Website Security Scorecard
Check your website's security posture in under 3 minutes. Answer 20 questions about headers, access, backups, and software. Get a scored report.
Website Security Scorecard
Adjust the inputs — your estimate updates live.
Answer each question honestly for an accurate score. This is a self-assessment — no scan is performed.
🔒 Runs entirely in your browser — your data never leaves this tab.
How this estimate works
This scorecard assesses your website's security posture across four categories: HTTPS and security headers, access control, software currency, and data protection. It is a self-assessment — no scan is performed against your site. The score reflects how well you have implemented the baseline controls that defend against the most common web attacks (XSS, CSRF, credential stuffing, SQL injection, and ransomware via outdated software).
Why these controls matter
HTTPS and headers defend against man-in-the-middle attacks, clickjacking, and cross-site scripting. Access control prevents unauthorised access to admin panels, which is the attack vector in the majority of CMS compromises. Software updates close known CVEs — over 60% of breaches involve exploiting a known, patchable vulnerability. Backups and data hygiene limit the impact of a successful attack and determine whether ransomware results in data loss or a manageable incident.
What this scorecard does not cover
This is a baseline hygiene assessment, not a comprehensive security audit. It does not cover: penetration testing findings, application-layer vulnerabilities in custom code (IDOR, business logic flaws), supply chain risks, staff phishing susceptibility, or infrastructure-level configuration. For a comprehensive assessment, a professional penetration test or security audit is required.
A note on technical implementation: a live header scanner cannot be built into this static page due to browser CORS restrictions — cross-origin HTTP requests are blocked. The tool is structured as a self-assessment for this reason. ruxox can run a server-side technical audit as part of an engagement.
Frequently asked questions
Want a professional security review?
ruxox offers security header audits, access control review, and penetration test scoping for web products. Free consultation.