Duda sites
Duda handles platform patches and HTTPS certificates across its hosting infrastructure, but browser security headers like HSTS, CSP, and X-Frame-Options are not set by default, and Duda's editor offers no native controls for them. For agencies running dozens of client sites, those gaps can silently accumulate across the portfolio whenever domains are connected, widgets are installed, or email DNS is not configured per client.
Paste any Duda-hosted client site URL. Scorifya checks HTTPS posture and redirects, security headers (HSTS, CSP, X-Frame-Options, and more), passive SPF/DMARC/MX signals per client domain, and cookie hints when responses carry Set-Cookie. It does not log into Duda's editor or read your client list. Results in under 30 seconds.
This page is written for people searching for a Duda security check. It is the same tool as the homepage, with context for that query.
How we differ from deep TLS graders, browser-focused posture tools, and header-only checkers: read the comparison.
Illustrative snapshots of what a report can look like. Paste your URL above for a live score on your site.
Example A, typical SMB client site post-launch
TLS and platform-managed headers look fine; the gaps are a missing CSP and incomplete email DNS for the client's domain.
Content-Security-Policy not set
Widgets and embeds added through the editor inject scripts; without CSP, browsers rely on defaults.
DMARC missing
Even local SMBs benefit from publishing SPF + a starter DMARC. It stops their domain from being used in phishing attempts.
Permissions-Policy missing
A short header denying unused features (camera, microphone, geolocation) is low-risk and improves the score.
Example B, agency-managed client behind Cloudflare
Headers and DNS both look mature. Remaining items are typically banner hygiene and small CSP refinements.
DMARC policy not at enforcement
Reports are flowing for the client's sender. Once aggregate reports stabilize, move policy to p=quarantine then p=reject.
Verbose Server banner
Fingerprinting hints rarely flip the score alone but tend to surface during hygiene passes.
Front client domains with Cloudflare for managed headers
Putting client domains on Cloudflare gives the agency one place to set HSTS, CSP, and Permissions-Policy across the entire portfolio, no per-site nginx config required. A single Cloudflare Transform Rule can apply headers to every client domain sharing the same security baseline.
Make SPF + DMARC part of every launch checklist
Even for clients who don't think they send mail, publishing SPF + a starter DMARC blocks domain impersonation. Add it to your DNS-handover template so it ships with every site, not just the ones clients request.
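To turn the SPF + DMARC checklist item into something testable, here is an added example (not Scorifya's or Duda's code) that classifies a client domain's records the way the report wording above does; the record values are constructed samples, and a real check would look up the TXT records at the domain and at `_dmarc.<domain>`.

```python
# Added example, not Scorifya's code: classify a client domain's SPF and DMARC
# records as a launch-checklist step would. Records are constructed samples; a
# real check would look up TXT at <domain> and _dmarc.<domain>.
def parse_dmarc(txt):
    """Return DMARC tag=value pairs, or {} if the record is not a DMARC record."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else {}

def spf_status(txt_records):
    """'missing', 'present', or 'multiple' (more than one SPF record is invalid)."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return "missing"
    return "present" if len(spf) == 1 else "multiple"

def dmarc_status(dmarc_records):
    """'missing', 'multiple', 'invalid', 'monitor' (p=none), 'quarantine' or 'reject'."""
    parsed = [p for p in map(parse_dmarc, dmarc_records) if p]
    if not parsed:
        return "missing"
    if len(parsed) > 1:
        return "multiple"  # receivers treat several DMARC records as none published
    policy = parsed[0].get("p", "").lower()
    if policy == "none":
        return "monitor"
    return policy if policy in ("quarantine", "reject") else "invalid"

def email_findings(domain_txt, dmarc_txt):
    """Findings in the wording the report snapshots use."""
    findings = []
    spf = spf_status(domain_txt)
    if spf != "present":
        findings.append(f"SPF {spf}")
    dmarc = dmarc_status(dmarc_txt)
    if dmarc == "monitor":
        findings.append("DMARC policy not at enforcement (p=none)")
    elif dmarc not in ("quarantine", "reject"):
        findings.append(f"DMARC {dmarc}")
    return findings

# Constructed samples: client A has nothing published, client B has SPF and a
# starter DMARC that has not yet been moved to enforcement.
CLIENT_A = {"txt": ["site-verification=abc123"], "dmarc": []}
CLIENT_B = {"txt": ["v=spf1 include:_spf.mailprovider.test -all"],
            "dmarc": ["v=DMARC1; p=none; rua=mailto:dmarc@client-b.test"]}
```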
Standardize HTTPS redirect chains across the portfolio
Make sure each client's apex and www redirect cleanly to one canonical HTTPS URL. Build a redirect-verification step into your launch runbook. A consistent chain across the portfolio is easier to maintain than per-client exceptions.
Audit client widget choices before publish
Live chat, scheduling, and form widgets inject scripts. If you ship a CSP at the CDN layer, plan the allowlist around the widgets actually in use for that client. A shared template won't cover client-specific embeds.
Re-scan across the portfolio quarterly
Each client edit, plugin install, or DNS change can move the score. A quarterly portfolio scan catches drift before clients ask about it.
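The header baseline, redirect-chain verification and quarterly re-scan items above can be combined into one offline audit; this is an added example (not Scorifya's or Duda's code) that turns observed redirect hops and final response headers into findings in the wording of the snapshots, with all hops, header values and client domains constructed for the example.

```python
# Added example, not Scorifya's code: turn observed redirect chains and final
# response headers into findings. All data is constructed; a real scan would
# gather the hops with an HTTP client that does not auto-follow redirects.
REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS missing",
    "content-security-policy": "Content-Security-Policy not set",
    "x-frame-options": "X-Frame-Options missing",
    "permissions-policy": "Permissions-Policy missing",
}

def header_findings(headers):
    h = {k.lower(): v for k, v in headers.items()}
    out = [msg for name, msg in REQUIRED_HEADERS.items() if name not in h]
    server = h.get("server", "")
    if any(c.isdigit() for c in server):  # version string = fingerprinting hint
        out.append(f"Verbose Server banner: {server}")
    return out

def redirect_findings(hops, canonical, max_hops=2):
    """hops: [(url, status, headers), ...] from the start URL to the final response."""
    final_url, final_status, _ = hops[-1]
    out = []
    if final_status != 200:
        out.append(f"chain ends with HTTP {final_status}")
    if final_url != canonical:
        out.append(f"ends at {final_url}, not canonical {canonical}")
    if len(hops) - 1 > max_hops:
        out.append(f"{len(hops) - 1} redirect hops (expected at most {max_hops})")
    # After the first hop every URL should be HTTPS; a later http:// hop is a detour.
    out += [f"plaintext hop: {u}" for u, _, _ in hops[1:] if u.startswith("http://")]
    return out

def audit_client(canonical, chains):
    """chains: start_url -> hops. Header checks run on the canonical 200 response."""
    findings = [f"{start}: {f}" for start, hops in chains.items()
                for f in redirect_findings(hops, canonical)]
    for url, status, headers in (hops[-1] for hops in chains.values()):
        if url == canonical and status == 200:
            findings += header_findings(headers)
            break
    return findings

# Constructed sample: apex and www land cleanly on the canonical URL, but the
# final response lacks CSP and Permissions-Policy and leaks a server version.
FINAL = {"Strict-Transport-Security": "max-age=31536000",
         "X-Frame-Options": "SAMEORIGIN", "Server": "nginx/1.18.0"}
SAMPLE_CHAINS = {
    "http://client-a.test": [("http://client-a.test", 301, {}),
                             ("https://client-a.test", 301, {}),
                             ("https://www.client-a.test/", 200, FINAL)],
    "http://www.client-a.test": [("http://www.client-a.test", 301, {}),
                                 ("https://www.client-a.test/", 200, FINAL)],
}
```

Run `audit_client` over every client's chains from a stored watchlist and diff the output against the previous quarter to spot drift.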
For weights and penalties behind each category, see How Scorifya works.
Duda's hosting infrastructure is reliable and handles TLS certificates and platform patches. However, Duda does not set browser security headers like HSTS, CSP, or X-Frame-Options by default, and the Duda editor provides no native controls for them. These must be added at a CDN layer (such as Cloudflare) in front of each client's connected domain. A Duda-built site can be made secure, but it requires configuration beyond what the platform provides out of the box.
Not natively. Duda serves HTTPS on connected domains but does not send a Strict-Transport-Security header by default. To add HSTS, agencies typically front client domains with Cloudflare and inject the header there. Without it, browsers cannot enforce HTTPS-only connections on return visits.
Duda's editor does not expose response header controls. The most reliable approach for agencies is to proxy client domains through Cloudflare and add CSP there as a Transform Rule. Duda widgets and embeds load from external origins, so any CSP needs to allow those sources.
The most common findings are: missing HSTS header, no Content-Security-Policy, absent X-Frame-Options, incomplete SPF/DMARC per client domain, and missing Permissions-Policy. These are edge-layer gaps that accumulate across an agency portfolio, fixable by fronting client domains with Cloudflare and adding security headers there.
No. Scorifya only requests the public URL you paste and follows redirects. It cannot access your editor, client list, or workspace.
This page is for ad-hoc URL pastes. For portfolio coverage, sign up and use the Pro watchlist + scheduled re-scans to track multiple sites in one place.
Each client has their own custom domain, DNS, and possibly different fronting CDNs. The template is the same; the public posture differs.
More detail on limits and billing: FAQ.
TLS, HTTPS & redirects
Valid certificates, modern TLS, and clean HTTP→HTTPS upgrades. We also probe whether legacy TLS 1.0/1.1 are still accepted.
Security headers
CSP, HSTS, and related headers reduce common browser-side attack surfaces and clickjacking risk.
DNS & email (passive)
SPF, DMARC, a few DKIM selectors, MX, and whether common subdomains resolve publicly, without port scanning.
Hygiene signals
Verbose server banners and risky defaults can raise your attack surface and erode trust.
Not a vulnerability scan
Scorifya checks public configuration signals; it does not attempt exploitation, port scans, or authenticated crawling.
If you're iterating on config or deploying changes, you'll likely run multiple checks as you tighten things up. When you're ready, Scorifya Pro removes scan limits and unlocks JSON/CSV/PDF exports.