ruxox
Start
Start
Calculators

Website Security Scorecard

Check your website's security posture in under 3 minutes. Answer 20 questions about headers, access, backups, and software. Get a scored report.

Website Security Scorecard

Adjust the inputs — your estimate updates live.

Answer each question honestly for an accurate score. This is a self-assessment — no scan is performed.

HTTPS & Headers
Access Control
Software & Updates
Data & Backups

🔒 Runs entirely in your browser — your data never leaves this tab.

About this tool

How this estimate works

This scorecard assesses your website's security posture across four categories: HTTPS and security headers, access control, software currency, and data protection. It is a self-assessment — no scan is performed against your site. The score reflects how well you have implemented the baseline controls that defend against the most common web attacks (XSS, CSRF, credential stuffing, SQL injection, and ransomware via outdated software).

Why these controls matter

HTTPS and headers defend against man-in-the-middle attacks, clickjacking, and cross-site scripting. Access control prevents unauthorised access to admin panels, which is the attack vector in the majority of CMS compromises. Software updates close known CVEs — over 60% of breaches involve exploiting a known, patchable vulnerability. Backups and data hygiene limit the impact of a successful attack and determine whether ransomware results in data loss or a manageable incident.

What this scorecard does not cover

This is a baseline hygiene assessment, not a comprehensive security audit. It does not cover: penetration testing findings, application-layer vulnerabilities in custom code (IDOR, business logic flaws), supply chain risks, staff phishing susceptibility, or infrastructure-level configuration. For a comprehensive assessment, a professional penetration test or security audit is required.

A note on technical implementation: a live header scanner cannot be built into this static page due to browser CORS restrictions — cross-origin HTTP requests are blocked. The tool is structured as a self-assessment for this reason. ruxox can run a server-side technical audit as part of an engagement.

FAQ

Frequently asked questions

What is a CSP (Content-Security-Policy) header?
A Content-Security-Policy header is an HTTP response header that tells the browser which domains it is allowed to load resources (scripts, styles, images, fonts) from for your page. A strict CSP prevents cross-site scripting (XSS) attacks from injecting malicious scripts, even if an attacker manages to inject code into your HTML. It is one of the most powerful but also most complex security headers to configure correctly.
What is HSTS?
HSTS (HTTP Strict Transport Security) is an HTTP header that tells browsers to only connect to your domain over HTTPS — never HTTP — for a specified period (usually 1 year). Once a browser has seen the HSTS header, it will refuse to connect over HTTP even if the user types http:// or follows an HTTP link. This prevents SSL stripping attacks and protocol downgrade attacks.
Should I be worried if my score is below 65%?
Yes — a score below 65% means several high-impact security controls are missing. The most dangerous missing controls are HTTPS, 2FA on admin accounts, outdated software with known CVEs, and no backup testing. These are exploited frequently and by automated scanners that continuously probe the web for vulnerable sites. Prioritise these before adding new features.
Can ruxox fix the gaps identified in this scorecard?
Yes — ruxox provides security hardening engagements covering header configuration, access control review, dependency auditing, and backup setup. For more comprehensive needs, we scope penetration testing and ongoing monitoring. Use the contact form or email app@ruxox.com with your score breakdown for a free consultation.
Cybersecurity

Want a professional security review?

ruxox offers security header audits, access control review, and penetration test scoping for web products. Free consultation.