hardened server, mail DNS unfinished
Headers and TLS match what production should serve. The remaining points are in email authentication on the sending domain.
DMARC policy at p=none
A DMARC record exists but only monitors. Move to quarantine once your legitimate senders pass alignment.
CSP allows broad script hosts
A policy is in place but whitelists large CDNs. Tighten it as you consolidate the modules and libraries the theme loads.
Keep Drupal core and contributed modules patched
The single most important Drupal security task is applying security advisories promptly. Subscribe to the Drupal security advisories, watch the available-updates report in your admin, and treat core and module updates as routine, not optional. Most real-world Drupal incidents trace back to a known, already-patched flaw.
Add the security-header baseline at the server or proxy
A default Drupal install does not send HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, or Permissions-Policy. Set them once in your web server (Apache or nginx) or a reverse proxy in front of the site so every response carries them.
Write a CSP after inventorying your modules and theme
List every origin your pages load scripts, styles, and fonts from (your theme assets, any analytics, embeds, and CDN libraries), then start with a report-only Content-Security-Policy and promote it to enforcing once the violation reports go quiet.
Lock down the admin and reduce what is public
Restrict access to the admin and user-login paths where you can, remove install and update scripts after use, and avoid exposing CHANGELOG or version files. Scorifya flags banner and exposure cues a passive visitor can see.
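The header baseline, the CSP inventory and the banner check described in the three items above can be audited from a single captured response. The following Python is an added example, not Scorifya's own code: it takes one response's headers as a dict, reports which baseline headers are absent, whether a CSP is still report-only or lets script-src load from wildcard or scheme-wide sources, and whether Server or X-Generator leak version detail. The sample header sets are constructed, and the broad-source list is the example's own choice.

```python
import re

# Baseline headers a default Drupal install does not send (the list above).
BASELINE = ("Strict-Transport-Security", "Content-Security-Policy", "X-Frame-Options",
            "X-Content-Type-Options", "Referrer-Policy", "Permissions-Policy")
BANNER_HEADERS = ("Server", "X-Generator")
BROAD_SOURCES = {"*", "http:", "https:", "data:"}  # script-src values that are too broad

def audit_headers(headers):
    """Return a list of findings for one HTTP response's headers."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    for name in BASELINE:
        if name.lower() in h:
            continue
        if name == "Content-Security-Policy" and "content-security-policy-report-only" in h:
            findings.append("CSP is report-only (staged, not yet enforcing)")
        else:
            findings.append(f"missing {name}")
    # Flag a script-src that admits wildcard or scheme-wide hosts.
    for directive in h.get("content-security-policy", "").split(";"):
        parts = directive.split()
        if parts and parts[0] == "script-src":
            broad = sorted(BROAD_SOURCES.intersection(parts[1:]))
            if broad:
                findings.append(f"script-src allows broad sources: {' '.join(broad)}")
    # Any digit in Server or X-Generator is version detail to trim at the web server.
    for name in BANNER_HEADERS:
        value = h.get(name.lower(), "")
        if re.search(r"\d", value):
            findings.append(f"{name} reveals version detail: {value!r}")
    return findings

# Constructed samples, not captured from a real site.
UNHARDENED = {
    "Server": "nginx/1.24.0",
    "X-Generator": "Drupal 10 (https://www.drupal.org)",
    "Content-Type": "text/html; charset=UTF-8",
}
HARDENED = {
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.net",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=()",
}
```

Run `audit_headers(UNHARDENED)` against `audit_headers(HARDENED)` to see the Example A findings disappear once the server or proxy sets the baseline.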
Publish SPF and DMARC if the domain sends email
If your Drupal site sends transactional or newsletter email, publish SPF and DMARC on the sending domain before launch. A missing DMARC record lets anyone spoof your domain, and Scorifya reads those records passively from DNS.
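The SPF and DMARC reading described above, as an added example that is not Scorifya's code: it parses the two TXT records for a sending domain and reports a missing SPF record, a missing DMARC record, and the monitor-only p=none state from Example B. It goes slightly beyond the text by also flagging an SPF that ends in +all and a DMARC pct below 100, both of which weaken what the record enforces. The record strings are constructed; a real check would fetch them from DNS.

```python
def parse_dmarc(record):
    """Parse a DMARC TXT record ('v=DMARC1; p=none; ...') into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_email_auth(spf_record, dmarc_record):
    """Return findings for a domain that sends email; an empty list means no gaps."""
    findings = []
    if not spf_record or not spf_record.lower().startswith("v=spf1"):
        findings.append("no SPF record")
    elif spf_record.strip().endswith("+all"):
        findings.append("SPF ends in +all, which authorises any sender")
    if not dmarc_record:
        findings.append("no DMARC record: the domain can be spoofed")
        return findings
    tags = parse_dmarc(dmarc_record)
    if tags.get("v") != "DMARC1":
        findings.append("DMARC record is malformed (no v=DMARC1)")
        return findings
    policy = tags.get("p")
    if policy is None:
        findings.append("DMARC record has no p= policy tag")
    elif policy == "none":
        findings.append("DMARC p=none only monitors; move to quarantine once senders align")
    # pct below 100 applies the policy to only part of the mail stream.
    if tags.get("pct", "100") != "100":
        findings.append(f"DMARC pct={tags['pct']} applies the policy to a fraction of mail")
    return findings

# Constructed records (not real DNS data) matching the 'Example B' state above.
SPF_EXAMPLE = "v=spf1 include:_spf.mailer.example -all"
DMARC_MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
DMARC_ENFORCING = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com"
```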
For weights and penalties behind each category, see How Scorifya works.
Background explainers for what this tool checks.
Drupal has a strong security team and a mature advisory process, and core is considered robust when kept current. Because it is self-hosted, though, the security of any given Drupal site depends on how it is configured and patched: the response headers, TLS, server hardening, and the update cadence on core and contributed modules are the site owner's responsibility, not the platform's. A well-maintained Drupal site can score very highly.
The recurring findings are: out-of-date core or contributed modules with known advisories, a missing security-header baseline (no HSTS or CSP), verbose Server and X-Generator banners that reveal version detail, exposed install or CHANGELOG files, and incomplete SPF or DMARC when the domain sends email. Most are configuration and maintenance gaps rather than platform vulnerabilities.
No. A standard Drupal install serves HTTPS if you have configured TLS, but it does not send Strict-Transport-Security or the other browser security headers by default. You add them in the web server (Apache or nginx) or a reverse proxy. Some hosting stacks and the Security Kit (seckit) module can help, but the headers still have to be turned on deliberately.
Paste your public URL above. Scorifya passively checks TLS, security headers, passive email DNS (SPF, DMARC, MX), cookie attributes, and exposure cues, then returns a 0 to 100 score with the specific fixes. It does not log into Drupal or test for application-level exploits; it reports what a browser and public DNS reveal, which is where most quick wins are.
No. Only the public URL is requested. Anything behind the login stays invisible to these passive checks, so it is safe to run on a production site.
More detail on limits and billing: FAQ.
TLS, HTTPS & redirects
Valid certificates, modern TLS, and clean HTTP→HTTPS upgrades. We also probe whether legacy TLS 1.0/1.1 are still accepted.
Security headers
CSP, HSTS, and related headers reduce common browser-side attack surfaces and clickjacking risk.
DNS & email (passive)
SPF, DMARC, a few DKIM selectors, MX, and whether common subdomains resolve publicly—without port scanning.
Hygiene signals
Verbose server banners and risky defaults can raise your attack surface and erode trust.
Not a vulnerability scan
Scorifya checks public configuration signals; it does not attempt exploitation, port scans, or authenticated crawling.
If you're iterating on config or deploying changes, you'll likely run multiple checks as you tighten things up. When you're ready, Scorifya Pro removes scan limits and unlocks JSON/CSV/PDF exports.