What HasafSec WebGuard checks

WebGuard reviews the externally visible security signals on a public website: how it presents TLS, which protective headers it sends, how its DNS and email authentication are configured, and whether templated checks surface known, observable issues. Everything here is read-only and limited to the domains you verify.

Transport security

TLS & certificates

WebGuard inspects the certificate served on your public endpoints and how the TLS connection is presented to a visitor's browser.

  • Certificate validity and the renewal window before expiry
  • Hostname and chain presentation as a browser would see it
  • Whether secure delivery is consistently available on the domain you submit

Why it matters: A lapsed or misconfigured certificate interrupts secure access and triggers browser trust warnings, one of the fastest ways a public site loses customer confidence.

Browser-side controls

HTTP security headers

Response headers tell the browser how to constrain framing, scripting, and transport. WebGuard reports which protective headers are present, missing, or weak.

  • Transport and framing headers such as HSTS and X-Frame-Options
  • Content and scripting controls such as Content-Security-Policy
  • Supporting headers like X-Content-Type-Options and Referrer-Policy

Why it matters: Missing headers quietly remove protections the browser could otherwise enforce against clickjacking and script abuse. See the deeper walkthrough in our security headers guide.

Domain & email trust

DNS & email authentication

WebGuard reviews the DNS records that anchor domain and email trust, surfacing stale or misconfigured entries.

  • Email authentication records: SPF, DKIM, and DMARC
  • Mail routing and certificate-authority authorization: MX and CAA
  • Records that point at retired infrastructure or weaken sender trust

Why it matters: Weak SPF, DKIM, or DMARC configuration makes it easier to spoof your domain in email, and stale records leave old dependencies exposed.

Explainers:SPFDKIMDMARCCAA

Known-issue signatures

Templated vulnerability checks

On top of configuration hygiene, WebGuard runs templated checks for well-known, externally observable issues against the assets you've verified.

  • Signature-style checks for common, publicly visible exposures
  • Read-only probing, with no exploitation and no intrusive payloads
  • Findings tied back to the verified asset and retained in your workspace

Why it matters: Templated checks catch recognizable issues early, before they show up in an incident or a customer security questionnaire.

Where the scope intentionally stops

WebGuard is exposure management for the public assets you own and verify, not broad attack-surface discovery. Being explicit about the edges keeps results honest and keeps assessments authorized.

  • Discovery of unknown or shadow assets: WebGuard reviews the domains you verify, not your whole attack surface.
  • Authenticated, internal, or network-internal scanning behind a login or VPN.
  • Exploitation, intrusive payloads, or anything beyond read-only external observation.

See it on your own domain

Start with a read-only exposure review of a public domain. To keep the record, track changes over time, and run recurring checks, verify ownership and move into a workspace.