Shopify stores
Shopify manages checkout security and PCI compliance on its hosted infrastructure, but the browser security headers your custom storefront domain serves are not set by Shopify by default. HSTS, CSP, and X-Frame-Options have to be added at a CDN or reverse proxy in front of the custom domain; otherwise shoppers' browsers never receive them.
Paste the storefront URL shoppers actually load, whether a custom domain or the myshopify hostname. Scorifya checks TLS/HTTPS behavior, security headers (HSTS, CSP, X-Frame-Options, and more), passive SPF/DMARC/MX signals for your domain, and cookie attributes where they are visible on the response. No Shopify Admin access is needed. Results in under 30 seconds.
This page is written for people searching for "Shopify security check"; it uses the same tool as the homepage, with context for that query.
How we differ from deep TLS graders, browser-focused posture tools, and header-only checkers: read the comparison.
Illustrative snapshots of what a report can look like. Paste your URL above for a live score on your site.
Example A, storefront URL after new apps or theme edits
HTTPS looks healthy, but layered apps or proxies sometimes strip headers or weaken cookie attributes visible on HTML responses.
Cookie SameSite / Secure signals weak
Cart and analytics integrations rely on cookies; their Secure and SameSite flags should match how embedded widgets and the checkout flow actually behave. A cookie without Secure can be sent over http://, while SameSite=Strict can break a legitimate cross-site return to the store, so the right value depends on the flow.
Anti-framing directive missing
Without frame-ancestors or equivalent protections, storefront pages may be embeddable in ways that enable clickjacking-style UI tricks.
Email authentication gaps on marketing domain
SPF alone is common; DMARC at enforcement (p=quarantine or p=reject) tells receivers to act on messages that fail alignment, which reduces spoofed mail impersonating your brand when you send from the same domain.
Example B, stronger header baseline on the same origin
TLS, redirects, and browser-side headers line up for typical shopping traffic; remaining notes are usually email DNS polish or niche subdomains.
CSP could tighten third-party script allowances
A policy exists but still allows broad sources such as a bare https: scheme, wildcards, or 'unsafe-inline'. Tighten it as you retire legacy marketing pixels.
Optional HSTS preload eligibility
Preload is a commitment that every subdomain serves HTTPS-only; many stores skip it until DNS and assets are fully consistent.
Add HSTS via a CDN in front of your custom domain
Shopify does not send Strict-Transport-Security on custom domains by default. Route traffic through Cloudflare or another CDN and inject the header there. A one-year max-age with includeSubDomains is a solid starting point, but includeSubDomains only helps if every subdomain already serves HTTPS, so check mail, preview, and app subdomains before adding it.
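To show what "a one-year max-age with includeSubDomains" means to a checker, and what the optional preload eligibility mentioned above actually requires, here is an added example (not Scorifya's code) that parses a Strict-Transport-Security header and grades it. The sample headers in the test are constructed.

```python
"""Parse and grade a Strict-Transport-Security header as a passive header checker
would: the one-year baseline this page recommends, plus the stricter preload rules.
Added example for this page, not Scorifya's own code; sample headers are constructed."""

ONE_YEAR = 31536000  # seconds; also the minimum max-age the preload list accepts


def parse_hsts(header_value):
    """Return {'max_age': int|None, 'include_subdomains': bool, 'preload': bool}.
    Directive names are case-insensitive and unknown directives are ignored (RFC 6797);
    a missing or non-numeric max-age makes browsers discard the whole header."""
    parsed = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in (header_value or "").split(";"):
        name, _, value = raw.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            parsed["max_age"] = int(value)
        elif name == "includesubdomains":
            parsed["include_subdomains"] = True
        elif name == "preload":
            parsed["preload"] = True
    return parsed


def grade_hsts(header_value):
    """Return (status, notes); status is 'missing', 'weak', 'ok' or 'preload-ready'."""
    if not header_value:
        return "missing", ["no Strict-Transport-Security header; a return visit that starts "
                           "at http:// still makes a cleartext request and relies on the redirect"]
    hsts = parse_hsts(header_value)
    if hsts["max_age"] is None:
        return "missing", ["max-age absent or not a number; browsers ignore the header"]
    if hsts["max_age"] == 0:
        return "missing", ["max-age=0 clears any stored HSTS policy"]
    status, notes = "ok", []
    if hsts["max_age"] < ONE_YEAR:
        status = "weak"
        notes.append("max-age %d s is below the one-year baseline" % hsts["max_age"])
    if not hsts["include_subdomains"]:
        notes.append("includeSubDomains not set; subdomains are not covered by the policy")
    # Preload eligibility: one-year max-age, includeSubDomains and the preload token together.
    if hsts["max_age"] >= ONE_YEAR and hsts["include_subdomains"] and hsts["preload"]:
        status = "preload-ready"
    elif hsts["preload"]:
        notes.append("preload token present but the policy does not meet preload requirements")
    return status, notes


if __name__ == "__main__":
    for value in (None, "max-age=300", "max-age=31536000; includeSubDomains; preload"):
        print(repr(value), "->", grade_hsts(value))
```

A 'weak' grade with a short max-age is the usual state of a header that was added "to test"; the one-year value is what makes the policy survive between visits.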
Inventory your apps before writing a CSP
Shopify stores typically load scripts from Shopify's CDN, Google Fonts, analytics tools, and any apps you've installed. List every source first, then write a CSP at your proxy layer that allows exactly those origins. Ship it as Content-Security-Policy-Report-Only first so you see what would break before the policy blocks anything.
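An added example (not Scorifya's code) of turning that inventory into a policy and checking an existing one against it: it parses a Content-Security-Policy header, flags broad script sources and sources no inventoried origin needs, reports inventoried origins the policy would block, and notes a missing frame-ancestors directive, the anti-framing gap described in the snapshot above. The inventory and the policies in the test are constructed; every hostname except cdn.shopify.com is hypothetical.

```python
"""Parse a Content-Security-Policy header, compare its script allowances with the
origins a storefront actually needs, and flag broad sources and a missing
frame-ancestors directive. Added example for this page, not Scorifya's code. The
inventory and policies are constructed; hostnames other than cdn.shopify.com are hypothetical."""

from urllib.parse import urlsplit

# Constructed inventory: script origins found by listing the theme, apps, fonts and analytics.
NEEDED_SCRIPT_ORIGINS = {
    "https://cdn.shopify.com",
    "https://www.googletagmanager.com",
    "https://fonts.googleapis.com",
}
# Source expressions that allow far more than any inventory needs.
BROAD_SOURCES = {"*", "http:", "https:", "data:", "'unsafe-eval'"}


def parse_csp(header_value):
    """Return {directive: [source, ...]}. Names are case-insensitive and, as in
    browsers, only the first occurrence of a directive counts."""
    policy = {}
    for part in (header_value or "").split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def source_covers(source, origin, own_origin):
    """True if one CSP source expression allows scripts from origin (scheme://host[:port])."""
    if source == "*":
        return True
    if source in ("http:", "https:"):
        return origin.startswith(source + "//")
    if source == "'self'":
        return origin == own_origin
    if source.startswith("'"):  # nonces, hashes and other keywords never name a remote host
        return False
    scheme, sep, rest = source.partition("://")
    src_scheme, src_host = (scheme.lower(), rest) if sep else (None, source)
    src_host = src_host.split("/", 1)[0].lower()  # drop any path part
    parsed = urlsplit(origin)
    if src_scheme and src_scheme != parsed.scheme:
        return False
    host = parsed.netloc.lower()
    if src_host.startswith("*."):  # *.example.com matches a.example.com, not example.com
        return host.endswith(src_host[1:])
    return host == src_host


def review_csp(header_value, own_origin, needed=NEEDED_SCRIPT_ORIGINS):
    """Return a list of (code, detail) findings for the policy's script allowances."""
    if not header_value:
        return [("no-policy", "no Content-Security-Policy header")]
    policy = parse_csp(header_value)
    sources = policy.get("script-src", policy.get("default-src"))  # script-src falls back to default-src
    findings = []
    if sources is None:
        findings.append(("no-script-src", "neither script-src nor default-src set; any origin may supply scripts"))
        sources = []
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources)
    for s in sources:
        if s in BROAD_SOURCES:
            findings.append(("broad-source", "%s allows scripts from far more than the inventory" % s))
        elif s == "'unsafe-inline'" and not has_nonce_or_hash:
            findings.append(("unsafe-inline", "'unsafe-inline' without a nonce or hash defeats XSS protection"))
        elif not s.startswith("'") and not any(source_covers(s, o, own_origin) for o in needed):
            findings.append(("unneeded-source", "%s matches nothing in the inventory; candidate to remove" % s))
    for origin in sorted(needed):
        if not any(source_covers(s, origin, own_origin) for s in sources):
            findings.append(("missing-origin", "%s is needed but not allowed; its scripts would be blocked" % origin))
    if "frame-ancestors" not in policy:
        findings.append(("no-frame-ancestors", "frame-ancestors missing; add it (and X-Frame-Options) so the page cannot be framed"))
    return findings


def build_csp(needed=NEEDED_SCRIPT_ORIGINS):
    """Starting policy that allows exactly the inventoried script origins and no framing by other sites."""
    return "default-src 'self'; script-src 'self' %s; frame-ancestors 'self'" % " ".join(sorted(needed))


if __name__ == "__main__":
    print(build_csp())
    for finding in review_csp("script-src 'self' https: 'unsafe-inline'", "https://shop.example.com"):
        print(*finding)
```

The review treats a bare https: scheme as broad even though it "works", because it is exactly the allowance that lets a retired pixel's host, or an attacker-controlled one, keep serving scripts.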
Set up SPF and DMARC before you send any marketing email
If your Shopify domain also sends transactional or marketing email, publish SPF and DMARC records. With no DMARC policy, receivers have no instruction to reject mail that fails SPF and DKIM alignment, so anyone can put your domain in the From header, which is especially risky for a brand shoppers trust.
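An added example (not Scorifya's code) of what a passive SPF/DMARC check evaluates once it has the TXT records: it performs no DNS lookups itself, takes the record strings as input, and reports the gaps this page and the snapshot above describe (SPF missing or ending in +all, too many lookup mechanisms, DMARC missing or still at p=none). All records, domains and include targets are constructed.

```python
"""Evaluate SPF and DMARC TXT records the way a passive DNS check would: no
lookups are performed, the records are passed in as strings. Added example for
this page, not Scorifya's code; all records, domains and include targets are constructed."""

LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists", "redirect")
MAX_SPF_LOOKUPS = 10  # RFC 7208 section 4.6.4: more than 10 DNS lookups is a permerror


def parse_spf(txt):
    """Return {'terms', 'all' (qualifier or None), 'lookups'} for a v=spf1 record, else None."""
    terms = (txt or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return None
    all_qualifier, lookups = None, 0
    for term in terms[1:]:
        qualifier = term[0] if term[0] in "+-~?" else "+"  # '+' (pass) is the default qualifier
        body = term.lstrip("+-~?")
        name = body.split(":", 1)[0].split("=", 1)[0].split("/", 1)[0].lower()
        if name == "all":
            all_qualifier = qualifier
        elif name in LOOKUP_MECHANISMS:
            lookups += 1
    return {"terms": terms[1:], "all": all_qualifier, "lookups": lookups}


def parse_dmarc(txt):
    """Return the tag=value pairs of a v=DMARC1 record as a dict, or None if it is not one."""
    tags = {}
    for part in (txt or "").split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            tags[name.strip().lower()] = value.strip()
    return tags if tags.get("v", "").upper() == "DMARC1" else None


def review_email_auth(spf_txt, dmarc_txt):
    """Return a list of (code, detail) findings for one sending domain."""
    findings = []
    spf = parse_spf(spf_txt)
    if spf is None:
        findings.append(("spf-missing", "no v=spf1 record; receivers cannot verify sending hosts"))
    else:
        if spf["all"] in (None, "?"):
            findings.append(("spf-neutral", "record does not end in -all or ~all; unlisted hosts are not failed"))
        elif spf["all"] == "+":
            findings.append(("spf-pass-all", "+all authorises every host on the internet to send as this domain"))
        if spf["lookups"] > MAX_SPF_LOOKUPS:
            findings.append(("spf-too-many-lookups", "%d lookup mechanisms exceed the limit of %d; SPF evaluates to permerror"
                             % (spf["lookups"], MAX_SPF_LOOKUPS)))
    dmarc = parse_dmarc(dmarc_txt)
    if dmarc is None:
        findings.append(("dmarc-missing", "no v=DMARC1 record; receivers get no policy for mail that fails alignment"))
    else:
        policy = dmarc.get("p", "").lower()
        if policy not in ("none", "quarantine", "reject"):
            findings.append(("dmarc-invalid", "p tag missing or invalid; receivers ignore the record"))
        elif policy == "none":
            findings.append(("dmarc-monitor-only", "p=none only reports; spoofed mail is still delivered"))
        if policy in ("quarantine", "reject") and dmarc.get("pct", "100") != "100":
            findings.append(("dmarc-partial", "pct=%s applies the policy to only part of failing mail" % dmarc["pct"]))
        if policy != "none" and dmarc.get("sp", policy).lower() == "none":
            findings.append(("dmarc-subdomains-open", "sp=none leaves subdomains unenforced"))
        if "rua" not in dmarc:
            findings.append(("dmarc-no-reports", "no rua address; you will not see who is spoofing the domain"))
    return findings


# Constructed records for a hypothetical store domain.
SPF_SOFTFAIL = "v=spf1 include:_spf.storeplatform.example include:_spf.mailprovider.example ~all"
DMARC_MONITOR = "v=DMARC1; p=none; rua=mailto:dmarc@shop.example.com"
DMARC_ENFORCED = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@shop.example.com"

if __name__ == "__main__":
    for finding in review_email_auth(SPF_SOFTFAIL, DMARC_MONITOR):
        print(*finding)
```

Moving from DMARC_MONITOR to DMARC_ENFORCED is the step the snapshot calls "DMARC at enforcement"; the rua address is what lets you confirm your own sending paths align before you make that move.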
Scan your custom domain, not the myshopify.com hostname
Your own certificate, DNS records, and any CDN-injected headers exist only on the production custom domain. The myshopify.com hostname and preview subdomains reflect Shopify's defaults, not your edge configuration.
Re-scan after every app install or CDN change
Shopify apps add scripts and app embeds to the storefront, which changes what a CSP must allow and which cookies are set, and CDN rule or DNS changes alter the headers and records themselves. Run a new scan after any app install, CDN rule update, or DNS change to confirm nothing regressed.
For weights and penalties behind each category, see How Scorifya works.
Shopify's hosted checkout and payment infrastructure are highly secure and PCI-compliant. However, browser security headers your custom storefront domain serves, such as HSTS, CSP, and X-Frame-Options, are not managed by Shopify by default. These must be added at a CDN or reverse proxy in front of your custom domain. A Shopify store can be made secure, but it requires configuration beyond what the platform provides out of the box.
Not natively on custom domains. Shopify serves HTTPS but does not send a Strict-Transport-Security header on your storefront by default. To add HSTS you need to front your custom domain with a CDN such as Cloudflare and inject the header there. Without it, a return visitor who starts at http:// still makes a cleartext request and depends on the redirect, which is the window SSL-stripping attacks use.
Shopify does not expose a way to set arbitrary response headers from the admin. The most reliable approach is to proxy the store through a CDN that adds the CSP header. A meta http-equiv Content-Security-Policy tag in the theme can carry most directives, but meta CSP cannot set frame-ancestors, so anti-framing still needs a real header. Note that Shopify apps and themes load third-party scripts, so your policy needs to allow those sources.
The most common findings are: missing HSTS on the custom domain, no Content-Security-Policy, absent X-Frame-Options (clickjacking risk), incomplete SPF/DMARC for the marketing sender domain, and weak cookie attributes on analytics or cart cookies. These are edge-layer gaps, not Shopify platform vulnerabilities. They're fixable with a CDN in front of the store.
No. Scorifya reads only the public storefront response for the URL you enter. Admin policies remain outside this passive view.
No. Checkout runs on Shopify's hosted infrastructure and is covered by Shopify's own compliance programs. This scan reflects TLS, headers, DNS/email hints, and hygiene on the pasted storefront URL only.
Scan whichever hostname shoppers actually load. TLS certificates, redirects, and DNS records differ between hostnames even when the content is identical.
More detail on limits and billing: FAQ.
TLS, HTTPS & redirects
Valid certificates, modern TLS, and clean HTTP→HTTPS upgrades. We also probe whether legacy TLS 1.0/1.1 are still accepted.
Security headers
CSP, HSTS, and related headers reduce common browser-side attack surfaces and clickjacking risk.
DNS & email (passive)
SPF, DMARC, a few DKIM selectors, MX, and whether common subdomains resolve publicly, without port scanning.
Hygiene signals
Verbose server banners and risky defaults can raise your attack surface and erode trust.
Not a vulnerability scan
Scorifya checks public configuration signals; it does not attempt exploitation, port scans, or authenticated crawling.
If you're iterating on config or deploying changes, you'll likely run multiple checks as you tighten things up. When you're ready, Scorifya Pro removes scan limits and unlocks JSON/CSV/PDF exports.