Ghost publications
Ghost is a Node app you typically front with nginx, Caddy, or Cloudflare, and that's where browser security headers actually need to live. Ghost-CLI's default nginx configuration focuses on routing, not hardening. It does not add HSTS, CSP, Referrer-Policy, or X-Frame-Options. Sites that run fine in the Ghost Admin preview can still serve bare headers to every reader.
Paste the URL readers actually load, your apex or a subdomain like blog.example.com. Scorifya checks HTTPS posture and redirects, security headers, passive SPF/DMARC/MX signals for newsletter sends, and cookie hints when responses carry Set-Cookie. It does not log into Ghost Admin or read your members table. Results in under 30 seconds.
This page is written for people searching for Ghost CMS security check, same tool as the homepage, with context for that query.
How we differ from deep TLS graders, browser-focused posture tools, and header-only checkers: read the comparison.
Illustrative snapshots of what a report can look like. Paste your URL above for a live score on your site.
Example A, self-hosted Ghost behind default nginx
HTTPS works, but Ghost-CLI's default nginx block doesn't add browser headers. Most fixes are one nginx reload away.
Strict-Transport-Security missing
Self-hosted Ghost rarely sets HSTS at the nginx layer by default. Add it once and, after a reader's first HTTPS visit, the browser refuses plain-HTTP connections to the site for as long as the max-age you set.
Content-Security-Policy absent
Members and Stripe checkout flows make CSP rollout slightly more involved, but report-only mode catches the integrations cleanly.
Referrer-Policy not set
Without an explicit policy you depend on each browser's default, and some user agents still send the full page URL in the Referer header; newsletter UTM links and shared post URLs then leak more context than needed.
Example B, Ghost(Pro) or Ghost behind Cloudflare
TLS and the headers your CDN ships look consistent. Email DNS for the newsletter sender is where most points still drop.
DMARC policy not at enforcement
Newsletter mail goes out under your domain; staying on p=none means spoofed mail using your brand still reaches inboxes.
Permissions-Policy missing
A short Permissions-Policy denying camera/microphone/geolocation tightens the contract for embeds in posts.
Add the security header baseline at nginx or Cloudflare
Ghost-CLI's default nginx block includes no browser headers. Add HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy to the same nginx server block Ghost-CLI generates, or set them in a Cloudflare Transform Rule if you proxy through Cloudflare.
Plan CSP around Ghost Portal and Stripe
Ghost's members portal and checkout call into stripe.com and your portal subdomain. Run CSP in report-only mode first so you catch every domain that needs an entry in script-src and connect-src before enforcing.
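The two steps above in one nginx snippet: the header baseline plus a CSP that only reports. This is an added example for this page, not Ghost-CLI output or Scorifya's own configuration. The snippet path, the hostname blog.example.com, the /csp-report collector endpoint and the Stripe origins in the CSP allow-list are assumptions; the allow-list is only a starting point that you grow from your own violation reports.

```nginx
# Added example; not generated by Ghost-CLI. Assumed file:
#   /etc/nginx/snippets/ghost-security-headers.conf
# It is included from the `location /` block Ghost-CLI generates (excerpt below).

# HSTS for one year. Add "; includeSubDomains" only once www., members. and every
# other subdomain is served over HTTPS, because the browser will then refuse HTTP for all of them.
add_header Strict-Transport-Security "max-age=31536000" always;

# Clickjacking and MIME-sniffing protection.
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;

# Cross-origin navigations get only the origin; HTTPS->HTTP downgrades get nothing.
add_header Referrer-Policy "strict-origin-when-cross-origin" always;

# Deny powerful features to the page and to any embeds inside posts.
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;

# CSP in report-only mode: nothing is blocked, each violation is POSTed to report-uri.
# The allow-list below is an assumed starting point (Stripe origins for Portal checkout).
# /csp-report is a placeholder for a collector you run yourself; Ghost has none built in.
# Only after the reports are quiet do you rename this header to Content-Security-Policy.
add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self' https://js.stripe.com; connect-src 'self' https://api.stripe.com; frame-src https://js.stripe.com https://hooks.stripe.com; img-src 'self' data: https:; style-src 'self' 'unsafe-inline'; font-src 'self' data:; object-src 'none'; base-uri 'self'; report-uri /csp-report" always;

# ---------------------------------------------------------------------------
# Excerpt of the Ghost-CLI generated <domain>-ssl.conf showing where the include goes.
# nginx does NOT inherit add_header into a location that has add_header lines of its
# own, so keep every header in this one snippet and include it inside `location /`.
# ---------------------------------------------------------------------------
server {
    listen 443 ssl http2;
    server_name blog.example.com;          # assumed hostname
    # ... the TLS directives Ghost-CLI wrote stay exactly as they are ...

    location / {
        include snippets/ghost-security-headers.conf;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass http://127.0.0.1:2368;
    }
}
```

Apply with `sudo nginx -t && sudo systemctl reload nginx`, then re-paste the URL to confirm the headers are observed. Two caveats: `add_header` appends rather than replaces, so if Ghost itself already emits one of these headers you will see it twice until you `proxy_hide_header` the upstream copy; and Ghost Admin loads under /ghost/ through the same `location /`, so either keep its violations out of your allow-list decisions at the collector or give /ghost/ its own location block with its own complete header set before you enforce.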
Configure SPF, DKIM, and DMARC for your newsletter sender
Ghost newsletters typically send via Mailgun or another ESP. Publish SPF and DKIM for the configured sender and a DMARC record that progresses past p=none. Missing DMARC lets anyone spoof your publication in email.
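What those three records look like once published, as an added example that is not part of this page or of any ESP's documentation. example.com, the report mailbox and the `include:mailgun.org` mechanism are assumptions (the include is the one Mailgun asks for, but copy the exact value from your ESP's domain-verification page); the DKIM selector and public key are placeholders because only the ESP can issue them.

```zone
; Added example, not the page's own records. Replace example.com and the mailto: address.

; SPF on the domain that appears in the envelope sender: authorise the ESP, softfail the rest.
; Publish it on the exact sending hostname (for example mg.example.com if Mailgun sends from there).
example.com.                          IN TXT "v=spf1 include:mailgun.org ~all"

; DKIM: selector name and key are issued by the ESP; both shown as placeholders.
<selector>._domainkey.example.com.    IN TXT "v=DKIM1; k=rsa; p=<public-key-from-ESP>"

; DMARC. p=none only monitors; quarantine or reject is enforcement. Relaxed alignment
; (adkim=r, aspf=r) lets a sending subdomain such as mg.example.com pass for mail whose
; From: header is example.com. Raise pct from a low value to 100 as the reports stay clean.
_dmarc.example.com.                   IN TXT "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc-reports@example.com; adkim=r; aspf=r"
```

The aggregate reports sent to the rua address play the same role as CSP report-only: they show which sources are sending as your domain and whether each aligns, so you move p=none to quarantine and then reject only once every legitimate newsletter send passes. Scorifya's "DMARC policy not at enforcement" finding clears as soon as the published policy is quarantine or reject.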
Front Ghost with Cloudflare if you prefer managed headers
If you don't want to maintain nginx config manually, putting Ghost behind Cloudflare lets you set the entire header baseline through Cloudflare's dashboard and rules, no server reload required.
Re-scan after each deploy, nginx reload, or DNS change
Ghost upgrades, theme changes, and Mailgun config swaps all shift what we observe. A fresh paste of the same URL catches regressions early.
For weights and penalties behind each category, see How Scorifya works.
Ghost's core is actively maintained and receives security patches. However, a self-hosted Ghost install running behind the default Ghost-CLI nginx configuration ships no browser security headers: HSTS, CSP, X-Frame-Options, and Referrer-Policy are all absent until you add them manually at the nginx or CDN layer. Ghost(Pro) is more managed, but custom domain security headers still depend on your configuration. A Ghost site can be made secure, but it requires steps beyond the default install.
Not in its default configuration. Ghost-CLI's nginx block handles routing and TLS termination but does not add a Strict-Transport-Security header. To enable HSTS, add the header to your nginx server block or configure it at a CDN like Cloudflare. Without it, browsers cannot enforce HTTPS-only connections on return visits.
Yes, but Ghost's Portal, Stripe integration, and comment systems load scripts from multiple external origins, which makes CSP more involved than a basic site. The recommended approach is to start with report-only mode, watch the violation reports to identify every allowed source, then enforce. Add the header at nginx or Cloudflare, not from Ghost Admin, which doesn't expose header controls.
The most common findings for self-hosted Ghost are: missing HSTS at the nginx layer, no Content-Security-Policy, absent Referrer-Policy, and incomplete SPF/DMARC for the newsletter sending domain. Ghost(Pro) sites typically score better on headers but may still have email DNS gaps. These are all fixable at the nginx or CDN layer without touching Ghost core.
No. Scorifya only requests the public URL you paste and follows redirects. It cannot access /ghost, members APIs, or your content database.
Ghost(Pro) handles the platform headers; the variables you control are your custom domain config, your DMARC/SPF for the newsletter sender, and any Cloudflare layer you put in front. Scorifya scores all of that.
members.example.com and example.com are separate hostnames with their own certs and headers. Scan both if you want full coverage.
More detail on limits and billing: FAQ.
TLS, HTTPS & redirects
Valid certificates, modern TLS, and clean HTTP→HTTPS upgrades. We also probe whether legacy TLS 1.0/1.1 are still accepted.
Security headers
CSP, HSTS, and related headers reduce common browser-side attack surfaces and clickjacking risk.
DNS & email (passive)
SPF, DMARC, a few DKIM selectors, MX, and whether common subdomains resolve publicly, without port scanning.
Hygiene signals
Verbose server banners and risky defaults can raise your attack surface and erode trust.
Not a vulnerability scan
Scorifya checks public configuration signals; it does not attempt exploitation, port scans, or authenticated crawling.
If you're iterating on config or deploying changes, you'll likely run multiple checks as you tighten things up. When you're ready, Scorifya Pro removes scan limits and unlocks JSON/CSV/PDF exports.