Framer sites
Framer handles hosting and TLS reliably, but it does not set HSTS, CSP, or most browser security headers by default, and Framer's editor provides no way to configure them. Those gaps live at the edge layer and are invisible inside the canvas. Sites that look finished in the Framer editor can still score poorly on the headers browsers actually enforce.
Paste the URL you publish to, usually your apex domain or www host. Scorifya checks HTTPS posture and redirects, security headers (HSTS, CSP, X-Frame-Options, and more), passive SPF/DMARC/MX signals for your domain, and cookie hints when responses carry Set-Cookie. It does not log into your Framer workspace or read your designs. Results in under 30 seconds.
This page is written for people searching for Framer security check, same tool as the homepage, with context for that query.
How we differ from deep TLS graders, browser-focused posture tools, and header-only checkers: read the comparison.
Illustrative snapshots of what a report can look like. Paste your URL above for a live score on your site.
Example A, fresh Framer site on a connected domain
TLS, redirects, and the few headers Framer does send look good out of the box. Email DNS plus the headers Framer leaves unset (CSP, Permissions-Policy) leave points on the table.
DMARC missing
Even if you don't send transactional mail from your apex, publishing SPF plus a DMARC record tells receiving servers which mail claiming your domain is legitimate. A starter p=none record only reports; spoofed mail is rejected once the policy reaches quarantine or reject.
Content-Security-Policy not set
Framer-hosted sites don't ship CSP by default. If you embed code components or third-party scripts, CSP is the highest-leverage header to add.
Permissions-Policy missing
Explicit denies for camera/microphone/geolocation are a short, low-risk header to add at any fronting CDN.
Example B, Framer site behind Cloudflare with custom headers
Headers and TLS line up consistently across hosts. The remaining gaps are typical email-DNS maturity items.
DMARC policy not at enforcement
Reports are flowing, but moving past p=none to p=quarantine or p=reject is what stops spoofed mail from reaching inboxes.
Verbose Server banner
Fingerprinting hints rarely flip the score alone but show up during hygiene passes.
Add HSTS via Cloudflare in front of Framer
Framer does not send Strict-Transport-Security by default, and a Framer site can't set this header from inside the editor. Route your custom domain through Cloudflare and add the header there, either with Cloudflare's HSTS toggle under SSL/TLS > Edge Certificates or with a response-header rule or Worker, using a max-age of at least one year. Browsers remember the policy for the full max-age, so only add includeSubDomains once every subdomain of the apex is served over HTTPS.
Audit code components before writing a CSP
Framer code components can inject inline scripts and load external APIs. List every external origin your components use, then write a CSP at your Cloudflare proxy layer. Inline scripts need nonces or must move to external files for CSP to work correctly.
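The two tips above (HSTS and CSP at the Cloudflare proxy layer) share one mechanism, so here is one worked example covering both: a Cloudflare Worker that sits in front of a Framer-hosted domain and stamps the headers Framer does not send. This is an added example, not Framer's or Scorifya's code. The `CONNECT_ORIGINS` and `SCRIPT_ORIGINS` lists are hypothetical placeholders for the origins your own code components (and Framer's asset hosts, which this page does not enumerate) actually use; the nonce must also be placed on every inline `<script>` that is allowed to run, which is why the policy starts in report-only mode.

```javascript
// Added example, not Framer's or Scorifya's code: a Cloudflare Worker
// (service-worker syntax) that proxies a Framer-hosted domain and adds the
// headers Framer does not send. Origin lists below are assumptions for a
// hypothetical site; replace them with the origins your audit found.

// Assumption: external APIs and script hosts your code components use.
const CONNECT_ORIGINS = ['https://api.example.com'];
const SCRIPT_ORIGINS = ['https://assets.example.com'];

// First deployment: report violations, block nothing. Flip to false once the
// violation reports show only what you expect.
const REPORT_ONLY = true;

// Build the policy headers for one response. `nonce` must also be set on every
// inline <script nonce="..."> that should run; inline scripts without it,
// including any an attacker injects, are blocked once the policy is enforced.
function buildSecurityHeaders(nonce, origins = { script: SCRIPT_ORIGINS, connect: CONNECT_ORIGINS }, reportOnly = REPORT_ONLY) {
  const csp = [
    "default-src 'self'",
    `script-src 'self' 'nonce-${nonce}' ${origins.script.join(' ')}`.trim(),
    "style-src 'self' 'unsafe-inline'",
    "img-src 'self' data: https:",
    "font-src 'self' data:",
    `connect-src 'self' ${origins.connect.join(' ')}`.trim(),
    "frame-ancestors 'none'",
    "base-uri 'self'",
    "object-src 'none'",
  ].join('; ');
  return {
    // includeSubDomains assumes every subdomain already serves HTTPS.
    'strict-transport-security': 'max-age=31536000; includeSubDomains',
    [reportOnly ? 'content-security-policy-report-only' : 'content-security-policy']: csp,
    'x-content-type-options': 'nosniff',
    'referrer-policy': 'strict-origin-when-cross-origin',
    'permissions-policy': 'camera=(), microphone=(), geolocation=()',
  };
}

// Merge policy headers over the origin's headers (names lower-cased). Policy
// values win, and the Server banner is dropped as a hygiene measure.
function applySecurityHeaders(originHeaders, policyHeaders) {
  const out = {};
  for (const [name, value] of Object.entries(originHeaders)) {
    const key = name.toLowerCase();
    if (key === 'server') continue;
    out[key] = value;
  }
  for (const [name, value] of Object.entries(policyHeaders)) out[name.toLowerCase()] = value;
  return out;
}

// Per-response nonce: 16 random bytes, base64 as the CSP grammar requires.
function makeNonce() {
  return btoa(String.fromCharCode(...crypto.getRandomValues(new Uint8Array(16))));
}

async function handle(request) {
  const upstream = await fetch(request);            // Framer serves the page
  const merged = applySecurityHeaders(
    Object.fromEntries(upstream.headers),
    buildSecurityHeaders(makeNonce()),
  );
  return new Response(upstream.body, {
    status: upstream.status,
    statusText: upstream.statusText,
    headers: merged,
  });
}

// Registered only inside the Workers runtime; under plain Node the guard is
// false so the functions above can be exercised on their own.
if (typeof addEventListener === 'function') {
  addEventListener('fetch', (event) => event.respondWith(handle(event.request)));
}
```

Deploy with `REPORT_ONLY` true, read the violation reports for a few days to discover every origin Framer's generated page and your components load from, then add those to the lists and flip the flag. If you only need HSTS and a fixed header set, Cloudflare's HSTS toggle and Response Header Modification rules do the same job without a Worker; the Worker is what you need once the CSP carries a per-response nonce.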
Publish SPF and DMARC for your apex even if you don't send mail
Even brochure sites benefit from email-auth records: without them, anyone can send mail that claims to come from your domain and receivers have no published policy to check it against. Publishing SPF and a starter DMARC record takes minutes. A p=none starter only reports, so schedule the move to p=quarantine or p=reject once the reports show no legitimate mail failing.
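As an added example (not from the page), the zone records for a Framer-hosted apex that sends no mail at all, using the hypothetical domain example.com:

```dns
; Added example, not from Scorifya. Assumes example.com sends no mail at all.
; Starter: no server is authorised to send, receivers only report failures.
example.com.         IN TXT "v=spf1 -all"
_dmarc.example.com.  IN TXT "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"

; Enforced, after a few weeks of clean reports: spoofed mail is rejected.
_dmarc.example.com.  IN TXT "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com"

; Null MX (RFC 7505): the domain accepts no inbound mail either.
example.com.         IN MX  0 .
```

If the apex does send mail through a provider (Google Workspace, Microsoft 365, a transactional service), `v=spf1 -all` would cause that mail to fail; use the provider's documented `include:` mechanism instead, and skip the null MX. Only one `_dmarc` TXT record should exist at a time; the second line above replaces the first.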
Connect your custom domain on apex and www
Make sure both hosts redirect cleanly to one canonical version with HTTPS. Framer handles certs; the redirect logic and host coverage are still on you.
Re-scan after each publish or DNS change
Each publish, domain switch, or DNS edit shifts what we observe. A fresh paste of the same URL catches regressions early, especially after adding or removing code components.
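For the re-scan habit above, a local self-check between scans helps. This added example (not Scorifya's scanner) grades a raw header block of the kind `curl -sI https://www.example.com` prints, using the same thresholds the tips on this page describe: one-year HSTS, an enforced CSP without bare `'unsafe-inline'`, clickjacking protection, Permissions-Policy, a quiet Server banner, and Secure/HttpOnly on cookies. The response below is constructed for illustration, not captured from a real Framer site.

```javascript
// Added example, not Scorifya's code: grade response headers the way a quick
// curl -sI self-check would after each publish or DNS edit.

// Constructed sample response (not captured from a real site).
const SAMPLE_RESPONSE = [
  'HTTP/2 200',
  'content-type: text/html; charset=utf-8',
  'server: nginx/1.18.0',
  'strict-transport-security: max-age=86400',
  "content-security-policy-report-only: default-src 'self'",
  'set-cookie: session=abc; Path=/',
].join('\r\n');

const ONE_YEAR = 31536000;

// Raw header block -> { lowercased name: [values...] }. Set-Cookie can repeat,
// and its values contain commas, so every header keeps an array of values.
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    const i = line.indexOf(':');
    if (i <= 0) continue;                                 // status line or blank
    const name = line.slice(0, i).trim().toLowerCase();
    (headers[name] = headers[name] || []).push(line.slice(i + 1).trim());
  }
  return headers;
}

// Returns a list of findings; an empty list means nothing to fix.
function checkHeaders(headers) {
  const findings = [];
  const first = (name) => (headers[name] || [])[0];

  const hsts = first('strict-transport-security');
  if (!hsts) findings.push('HSTS missing');
  else {
    const m = /max-age=(\d+)/i.exec(hsts);
    if (!m || Number(m[1]) < ONE_YEAR) findings.push('HSTS max-age below one year');
  }

  const csp = first('content-security-policy');
  if (!csp) {
    findings.push(first('content-security-policy-report-only')
      ? 'CSP only in report-only mode (not enforced)'
      : 'CSP missing');
  } else if (/script-src[^;]*'unsafe-inline'/i.test(csp) && !/'(nonce-|sha(256|384|512)-)/.test(csp)) {
    // Browsers ignore 'unsafe-inline' when a nonce or hash is present, so only
    // a bare 'unsafe-inline' is a finding.
    findings.push("CSP script-src allows 'unsafe-inline' with no nonce or hash");
  }

  if (!first('x-frame-options') && !/frame-ancestors/i.test(csp || '')) {
    findings.push('no clickjacking protection (X-Frame-Options or frame-ancestors)');
  }
  if (!first('x-content-type-options')) findings.push('X-Content-Type-Options missing');
  if (!first('permissions-policy')) findings.push('Permissions-Policy missing');

  const server = first('server');
  if (server && /\d/.test(server)) findings.push(`verbose Server banner: ${server}`);

  for (const cookie of headers['set-cookie'] || []) {
    const name = cookie.split('=')[0];
    if (!/;\s*secure/i.test(cookie)) findings.push(`cookie ${name} lacks Secure`);
    if (!/;\s*httponly/i.test(cookie)) findings.push(`cookie ${name} lacks HttpOnly`);
  }
  return findings;
}

function selfCheck(raw = SAMPLE_RESPONSE) {
  return checkHeaders(parseHeaders(raw));
}
```

Run it against a saved `curl -sI` capture of the apex and the www host separately, since the two can sit behind different redirect chains and header sets, and compare the lists before and after each publish.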
For weights and penalties behind each category, see How Scorifya works.
Framer's hosting infrastructure is reliable and handles TLS certificates automatically. However, Framer does not set HSTS, CSP, X-Frame-Options, or most browser security headers by default, and the Framer editor provides no way to configure them. Those must be added at a CDN proxy layer in front of your published domain. A Framer site can be made secure, but it requires configuration outside of Framer.
Not natively. Framer serves HTTPS but does not send a Strict-Transport-Security header by default, and there is no HSTS setting inside the Framer editor. To add HSTS, you need to front your custom domain with a CDN like Cloudflare that injects the header on every response.
Framer provides no way to set arbitrary response headers from inside the editor. The most reliable approach is to proxy your published domain through Cloudflare and add CSP there. If you use Framer code components, they may inject inline scripts that require nonces or external script files for a strict CSP to work.
The most common findings are: missing HSTS header, no Content-Security-Policy, absent Permissions-Policy, and incomplete SPF/DMARC records for the domain. None of these are Framer platform vulnerabilities. The header gaps are edge-layer items fixable with a Cloudflare proxy in front of your published domain; the SPF/DMARC gaps are DNS records you publish at your registrar or DNS host.
No. Scorifya only requests the URL you paste and follows redirects. It cannot access your Framer projects, drafts, or team data.
Framer handles certs and platform patches. The score reflects what visitors' browsers see end-to-end: redirects, headers, DNS, and email signals, most of which depend on your domain config, not Framer's hosting.
Preview URLs and your published custom domain can have different headers and redirect chains. Always scan the live URL visitors actually load.
More detail on limits and billing: FAQ.
TLS, HTTPS & redirects
Valid certificates, modern TLS, and clean HTTP→HTTPS upgrades. We also probe whether legacy TLS 1.0/1.1 are still accepted.
Security headers
CSP, HSTS, and related headers reduce common browser-side attack surfaces and clickjacking risk.
DNS & email (passive)
SPF, DMARC, a few DKIM selectors, MX, and whether common subdomains resolve publicly, without port scanning.
Hygiene signals
Verbose server banners and risky defaults can raise your attack surface and erode trust.
Not a vulnerability scan
Scorifya checks public configuration signals; it does not attempt exploitation, port scans, or authenticated crawling.
If you're iterating on config or deploying changes, you'll likely run multiple checks as you tighten things up. When you're ready, Scorifya Pro removes scan limits and unlocks JSON/CSV/PDF exports.