nginx & reverse proxies
Many teams add security headers to nginx.conf and assume browsers are receiving them, but config drifts across server blocks, cached includes, and upstream CDNs. A header you added to one location block may never appear on the HTML response your users actually fetch. Without a live check, it's easy to believe HSTS or CSP is shipping while visitors still see an older edge response.
Paste the public URL your users load: the hostname nginx or your front proxy answers for. Scorifya fetches what browsers receive: TLS and redirect behavior, security headers on the final response, passive DNS/email signals, cookie hints when present, and hygiene signals. Use it after editing header directives, reloading nginx, swapping upstream proxy routes, or when a CDN sits in front. Results in under 30 seconds.
This page is written for people searching for an nginx security headers check; it is the same tool as the homepage, with context for that query.
How we differ from deep TLS graders, browser-focused posture tools, and header-only checkers: read the comparison.
Illustrative snapshots of what a report can look like. Paste your URL above for a live score on your site.
Example A: TLS OK, headers weaker than expected
Certificates validate, but CSP or anti-framing headers never appear on the HTML response nginx serves, usually because the add_header directives sit in a server or location block other than the one answering the request.
Content-Security-Policy absent
No CSP header on the fetched response. Confirm whether policy should originate from nginx, an upstream app, or a CDN layer.
Anti-framing not detected
Neither CSP frame-ancestors nor X-Frame-Options appeared on the HTML response; a common miss when the headers were only added to a location block that serves static assets.
Example B: headers aligned after nginx reload
HSTS and baseline protections show up consistently; remaining work is tightening CSP allowances or finishing mail DNS.
CSP still permissive on script-src
A policy is present, but script-src still allows more origins than the site uses. Tighten it as you retire unused third-party origins.
DMARC monitoring-only
A DMARC record is published but still at p=none, so receivers report on spoofed mail without quarantining or rejecting it. Scorifya flags the monitoring-only policy until it moves to quarantine or reject.
Confirm which layer emits headers
If nginx proxies to an app or sits behind a CDN, the same header can be emitted twice (nginx's add_header appends to, rather than replaces, a header the upstream already sent) or overridden at the edge. Pick one authoritative layer for CSP and HSTS unless you intentionally split duties; on the nginx side, proxy_hide_header drops the upstream copy. The scanner tells you what actually reaches browsers, regardless of what your config file says.
Use the 'always' flag for error responses
Without the 'always' parameter, nginx's add_header applies only to 200, 201, 204, 206, 301, 302, 303, 304, 307 and 308 responses, so 4xx/5xx pages lose the headers and a scan that lands on an error page sees an inconsistent picture. Configure nginx so important headers apply on every response status: add_header Strict-Transport-Security '...' always;
Stage CSP in report-only first
Ship Content-Security-Policy-Report-Only, watch violations for a week or two, then enforce. A live scan in report-only mode confirms the header reaches browsers before you lock down script-src.
Reload and rescan after every config change
After nginx -t && nginx -s reload, paste the same public URL into Scorifya. CDN caches and upstream proxies can lag behind your file edit. The live check tells you what browsers see right now.
Validate HTTP→HTTPS redirects at the listener you own
Separate server blocks for port 80 and 443 often diverge; the permanent redirect should carry the hostname visitors actually type (for example by redirecting to https://$host$request_uri) rather than a fixed name. Scorifya checks both the redirect chain and the final HTTPS response headers.
For weights and penalties behind each category, see How Scorifya works.
The baseline for most nginx-served sites: Strict-Transport-Security (HSTS) with a long max-age and includeSubDomains, Content-Security-Policy scoped to your actual script sources, X-Frame-Options or CSP frame-ancestors to block clickjacking, X-Content-Type-Options: nosniff, Referrer-Policy, and Permissions-Policy. Set them in the server block with the 'always' flag so they apply to error responses too.
Add this to the HTTPS server block: add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains' always; (browsers ignore HSTS received over plain HTTP, so it belongs on the HTTPS listener only). Start with a shorter max-age like 3600 while validating, then grow it. Only add preload after every subdomain reliably serves HTTPS; the preload list requires a max-age of at least one year plus includeSubDomains. Removing a preload-registered domain takes months.
Use add_header Content-Security-Policy 'your-policy-here' always; in the server block. Start with Content-Security-Policy-Report-Only and a report-uri to collect violations before enforcing. Run Scorifya after adding the header to confirm it appears on your HTML response. Headers added in a location block apply only to responses that location serves, and a location that defines any add_header of its own stops inheriting the server block's headers, so static-asset locations often end up with a different header set than the main HTML response.
The most common mistakes are: adding headers inside a location block that only matches static files (so the HTML response never gets them), defining an unrelated add_header such as Cache-Control inside a location block (which silently stops that location from inheriting the server block's security headers), forgetting the 'always' flag (so error responses drop headers), a CDN or upstream app overwriting or duplicating headers nginx set, and testing against localhost rather than the public URL. Scorifya catches all of these by measuring the live response browsers actually receive.
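The tips and answers above (server-block placement, the 'always' flag, report-only CSP, the port 80 redirect, one authoritative header layer, the location-block inheritance trap) collected into one nginx site configuration. This is an added example written for this page, not configuration from Scorifya or from the nginx project. example.com, the certificate paths, the upstream at 127.0.0.1:8080, the /csp-report endpoint and the snippet path are assumptions chosen for illustration.

```nginx
# Added example for this page (not Scorifya's or nginx's own config).
# Hostnames, certificate paths, upstream address, snippet path and the
# /csp-report endpoint are assumptions.

# ---- /etc/nginx/snippets/security-headers.conf (assumed path) ----
# One file holds the header set so it can be included wherever it is needed.
# Every directive carries "always": without it add_header applies only to
# 200, 201, 204, 206, 301, 302, 303, 304, 307 and 308 responses.
# HSTS: use a short max-age such as 3600 while validating, then grow it.
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "DENY" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;
# Staged CSP: report-only while violations are collected at /csp-report
# (assumed endpoint). Once the reports are clean, change the header name to
# Content-Security-Policy to enforce the same policy.
add_header Content-Security-Policy-Report-Only "default-src 'self'; script-src 'self'; frame-ancestors 'none'; report-uri /csp-report" always;

# ---- /etc/nginx/sites-enabled/example.com (assumed path) ----
server {
    listen 80;
    listen [::]:80;
    server_name example.com www.example.com;
    # Redirect on the hostname the visitor typed ($host), not a fixed name,
    # so www.example.com does not silently turn into example.com.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name example.com www.example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;   # legacy TLS 1.0/1.1 refused

    server_tokens off;               # no nginx version in Server: or error pages

    # Headers for every location that defines no add_header of its own.
    include snippets/security-headers.conf;

    # WRONG (the mistake described on this page): security headers only here.
    # Only responses matching this regex get them; the HTML at / never does.
    #
    #   location ~* \.(css|js|png|jpg|woff2)$ {
    #       add_header Strict-Transport-Security "max-age=31536000" always;
    #   }

    # RIGHT: this location needs its own Cache-Control. Defining any
    # add_header here stops inheritance from the server block, so the
    # snippet is included again or the security headers vanish for assets.
    location ~* \.(css|js|png|jpg|woff2)$ {
        root /var/www/example.com;
        add_header Cache-Control "public, max-age=31536000, immutable";
        include snippets/security-headers.conf;
    }

    location / {
        # If the upstream app also emits CSP or HSTS, add_header would APPEND
        # a second copy. Hide the upstream headers so nginx is the single
        # authoritative layer for them.
        proxy_hide_header Content-Security-Policy;
        proxy_hide_header Content-Security-Policy-Report-Only;
        proxy_hide_header Strict-Transport-Security;
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

After saving, run nginx -t && nginx -s reload and then rescan the public URL; if a CDN fronts the site, purge or wait out its cache before trusting the result, since the edge can keep serving the old header set.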
No. We only request your public HTTPS URL and perform the passive DNS lookups documented on How Scorifya works; we never need access to the server filesystem.
Scan the hostname browsers load. Headers may come from the CDN, nginx, or both. Results reflect the combined edge. If Cloudflare is in front, it may add or override nginx headers.
Only publicly reachable HTTPS URLs work; private RFC1918 hosts are out of scope.
More detail on limits and billing: FAQ.
TLS, HTTPS & redirects
Valid certificates, modern TLS, and clean HTTP→HTTPS upgrades. We also probe whether legacy TLS 1.0/1.1 are still accepted.
Security headers
CSP, HSTS, and related headers reduce common browser-side attack surfaces and clickjacking risk.
DNS & email (passive)
SPF, DMARC, a few DKIM selectors, MX, and whether common subdomains resolve publicly, without port scanning.
Hygiene signals
Verbose server banners and risky defaults can raise your attack surface and erode trust.
Not a vulnerability scan
Scorifya checks public configuration signals; it does not attempt exploitation, port scans, or authenticated crawling.
If you're iterating on config or deploying changes, you'll likely run multiple checks as you tighten things up. When you're ready, Scorifya Pro removes scan limits and unlocks JSON/CSV/PDF exports.