What we check
What HasafSec WebGuard checks
WebGuard reviews the externally visible security signals on a public website: how it presents TLS, which protective headers it sends, how its DNS and email authentication are configured, and whether templated checks surface known, observable issues. Everything here is read-only and limited to the domains you verify.
Transport security
TLS & certificates
WebGuard inspects the certificate served on your public endpoints and how the TLS connection is presented to a visitor's browser.
- Certificate validity and the renewal window before expiry
- Hostname and chain presentation as a browser would see it
- Whether secure delivery is consistently available on the domain you submit
Why it matters: A lapsed or misconfigured certificate interrupts secure access and triggers browser trust warnings, one of the fastest ways a public site loses customer confidence.
Browser-side controls
HTTP security headers
Response headers tell the browser how to constrain framing, scripting, and transport. WebGuard reports which protective headers are present, missing, or weak.
- Transport and framing headers such as HSTS and X-Frame-Options
- Content and scripting controls such as Content-Security-Policy
- Supporting headers like X-Content-Type-Options and Referrer-Policy
Why it matters: Missing headers quietly remove protections the browser could otherwise enforce against clickjacking and script abuse. See the deeper walkthrough in our security headers guide.
Domain & email trust
DNS & email authentication
WebGuard reviews the DNS records that anchor domain and email trust, surfacing stale or misconfigured entries.
- Email authentication records: SPF, DKIM, and DMARC
- Mail routing and certificate-authority authorization: MX and CAA
- Records that point at retired infrastructure or weaken sender trust
Why it matters: Weak SPF, DKIM, or DMARC configuration makes it easier to spoof your domain in email, and stale records leave old dependencies exposed.
Known-issue signatures
Templated vulnerability checks
On top of configuration hygiene, WebGuard runs templated checks for well-known, externally observable issues against the assets you've verified.
- Signature-style checks for common, publicly visible exposures
- Read-only probing, with no exploitation and no intrusive payloads
- Findings tied back to the verified asset and retained in your workspace
Why it matters: Templated checks catch recognizable issues early, before they show up in an incident or a customer security questionnaire.
Where the scope intentionally stops
WebGuard is exposure management for the public assets you own and verify, not broad attack-surface discovery. Being explicit about the edges keeps results honest and keeps assessments authorized.
- Discovery of unknown or shadow assets: WebGuard reviews the domains you verify, not your whole attack surface.
- Authenticated, internal, or network-internal scanning behind a login or VPN.
- Exploitation, intrusive payloads, or anything beyond read-only external observation.
See it on your own domain
Start with a read-only exposure review of a public domain. To keep the record, track changes over time, and run recurring checks, verify ownership and move into a workspace.