HubSpot CMS sites
HubSpot CMS handles hosting and TLS for you, which removes a lot of risk, but two things still depend on how the site and domain are set up: the browser security headers, where the platform's controls are limited, and email authentication for the domain HubSpot sends marketing and sales email from. A polished HubSpot page can still trail on the headers browsers enforce and on SPF or DMARC coverage.
Paste your production hostname (custom domain or HubSpot-hosted) and Scorifya checks HTTPS and TLS, security headers, passive SPF, DMARC and MX signals, cookie attributes, and exposure cues. No portal access is needed. Results in under 30 seconds.
This page is written for people searching for HubSpot security check—same tool as the homepage, with context for that query.
How we differ from deep TLS graders, browser-focused posture tools, and header-only checkers: read the comparison.
Illustrative snapshots of what a report can look like—paste your URL above for a live score on your site.
Example A: managed hosting, headers and mail DNS unfinished
TLS is handled well by the platform, but the security-header baseline is thin and email authentication on the sending domain is incomplete.
Strict-Transport-Security absent
HTTPS works, but no HSTS header is sent, so a first-visit downgrade window stays open. Header controls on HubSpot CMS are limited compared with a self-hosted stack.
Mixed email authentication
Marketing and sales email goes out before SPF and DMARC fully cover the sending domain. Passive DNS highlights the mismatch.
Content-Security-Policy missing
Marketing pages load tracking and embed scripts from several origins. A CSP is harder to set on a managed platform, but its absence is still worth flagging.
Example B: domain and mail DNS finished
TLS, available headers, and email authentication line up. The remaining points are header controls the platform does not fully expose.
Permissions-Policy not set
A short header denying camera, microphone, and geolocation tightens the browser-feature contract where the platform allows it.
DMARC at p=none
Email is monitored but not enforced. Move to quarantine once your legitimate senders align.
Finish SPF and DMARC for the domain HubSpot sends from
HubSpot is built around email, so the highest-value fix is usually mail authentication. Publish the SPF includes HubSpot asks for and a DMARC record on the sending domain, then tighten DMARC from monitor to enforce once your senders align. A missing DMARC record lets anyone spoof your domain.
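The logic behind the DMARC p=none finding in Example B and this recommendation, written out as an added example (it is not Scorifya's checker and not HubSpot's code): given the TXT records published at the sending domain and at its _dmarc subdomain, it reports a missing or duplicated SPF record, an SPF without the mail provider's include, a permissive all mechanism, too many DNS lookups, and a DMARC record that is missing, still at p=none, or without a reporting address. The sample records and the REQUIRED_INCLUDE value are constructed placeholders; the real include value comes from your HubSpot email setup. Live lookups use dnspython, which is an assumption and optional.

```python
"""Passive SPF and DMARC evaluation for a sending domain.

Added example, not Scorifya's own code. It takes the TXT records published
at <domain> and _dmarc.<domain> and reports the findings the page describes.
The sample records and the required include value are constructed.
"""
import re
from dataclasses import dataclass

@dataclass
class Finding:
    severity: str  # "high", "medium" or "ok"
    message: str

SEVERITY_RANK = {"ok": 0, "medium": 1, "high": 2}
# Placeholder: substitute the include value your mail provider's setup page gives you.
REQUIRED_INCLUDE = "spf.mail-provider.invalid"
# Mechanisms and modifiers that cost a DNS lookup (RFC 7208 allows at most 10).
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|/|$)|^redirect=", re.I)

def check_spf(txt_records, required_include=REQUIRED_INCLUDE):
    """Findings for the SPF record(s) among a domain's TXT records."""
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if not spf:
        return [Finding("high", "no SPF record published")]
    findings = []
    if len(spf) > 1:
        findings.append(Finding("high", "more than one SPF record (receivers return permerror)"))
    terms = spf[0].split()[1:]  # drop the v=spf1 version tag
    includes = [t.split(":", 1)[1].lower() for t in terms if t.lower().startswith("include:")]
    if required_include.lower() not in includes:
        findings.append(Finding("high", f"SPF does not include {required_include}"))
    tail = terms[-1].lower() if terms else ""
    if tail in ("all", "+all"):
        findings.append(Finding("high", "SPF ends in +all, which authorizes every sender"))
    elif tail == "?all":
        findings.append(Finding("medium", "SPF ends in ?all (neutral), so it protects nothing"))
    elif tail in ("~all", "-all"):
        findings.append(Finding("ok", f"SPF ends in {tail}"))
    else:
        findings.append(Finding("medium", "SPF has no all mechanism; unlisted senders are neutral"))
    lookups = sum(1 for t in terms if LOOKUP_TERM.match(t))
    if lookups > 10:
        findings.append(Finding("high", f"SPF needs {lookups} DNS lookups, over the limit of 10"))
    return findings

def parse_dmarc(txt_records):
    """Tag/value dict of the DMARC record, or None if there is not exactly one."""
    recs = [r for r in txt_records if r.lower().startswith("v=dmarc1")]
    if len(recs) != 1:
        return None
    tags = {}
    for part in recs[0].split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def check_dmarc(txt_records):
    """Findings for the TXT records at _dmarc.<domain>."""
    tags = parse_dmarc(txt_records)
    if tags is None:
        return [Finding("high", "no usable DMARC record at _dmarc.<domain>; the domain can be spoofed")]
    policy = tags.get("p", "").lower()
    findings = []
    if policy == "none":
        findings.append(Finding("medium", "DMARC p=none: failures are reported, not enforced"))
    elif policy in ("quarantine", "reject"):
        findings.append(Finding("ok", f"DMARC p={policy}"))
    else:
        findings.append(Finding("high", "DMARC record has no valid p= tag"))
    pct = tags.get("pct", "100")
    if policy != "none" and pct.isdigit() and int(pct) < 100:
        findings.append(Finding("medium", f"DMARC pct={pct}: policy applies to only part of the mail"))
    if "rua" not in tags:
        findings.append(Finding("medium", "no rua= address, so alignment failures are never reported"))
    return findings

def worst(findings):
    """Highest severity among a non-empty list of findings."""
    return max((f.severity for f in findings), key=SEVERITY_RANK.__getitem__)

def assess_domain(domain_txt, dmarc_txt, required_include=REQUIRED_INCLUDE):
    return {"spf": check_spf(domain_txt, required_include), "dmarc": check_dmarc(dmarc_txt)}

# Constructed records mirroring the page's two snapshots (not real domains).
EXAMPLE_A = {  # provider include missing, DMARC monitoring only
    "spf": ["v=spf1 include:_spf.webhost.invalid ~all"],
    "dmarc": ["v=DMARC1; p=none; rua=mailto:dmarc@example.invalid"],
}
EXAMPLE_B = {  # finished: include present, hardfail, enforced policy
    "spf": [f"v=spf1 include:_spf.webhost.invalid include:{REQUIRED_INCLUDE} -all"],
    "dmarc": ["v=DMARC1; p=quarantine; rua=mailto:dmarc@example.invalid"],
}

def fetch_txt(name):
    """Optional live TXT lookup via dnspython (pip install dnspython); [] when the name has none."""
    import dns.resolver
    try:
        return ["".join(s.decode() for s in rr.strings) for rr in dns.resolver.resolve(name, "TXT")]
    except (dns.resolver.NoAnswer, dns.resolver.NXDOMAIN):
        return []

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 2:  # python spf_dmarc.py example.com
        report = assess_domain(fetch_txt(sys.argv[1]), fetch_txt(f"_dmarc.{sys.argv[1]}"))
    else:
        report = assess_domain(EXAMPLE_A["spf"], EXAMPLE_A["dmarc"])
    for section, findings in report.items():
        for f in findings:
            print(f"{section.upper():5} {f.severity:6} {f.message}")
```

Run it with no arguments to see the constructed Example A report (SPF missing the provider include, DMARC at p=none), or pass a domain to read its live records. The lookup counter matters on marketing domains in particular: each extra provider include consumes one of the ten lookups, and crossing that limit makes receivers treat the whole SPF record as an error.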
Add the security headers the platform allows
HubSpot CMS exposes some response controls but not the full header baseline. Set what you can, and if the domain is fronted by a CDN or proxy you control, add HSTS and the rest there so every response carries them.
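The header findings in the two snapshots above (HSTS absent, CSP missing, Permissions-Policy not set) and the cookie and banner signals the tool lists can all be read off a single response. As an added example that is not Scorifya's checker, the script below evaluates one HTTPS response's headers and Set-Cookie values against that baseline, so you can confirm a proxy or CDN in front of the domain is actually adding what you configured. Both sample responses are constructed; the one-year HSTS threshold is a common recommendation, not the page's own weighting.

```python
"""Baseline checks over one HTTPS response's headers and Set-Cookie values.

Added example, not Scorifya's own checker. It flags the findings the page
lists: HSTS absent or short, CSP missing or without clickjacking protection,
Permissions-Policy not denying camera/microphone/geolocation, cookies without
Secure/HttpOnly/SameSite, and a Server banner that leaks a version.
The two sample responses below are constructed.
"""
import re
from dataclasses import dataclass

@dataclass
class Finding:
    severity: str  # "high", "medium" or "low"
    header: str
    message: str

ONE_YEAR = 31536000  # seconds; commonly recommended HSTS minimum (assumption, not the page's weight)
BROWSER_FEATURES = ("camera", "microphone", "geolocation")

def _lower_keys(headers):
    return {k.lower(): v for k, v in headers.items()}

def check_hsts(headers):
    value = headers.get("strict-transport-security")
    if value is None:
        return [Finding("high", "Strict-Transport-Security", "absent; a first visit can be downgraded to HTTP")]
    out = []
    m = re.search(r"max-age=(\d+)", value, re.I)
    if not m:
        out.append(Finding("high", "Strict-Transport-Security", "no max-age directive, so browsers ignore it"))
    elif int(m.group(1)) < ONE_YEAR:
        out.append(Finding("medium", "Strict-Transport-Security", f"max-age={m.group(1)} is under one year"))
    if "includesubdomains" not in value.lower():
        out.append(Finding("low", "Strict-Transport-Security", "no includeSubDomains; subdomains stay downgradable"))
    return out

def check_csp(headers):
    value = headers.get("content-security-policy")
    if value is None:
        return [Finding("medium", "Content-Security-Policy", "missing; third-party script origins are unconstrained")]
    out = []
    directives = {d.split()[0].lower(): d.split()[1:] for d in value.split(";") if d.strip()}
    if "frame-ancestors" not in directives and "x-frame-options" not in headers:
        out.append(Finding("medium", "Content-Security-Policy", "no frame-ancestors and no X-Frame-Options: clickjacking unmitigated"))
    script = directives.get("script-src", directives.get("default-src", []))
    if "'unsafe-inline'" in script:
        out.append(Finding("low", "Content-Security-Policy", "script-src allows 'unsafe-inline'"))
    return out

def check_permissions_policy(headers):
    value = headers.get("permissions-policy")
    if value is None:
        return [Finding("low", "Permissions-Policy", "not set; camera, microphone and geolocation are not denied")]
    policy = {}
    for item in value.split(","):
        if "=" in item:
            feature, allow = item.split("=", 1)
            allow = allow.strip()
            allow = allow[1:-1] if allow.startswith("(") and allow.endswith(")") else allow
            policy[feature.strip().lower()] = allow.split()  # [] means denied for every origin
    not_denied = [f for f in BROWSER_FEATURES if policy.get(f) != []]
    return [Finding("low", "Permissions-Policy", f"does not deny {', '.join(not_denied)}")] if not_denied else []

def check_hygiene(headers):
    out = []
    server = headers.get("server", "")
    if re.search(r"\d+\.\d+", server):  # a version number in the banner
        out.append(Finding("low", "Server", f"banner exposes a version: {server!r}"))
    if headers.get("x-content-type-options", "").lower() != "nosniff":
        out.append(Finding("low", "X-Content-Type-Options", "nosniff not set"))
    return out

def check_cookie(set_cookie):
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower(): (p.split("=", 1)[1].lower() if "=" in p else "") for p in parts[1:]}
    out = []
    if "secure" not in attrs:
        out.append(Finding("medium", "Set-Cookie", f"{name}: no Secure flag"))
    if "httponly" not in attrs:
        out.append(Finding("low", "Set-Cookie", f"{name}: no HttpOnly flag"))
    if attrs.get("samesite") not in ("lax", "strict"):
        out.append(Finding("low", "Set-Cookie", f"{name}: SameSite is not Lax or Strict"))
    return out

def assess_response(raw_headers, set_cookies=()):
    """All findings for one response: header dict (any key case) plus its Set-Cookie values."""
    headers = _lower_keys(raw_headers)
    findings = check_hsts(headers) + check_csp(headers) + check_permissions_policy(headers) + check_hygiene(headers)
    for cookie in set_cookies:
        findings += check_cookie(cookie)
    return findings

def summary(findings):
    return {s: sum(1 for f in findings if f.severity == s) for s in ("high", "medium", "low")}

# Constructed responses mirroring the page's snapshots (not captured from any real site).
EXAMPLE_A_HEADERS = {"Content-Type": "text/html", "Server": "ExampleCMS/3.1.0"}
EXAMPLE_A_COOKIES = ["visitor=abc123; Path=/"]
EXAMPLE_B_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.invalid; frame-ancestors 'none'",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "X-Content-Type-Options": "nosniff",
    "Server": "ExampleCMS",
}
EXAMPLE_B_COOKIES = ["visitor=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"]

if __name__ == "__main__":
    for label, hdrs, cookies in (("A", EXAMPLE_A_HEADERS, EXAMPLE_A_COOKIES), ("B", EXAMPLE_B_HEADERS, EXAMPLE_B_COOKIES)):
        found = assess_response(hdrs, cookies)
        print(f"Example {label}: {summary(found)}")
        for f in found:
            print(f"  {f.severity:6} {f.header}: {f.message}")
```

To run it against your own domain, feed the headers of a `requests.get` (or `curl -I`) response into `assess_response` and the `Set-Cookie` values into the second argument, fetching the production custom domain rather than a preview host, for the reason the page gives.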
Scan your custom domain, not the hubspotpagebuilder preview
TLS, DNS, and any proxy headers live on your production custom domain. A preview or default HubSpot subdomain reflects platform defaults, not your domain's real configuration.
Keep an inventory of your tracking and embed scripts
Marketing sites accumulate analytics, chat, and embed scripts over time. Knowing exactly what loads makes a Content-Security-Policy possible and helps you spot anything unexpected on the page.
Re-scan after any DNS or domain change
Email DNS and domain settings take effect once they propagate. Run a new scan after editing SPF, DMARC, or domain configuration to confirm it landed.
For weights and penalties behind each category, see How Scorifya works.
Background explainers for what this tool checks.
HubSpot's hosting platform is mature and handles TLS and infrastructure well, which removes a lot of risk compared with a self-hosted site. The areas that still depend on you are the browser security headers, where the platform's controls are limited, and email authentication (SPF and DMARC) for the domain HubSpot sends from. A well-configured HubSpot site can score highly once those are handled.
The usual findings are: a missing or thin security-header baseline (no HSTS, no CSP), incomplete SPF or DMARC on the sending domain, and a Permissions-Policy that is not set. TLS and infrastructure are typically solid because the platform manages them, so the score gaps are mostly headers and email DNS.
HubSpot CMS does not expose the full set of response-header controls a self-hosted stack would. You can set what the platform allows, and if your domain is fronted by a CDN or reverse proxy you control, you can add HSTS and a CSP there. Otherwise, header coverage is limited to what HubSpot provides.
Paste your public URL above. Scorifya passively checks TLS, security headers, passive email DNS (SPF, DMARC, MX), cookie attributes, and exposure cues, then returns a 0 to 100 score with the specific fixes. It does not log into your HubSpot portal; it reports what a browser and public DNS reveal.
No. Only the public URL is requested. Anything behind the HubSpot login stays invisible to these passive checks, so it is safe to run on a live site.
More detail on limits and billing: FAQ.
TLS, HTTPS & redirects
Valid certificates, modern TLS, and clean HTTP→HTTPS upgrades. We also probe whether legacy TLS 1.0/1.1 are still accepted.
Security headers
CSP, HSTS, and related headers reduce common browser-side attack surfaces and clickjacking risk.
DNS & email (passive)
SPF, DMARC, a few DKIM selectors, MX, and whether common subdomains resolve publicly—without port scanning.
Hygiene signals
Verbose server banners and risky defaults can raise your attack surface and erode trust.
Not a vulnerability scan
Scorifya checks public configuration signals; it does not attempt exploitation, port scans, or authenticated crawling.
If you're iterating on config or deploying changes, you'll likely run multiple checks as you tighten things up. When you're ready, Scorifya Pro removes scan limits and unlocks JSON/CSV/PDF exports.