Free website security check
A free 0–100 score in seconds, in plain English — with what to fix first. No sign-up, no card.
Scan to reveal your score
Most websites aren’t as secure as they look. See where yours lands.
Trusted to score real sites
Scores sites like Stripe · GitHub · Shopify · Google · GitLab · Etsy · Cloudflare · Notion, and thousands more.
More than a scanner
Start with a free score, watch a site for free, then turn on always-on monitoring when you’re ready. No lock-in at any step.
Get a 0–100 security score for any site in seconds.
Don’t scan once — keep one site monitored, free.
Monitor every domain and catch problems early.
Bring your team into the same security view.
Six common website security risks, why each one matters, and how a Scorifya scan checks your site for them, backed by published research.
In plain terms: is your site served securely, can attackers impersonate your email, and is anything exposed that shouldn’t be? We grade six areas and roll them into one 0–100 score. The technical detail is below if you want it.
Certificate validity and expiry horizon, weak public-key sizes, cipher quality, TLS 1.0/1.1 acceptance, and HTTP→HTTPS redirect coverage.
HSTS (plus live preload-list verification), fine-grained CSP grading (unsafe-inline, unsafe-eval, wildcards, object-src, report-only), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP, CORP, and third-party script SRI coverage.
security.txt (RFC 9116), robots.txt analysis, verbose server banners, directory listings, sensitive path probes, origin-IP exposure behind CDN/WAF, and a passive tech-stack fingerprint.
Secure / HttpOnly / SameSite on session-like cookies when visible in response headers.
SPF, DMARC (with parent-domain heuristic), common DKIM selectors, MX, CAA, MTA-STS, TLS-RPT, BIMI, DNSSEC validation, Certificate Transparency log discovery, and subdomain-takeover detection — no port scan.
Installer and setup-config endpoint exposure, REST user enumeration (/wp-json/wp/v2/users), XML-RPC, and readme.html version disclosure.
Full methodology: How Scorifya works — published category weights, per-finding penalties, and the boundaries of a public scan.
Scorifya Pro · 7-day free trial
A scan tells you where you stand today. Pro keeps watching — so you hear about a dropped score, an expiring certificate, a spoofed sender, or a new blocklisting before your customers do.
Free · no signup
Ten focused tools. Most run the same engine as the full score, narrowed to one question. One adds a passive attack-surface map. Use them à la carte, or run the complete scan above.
Web hardening
Email & domain
All ten live at /tools.
Free · share it
Every scan comes with an embeddable badge that shows your live score and links back. Drop it on your site, docs, or README — good security markets itself.
One line to embed
<a href="https://www.scorifya.com/scan/yourdomain.com">
<img src="https://www.scorifya.com/badge/yourdomain.com.svg"
alt="Website security score" width="200" height="40" />
</a>
Standalone checkers, deploy-ready hardening recipes, and the live KEV vulnerability feed.
How we differ from deep TLS graders, browser-focused posture tools, and header-only checkers: read the comparison.
Jump straight to the most common security questions people Google, with the same scan tool embedded.
New scans, quick security tips, and a weekly leaderboard of real sites. Pick your platform.