PrestaShop stores
PrestaShop is self-hosted, so TLS, the response-header baseline, and server hardening are the merchant's job, not the platform's, and a store carries the extra stakes of payment and customer data. The recurring gaps are missing security headers (HSTS and a real CSP matter on checkout), modules and core that lag behind security releases, and exposed back-office or version cues. A store can be live and still score poorly on what browsers enforce.
Paste your storefront hostname and Scorifya checks HTTPS and TLS, security headers, passive SPF, DMARC and MX signals, cookie attributes, and exposure cues. It reads only the public URL, so no admin access is needed. Results in under 30 seconds.
This page is written for people searching for PrestaShop security check—same tool as the homepage, with context for that query.
How we differ from deep TLS graders, browser-focused posture tools, and header-only checkers: read the comparison.
Illustrative snapshots of what a report can look like—paste your URL above for a live score on your site.
Example A: live store, headers never set
TLS is healthy and checkout works, but no Content-Security-Policy and a missing HSTS header leave the store weaker than its payment flow deserves.
Content-Security-Policy missing
On a store, a CSP is a frontline defense against injected card-skimming scripts. Scorifya flags its absence so you can stage a report-only policy on checkout first.
Strict-Transport-Security absent
HTTPS works, but without HSTS every plain http:// navigation (a typed address, an old link, a redirect from a third-party site) can be intercepted before the redirect to HTTPS happens, including on pages that carry payment data. HSTS pins later visits to HTTPS, and preloading closes the remaining first-visit gap. Set the header at your web server or proxy.
Back-office or version detail exposed
A readable version file or a discoverable admin path gives an attacker a head start. Trim banners and protect the back-office URL.
Example B: patched and hardened storefront
Headers, TLS, and cookie flags match what a checkout should serve. The remaining points are in email authentication on the sending domain.
CSP allows broad script hosts
A policy is in place but whitelists large CDNs. Tighten it as you consolidate the modules and payment scripts the storefront loads.
DMARC at p=none
Order and marketing email is monitored but not enforced. Move to quarantine once your senders align.
Apply PrestaShop core and module security updates promptly
Most PrestaShop incidents start with a known flaw in old core or a vulnerable module. Track the security advisories, keep core current, and update or remove third-party modules you no longer use. Only install modules that are actively maintained.
Put a Content-Security-Policy on checkout first
A CSP is one of the strongest defenses against payment skimmers. Inventory every script your store loads (theme, modules, payment providers, analytics), then roll out a report-only policy on the checkout pages and promote it to enforcing once the reports are clean.
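The rollout above in working code, as an added example that is not Scorifya's or PrestaShop's own: it turns a constructed script inventory into a report-only policy for checkout, and flags the entries in an existing policy that are too broad to stop an injected skimmer (wildcards, bare schemes, `'unsafe-inline'`, wildcard subdomains). The hostnames, the store origin and the `/csp-report` endpoint are assumptions.

```python
"""Added example (not Scorifya's or PrestaShop's code): build a report-only CSP
for checkout from a script inventory, then audit script-src for broad entries."""
from urllib.parse import urlsplit

# Constructed inventory: every script a hypothetical storefront's checkout pages
# load (theme, payment module, analytics). All hostnames are assumed.
CHECKOUT_SCRIPTS = [
    "https://shop.example/themes/classic/assets/js/theme.js",
    "https://shop.example/modules/ps_checkout/views/js/front.js",
    "https://js.payment-provider.example/v3/",
    "https://analytics.example/collect.js",
]

# Source expressions that make script-src meaningless against injected scripts.
BROAD_SOURCES = {"*", "http:", "https:", "data:", "'unsafe-inline'", "'unsafe-eval'"}


def script_origins(urls):
    """Reduce script URLs to the set of origins (scheme://host[:port]) they load from."""
    return {f"{p.scheme}://{p.netloc}" for p in map(urlsplit, urls)}


def build_report_only_csp(store_origin, urls, report_uri="/csp-report"):
    """Return (header_name, header_value) for a policy that allows only the
    inventoried origins and reports violations instead of blocking. Promote it to
    Content-Security-Policy once the reports are clean."""
    third_party = sorted(o for o in script_origins(urls) if o != store_origin)
    script_src = " ".join(["'self'"] + third_party)
    value = (
        f"script-src {script_src}; "
        "object-src 'none'; base-uri 'self'; "
        f"report-uri {report_uri}"   # assumed endpoint that collects the reports
    )
    return "Content-Security-Policy-Report-Only", value


def parse_csp(value):
    """Parse a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def broad_script_sources(value):
    """Return the script-src entries (default-src if script-src is absent) that
    leave room for a skimmer: wildcards, bare schemes, unsafe-inline/eval and
    wildcard subdomains. An empty list means the script allow-list is tight."""
    policy = parse_csp(value)
    sources = policy.get("script-src", policy.get("default-src", []))
    return [s for s in sources
            if s in BROAD_SOURCES or s.startswith("*.") or "://*." in s]


if __name__ == "__main__":
    name, value = build_report_only_csp("https://shop.example", CHECKOUT_SCRIPTS)
    print(f"{name}: {value}")
    print(broad_script_sources("script-src 'self' 'unsafe-inline' https://*.cdn.example https:"))
```

A policy that passes `broad_script_sources` still only lists hosts; if a module needs inline scripts, the stronger follow-up is per-request nonces with `'strict-dynamic'` rather than `'unsafe-inline'`.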
Add HSTS and the rest of the header baseline
A default install does not send HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, or Permissions-Policy. Set them in your web server (Apache or nginx) or a reverse proxy so every storefront response, especially checkout, carries them.
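What "carries the baseline" means in concrete terms, as an added example rather than Scorifya's scoring code: a small grader that parses raw response headers and reports every gap a browser would notice, including the cookie attributes and version-bearing banners the report above lists. Both sets of headers are constructed for a hypothetical store; the one-year HSTS floor and the required-header list are this example's choices, and where you set the headers (nginx `add_header`, Apache `Header set`, or the proxy in front) is up to your stack.

```python
"""Added example (not Scorifya's code): grade a storefront's response headers
against the browser-enforced baseline described on this page."""
import re

# Constructed headers from a hypothetical store with working TLS but no header
# baseline, the "Example A" situation above.
RAW_HEADERS_UNHARDENED = """\
HTTP/1.1 200 OK
Server: Apache/2.4.41 (Ubuntu)
Content-Type: text/html; charset=utf-8
Set-Cookie: PrestaShop-abc123=token; path=/
X-Powered-By: PHP/7.4.3
"""

# Constructed headers after the baseline has been applied at the web server.
RAW_HEADERS_HARDENED = """\
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Security-Policy: default-src 'self'; script-src 'self' https://js.payment-provider.example; object-src 'none'
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=(), geolocation=()
Set-Cookie: PrestaShop-abc123=token; path=/; Secure; HttpOnly; SameSite=Lax
"""

REQUIRED = [
    "strict-transport-security", "content-security-policy", "x-frame-options",
    "x-content-type-options", "referrer-policy", "permissions-policy",
]
ONE_YEAR = 31536000  # assumed minimum HSTS max-age for this grader


def parse_headers(raw):
    """Parse raw response headers into {lower-name: [values]}; repeated headers
    such as Set-Cookie are kept as a list. The status line is skipped."""
    headers = {}
    for line in raw.splitlines()[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def grade(raw):
    """Return a list of findings; an empty list means the baseline is met."""
    h = parse_headers(raw)
    findings = [f"missing {name}" for name in REQUIRED if name not in h]

    hsts = h.get("strict-transport-security", [""])[0]
    m = re.search(r"max-age=(\d+)", hsts)
    if m and int(m.group(1)) < ONE_YEAR:
        findings.append("hsts max-age below one year")

    # Every cookie should be Secure, HttpOnly and carry a SameSite attribute.
    for cookie in h.get("set-cookie", []):
        cname = cookie.split("=", 1)[0]
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        for required in ("secure", "httponly", "samesite"):
            if required not in attrs:
                findings.append(f"cookie {cname} lacks {required}")

    # Banners that include a version number are an exposure cue.
    for leaky in ("server", "x-powered-by"):
        for v in h.get(leaky, []):
            if re.search(r"\d", v):
                findings.append(f"{leaky} reveals version: {v}")
    return findings


if __name__ == "__main__":
    for label, raw in (("unhardened", RAW_HEADERS_UNHARDENED), ("hardened", RAW_HEADERS_HARDENED)):
        print(label, grade(raw) or "baseline met")
```

To run it against a live store, replace the constructed strings with the output of `curl -sI https://your-store/` and grade that; the parser ignores the status line and copes with repeated Set-Cookie headers.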
Rename and protect the back-office, harden permissions
PrestaShop lets you rename the admin folder to a hard-to-guess path; do it, and restrict access to that path by IP where you can. Lock down file permissions so the web server cannot write where it does not need to, and remove the install directory after setup so it cannot be reached from the web.
Publish SPF and DMARC for order and marketing email
Stores send a lot of transactional and marketing email, which makes them a spoofing target. Publish SPF and DMARC on the sending domain so order confirmations and receipts cannot be impersonated. Scorifya reads those records passively from public DNS.
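The record checks behind that passive read, as an added example that is not Scorifya's code: parsers for an SPF and a DMARC TXT record that flag the gaps a store most often has, a DMARC policy still at `p=none` (the "Example B" finding above), an SPF record that ends in `+all`, missing aggregate-report addresses, and a record that exceeds the 10-lookup limit. The records are constructed for a hypothetical sending domain; a live checker would fetch the TXT records for `shop.example` and `_dmarc.shop.example` from public DNS.

```python
"""Added example (not Scorifya's code): evaluate SPF and DMARC TXT records the
way a passive DNS check would, on constructed records instead of live lookups."""
import re

# Constructed records for a hypothetical sending domain (hostnames assumed).
SPF_OK = "v=spf1 include:_spf.mail-provider.example ip4:203.0.113.10 ~all"
SPF_OPEN = "v=spf1 include:_spf.mail-provider.example +all"
DMARC_MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc@shop.example"
DMARC_ENFORCED = "v=DMARC1; p=quarantine; pct=100; rua=mailto:dmarc@shop.example; adkim=s; aspf=s"

# SPF mechanisms and modifiers that each cost a DNS lookup (RFC 7208 caps these at 10).
LOOKUP_TERMS = ("include", "a", "mx", "ptr", "exists", "redirect")


def check_spf(record):
    """Return findings for an SPF record; an empty list means it is sane.
    Only direct lookups are counted, so nested includes are not resolved here."""
    if record is None or not record.lower().startswith("v=spf1"):
        return ["spf missing"]
    findings = []
    terms = record.split()[1:]
    all_term = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        findings.append("spf has no all mechanism")
    elif all_term in ("all", "+all"):
        findings.append("spf +all lets anyone send")
    elif all_term == "?all":
        findings.append("spf ?all is neutral")
    lookups = sum(
        1 for t in terms
        if re.split(r"[:=/]", t.lstrip("+-~?"), 1)[0].lower() in LOOKUP_TERMS
    )
    if lookups > 10:
        findings.append("spf exceeds 10 DNS lookups (permerror)")
    return findings


def check_dmarc(record):
    """Return findings for a DMARC record; an empty list means enforcement is on
    and reports have somewhere to go."""
    if record is None or not record.lower().startswith("v=dmarc1"):
        return ["dmarc missing"]
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    findings = []
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("dmarc p=none: monitoring only, spoofing not blocked")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"dmarc policy invalid: {policy!r}")
    if "rua" not in tags:
        findings.append("dmarc has no rua: aggregate reports go nowhere")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"dmarc pct={pct}: policy only partially applied")
    return findings


if __name__ == "__main__":
    print("spf:", check_spf(SPF_OK), check_spf(SPF_OPEN))
    print("dmarc:", check_dmarc(DMARC_MONITOR_ONLY), check_dmarc(DMARC_ENFORCED))
```

Move from `p=none` to `p=quarantine` only after the aggregate reports show every legitimate sender (the store itself, the marketing platform, the transactional relay) aligned on SPF or DKIM; otherwise the enforcement step is what starts bouncing your own order confirmations.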
For weights and penalties behind each category, see How Scorifya works.
Background explainers for what this tool checks.
PrestaShop has an active security process, and a current, well-configured store can be very secure. Because it is self-hosted, though, security depends heavily on the merchant: applying core and module updates on time, configuring TLS and security headers, protecting the back-office, and hardening the server. Stores that fall behind on updates are the ones that get hit.
The recurring findings are: out-of-date core or vulnerable modules, no Content-Security-Policy (a real risk for payment skimming), absent HSTS and other security headers, a back-office left on a guessable path, exposed version or install files, and incomplete SPF or DMARC on the sending domain. Most are configuration and maintenance gaps.
Not fully. PrestaShop serves HTTPS once TLS is configured and can force SSL, but the full browser security-header baseline (HSTS, CSP, X-Frame-Options, and the rest) is added at the web server or a reverse proxy. Those headers need to be enabled deliberately.
Paste your storefront URL above. Scorifya checks TLS, security headers, email DNS (SPF, DMARC, MX), cookie attributes, and exposure cues, all passively, then returns a 0 to 100 score with the specific fixes. It does not log into the back-office or run exploits; it reports what a browser and public DNS reveal, which is where most quick wins on a store live.
No. Only the public storefront URL is requested. Anything behind the back-office login or a customer account stays invisible to these passive checks, so it is safe to run against a live store.
More detail on limits and billing: FAQ.
TLS, HTTPS & redirects
Valid certificates, modern TLS, and clean HTTP→HTTPS upgrades. We also probe whether legacy TLS 1.0/1.1 are still accepted.
Security headers
CSP, HSTS, and related headers reduce common browser-side attack surfaces and clickjacking risk.
DNS & email (passive)
SPF, DMARC, a few DKIM selectors, MX, and whether common subdomains resolve publicly—without port scanning.
Hygiene signals
Verbose server banners and risky defaults can raise your attack surface and erode trust.
Not a vulnerability scan
Scorifya checks public configuration signals; it does not attempt exploitation, port scans, or authenticated crawling.
If you're iterating on config or deploying changes, you'll likely run multiple checks as you tighten things up. When you're ready, Scorifya Pro removes scan limits and unlocks JSON/CSV/PDF exports.