Security checks
Security checks, explained in plain language
Each explainer covers one external security signal WebGuard reviews on a public website: what it is, why it matters, and how it is checked. Everything here is read-only and limited to domains you verify. For the high-level overview, see what we check.
TLS & certificates
TLS Certificate Expiry & Validity
Why an expiring or invalid TLS certificate breaks trust in your site, and how WebGuard tracks the renewal window before it lapses.
HTTPS Enforcement (no plain-HTTP delivery)
Why a public site still reachable over plain HTTP exposes visitors before HSTS can help, and how WebGuard flags it.
Legacy TLS Protocols & Weak Ciphers
Why still accepting old TLS versions or weak ciphers undermines your encryption, and how WebGuard reports them.
HTTP security headers
HTTP Strict Transport Security (HSTS)
What the Strict-Transport-Security header does, why a missing HSTS policy leaves visitors exposed to downgrade attacks, and how WebGuard reports it.
Content-Security-Policy (CSP)
Why a Content-Security-Policy is the strongest browser-side defense against cross-site scripting, and how WebGuard flags a missing or weak one.
X-Frame-Options & Clickjacking Protection
How the X-Frame-Options header (and CSP frame-ancestors) stops other sites from framing your pages, and how WebGuard checks for clickjacking protection.
X-Content-Type-Options (nosniff)
What X-Content-Type-Options: nosniff prevents, and how WebGuard flags a missing or invalid value.
Referrer-Policy
How Referrer-Policy limits the URL data leaked when visitors click away, and how WebGuard flags a missing policy.
Permissions-Policy
How Permissions-Policy restricts which browser features your pages can use, and how WebGuard flags a missing policy.
Server Banner & Technology Disclosure
Why Server and X-Powered-By headers that reveal software versions hand attackers a head start, and how WebGuard flags them.
DNS & email authentication
SPF (Sender Policy Framework)
What an SPF record does, why a missing or weak policy makes your domain easy to spoof in email, and how WebGuard reviews it.
DKIM (DomainKeys Identified Mail)
What DKIM signing does, why it lets recipients verify your email wasn't tampered with, and how WebGuard reviews your published key.
DMARC (Domain-based Message Authentication)
What a DMARC policy does, why `p=none` leaves your domain unprotected from spoofing, and how WebGuard reviews your record.
CAA (Certificate Authority Authorization)
What a CAA record does, why it limits who can issue certificates for your domain, and how WebGuard reviews it.