[{"data":1,"prerenderedAt":231},["ShallowReactive",2],{"seo-features/security-exposure-monitoring":3},{"slug":4,"kind":5,"archetype":6,"cluster":7,"navGroup":8,"navLabel":9,"meta":10,"breadcrumbs":14,"hero":22,"sections":63},"features/security-exposure-monitoring","spoke","capability","features","monitoring","Exposure & Email Trust",{"title":11,"description":12,"canonicalPath":13},"Exposed Files & Email Spoofing Monitoring","Find publicly downloadable .env, .git, and backup files, forgotten staging sites, and a spoofable domain (SPF/DMARC/DKIM) — the exposures uptime monitors never check. Free scan.","/features/security-exposure-monitoring",[15,18,21],{"label":16,"href":17},"Home","/",{"label":19,"href":20},"Features","/features",{"label":9,"href":13},{"eyebrow":23,"headline":24,"intentStatement":25,"bullets":26,"primaryCta":39,"secondaryCta":42,"proofPanel":45},"Security & exposure","Your Site Returns 200 OK. Your .env File Is Public.","A 200 OK says nothing about whether your .env file is public or your domain can be spoofed. Sitewatch checks the exposures attackers look for first — publicly downloadable secrets, forgotten staging sites, and missing email authentication — and re-checks on a schedule once you turn the scan into monitoring, so a hole that opens after a deploy still gets caught.",[27,30,33,36],{"icon":28,"text":29},"heroicons:lock-open","Finds publicly downloadable .env, .git, and config backups",{"icon":31,"text":32},"heroicons:server-stack","Flags forgotten live staging sites serving your real app",{"icon":34,"text":35},"heroicons:envelope","Checks SPF, DMARC, and DKIM — tells you if your domain is spoofable",{"icon":37,"text":38},"heroicons:arrow-path","Monitoring re-checks every site — a hole that reopens after a deploy is caught",{"label":40,"href":41},"Scan my site free","#scan",{"label":43,"href":44},"Start continuous monitoring","https://app.getsitewatch.com",{"type":46,"reportTitle":47,"severity":48,"findings":49,"generatedAt":62},"report","Exposure scan · example result","incident",[50,53,55,57,59],{"label":51,"status":52},"GET /.env → 200 OK (downloadable)","fail",{"label":54,"status":52},"/.git/config exposed",{"label":56,"status":52},"DMARC record: not found",{"label":58,"status":52},"staging.yoursite.com is indexable",{"label":60,"status":61},"Secrets masked in your report","info","What a 200 OK hides",[64,70,91,113,141,163,170,194,225],{"id":65,"tocLabel":66,"type":67,"heading":68,"subheading":69},"scan","Scan your site","scan-embed","Scan your site for exposures — free","Enter a URL and we check for publicly downloadable files, indexable staging, and a spoofable domain. Results in under a minute, no signup. Any secret we find is masked in the report.",{"id":71,"tocLabel":72,"type":73,"eyebrow":74,"heading":75,"items":76},"exposures","What it finds","failure-modes-grid","The exposures uptime monitors miss","If we can find it, so can anyone.",[77,81,84,87],{"icon":28,"title":78,"description":79,"severity":80},"Exposed secrets & source code","A publicly downloadable .env, an exposed .git folder, a database or config backup, a stray .DS_Store — each one hands an attacker credentials or your source. Present-tense, not a theoretical risk: if the scan reached it, so can anyone.","critical",{"icon":31,"title":82,"description":83,"severity":80},"Forgotten live staging","A dev or staging subdomain serving your real app, indexable by Google. It can leak unreleased work, expose data behind weaker auth, and outrank production in search.",{"icon":34,"title":85,"description":86,"severity":80},"A spoofable domain","Missing SPF, a DMARC policy of p=none, or a DKIM key that vanished — any of these lets someone send phishing email as your domain today. We tell you which, and the exact record to publish.",{"icon":37,"title":88,"description":89,"severity":90},"A hole that reopens","A leak you fixed comes back after a deploy, or a protective DNS record gets dropped. Because we re-check on a schedule, the regression is caught the next time it happens — not months later.","moderate",{"id":92,"tocLabel":93,"type":94,"eyebrow":95,"heading":96,"bgVariant":97,"steps":98},"how-it-works","How it works","how-it-works-stepper","Free to find, paid to watch","Find it once, then never stop watching","muted",[99,104,109],{"number":100,"icon":101,"title":102,"description":103},"01","heroicons:magnifying-glass","Scan finds what's exposed now","The free scan reads only what's already publicly reachable — the same paths any visitor or search engine can request — and reports what it found, present-tense.",{"number":105,"icon":106,"title":107,"description":108},"02","heroicons:shield-check","Responsible by design","We check a fixed list of known paths. No fuzzing, no brute-forcing, no guessing — and any secret we surface is masked in the report.",{"number":110,"icon":37,"title":111,"description":112},"03","Monitoring catches the regression","Turn it into continuous monitoring and Sitewatch re-checks on a schedule and after every deploy — so a leak that comes back, or a DMARC record that gets dropped, is caught the next time it happens.",{"id":114,"tocLabel":115,"type":116,"eyebrow":117,"heading":118,"withoutLabel":119,"withLabel":120,"rows":121},"vs","Beyond uptime","comparison-table","Why uptime tools miss this","An exposed .env returns 200 like any other URL","Uptime monitors","Sitewatch",[122,126,130,133,137],{"label":123,"withoutValue":124,"withValue":125},"Exposed .env / .git / backups","Not checked — a 200 looks healthy","Detected, with the exact path",{"label":127,"withoutValue":128,"withValue":129},"Indexable live staging","Not checked","Flagged before it outranks production",{"label":131,"withoutValue":128,"withValue":132},"Email spoofability (SPF/DMARC/DKIM)","Checked, with the record to publish",{"label":134,"withoutValue":135,"withValue":136},"Continuous re-checking","Re-checks uptime, not exposures","Re-checks exposures on a schedule and after deploys",{"label":138,"withoutValue":139,"withValue":140},"Alerts when a hole reopens","No","Yes — drift detection with evidence",{"id":142,"tocLabel":143,"type":144,"eyebrow":145,"heading":146,"groups":147},"what-we-check","What we check","detection-list-grouped","Two layers, checked together","Exactly what Sitewatch inspects",[148,156],{"groupLabel":149,"icon":28,"items":150},"Exposed surface",[151,152,153,154,155],"Environment files — /.env and common variants holding secrets and API keys","Version control — exposed /.git internals that reconstruct your source","Backups — publicly reachable database and config backup files","Stray files — .DS_Store and other artifacts that map your directory structure","Live staging — dev/staging environments that are reachable and search-indexable",{"groupLabel":157,"icon":34,"items":158},"Email authentication (anti-spoofing)",[159,160,161,162],"SPF — present and valid, so receivers can verify who may send for you","DMARC — published and enforcing (not left at p=none, which protects nothing)","DKIM — signing key present, and flagged if it later disappears","The fix — the exact record to publish, in plain language, for each gap found",{"id":164,"tocLabel":165,"type":166,"eyebrow":167,"heading":168,"html":169},"guide","The detail","prose","Why this matters","Exposed files and email spoofing, explained","\n\u003Cp>\u003Cstrong>Most monitoring tells you a site is up. It can be up and still be leaking.\u003C/strong> A web server returns a \u003Ccode>200 OK\u003C/code> for a public \u003Ccode>/.env\u003C/code> file exactly as it does for your homepage — so an uptime monitor, which only reads the status code, has no idea anything is wrong. The file is there for anyone who requests the URL.\u003C/p>\n\n\u003Ch3>Exposed files and forgotten staging\u003C/h3>\n\u003Cp>The exposures attackers probe for first are mundane: an \u003Ccode>.env\u003C/code> file with database credentials and API keys, an exposed \u003Ccode>/.git\u003C/code> directory that lets someone reconstruct your source, a \u003Ccode>database.sql\u003C/code> backup left in the web root, or a staging subdomain that was never locked down and is now indexed by Google. None of these throw an error. Sitewatch checks a fixed allowlist of these known-risky paths on every scan, reports the ones that are publicly reachable, and masks any secret it surfaces. Pair it with \u003Ca href=\"/features/security-monitoring\">security header monitoring\u003C/a> and \u003Ca href=\"/features/ssl-certificate-monitoring\">SSL monitoring\u003C/a> for the full external-security picture.\u003C/p>\n\n\u003Ch3>Can someone send email as your domain?\u003C/h3>\n\u003Cp>If your domain has no SPF record, a DMARC policy set to \u003Ccode>p=none\u003C/code>, or a missing DKIM key, anyone can send phishing email that appears to come from you — and your clients' inboxes are the ones that receive it. Sitewatch reads all three records, tells you in plain language whether your domain is spoofable, and gives you the exact record to publish to close the gap. Because it re-checks continuously, it also catches the case that one-off checkers can't: a protective record that quietly disappears after a DNS change.\u003C/p>\n\n\u003Ch3>How this compares to security scanners and one-off checkers\u003C/h3>\n\u003Cp>Dedicated tools exist for parts of this. One-off web checkers like MXToolbox or Hardenize will tell you your SPF/DMARC status at a single moment, but they don't monitor it or alert you when it degrades. Enterprise scanners like Detectify do look for exposed \u003Ccode>.env\u003C/code> and \u003Ccode>.git\u003C/code> files — but at roughly ten times the price, point-in-time, with enterprise onboarding, and not built for an agency watching many client sites. Sitewatch's angle is the combination: continuous, alerting, affordable, and agency-shaped — the exposure and email-trust checks bundled into the same monitoring that watches whether your pages work. Run the \u003Ca href=\"/free-website-scan\">free scan\u003C/a> to see what's exposed right now.\u003C/p>\n",{"id":171,"tocLabel":172,"type":173,"heading":174,"items":175},"faq","FAQ","faq-accordion","Exposure & email trust FAQ",[176,179,182,185,188,191],{"question":177,"answer":178},"Can someone send email as my domain?","If your domain is missing an SPF record, has a DMARC policy of p=none, or has lost its DKIM key, then yes — someone can send phishing email that appears to come from your domain. Sitewatch checks all three records and tells you whether your domain is spoofable, plus the exact record to publish to stop it. Run the free scan to find out in under a minute.",{"question":180,"answer":181},"What is an exposed .env file and why is it dangerous?","A .env file holds environment variables — often database passwords, API keys, and secret tokens. It's meant to stay on the server, never served to the public. When it's left in the web root, anyone who requests yoursite.com/.env can download it and read your credentials. The server returns a normal 200 OK, so uptime monitors never flag it. Sitewatch checks for it directly.",{"question":183,"answer":184},"Is it safe to run the scan on my site?","Yes. The scan only requests paths that are already publicly reachable — the same things any visitor or search engine can request. It checks a fixed list of known-risky paths, never fuzzes or brute-forces, and masks any secret it finds in the report. It's a read-only external check with no impact on your site.",{"question":186,"answer":187},"How is this different from my uptime monitor?","An uptime monitor reads your server's status code. A public .env file, an exposed .git folder, and an indexable staging site all return 200 OK — so uptime monitoring reports them as healthy. Sitewatch checks the content and configuration behind the status code, which is the only way these exposures surface.",{"question":189,"answer":190},"How is this different from a security scanner like Detectify?","Enterprise scanners like Detectify do detect exposed .env and .git files, but they're priced for enterprise, run point-in-time, and aren't built around watching many client sites. Sitewatch bundles continuous, alerting exposure and email-trust checks into affordable, agency-shaped monitoring — so it's less a deep one-time pentest and more an always-on watch for the regressions that reopen after a deploy.",{"question":192,"answer":193},"What does the email check actually look at?","It reads your domain's SPF, DMARC, and DKIM DNS records. It flags a missing SPF record, a DMARC policy that isn't enforcing (p=none), and a missing or disappeared DKIM key. For each gap, it gives you the specific record to publish. With continuous monitoring, it also alerts you if one of those protective records is later removed.",{"id":195,"tocLabel":196,"type":197,"eyebrow":198,"heading":199,"links":200},"related","Related","related-links-grid","Explore more","Related monitoring",[201,206,210,215,220],{"label":202,"href":203,"description":204,"icon":205},"Free Website Scan","/free-website-scan","Run a full free scan — exposures, email trust, previews, and conversion paths.","heroicons:bolt",{"label":207,"href":208,"description":209,"icon":106},"Security Monitoring","/features/security-monitoring","Security headers and mixed-content checks on every page.",{"label":211,"href":212,"description":213,"icon":214},"SSL Certificate Monitoring","/features/ssl-certificate-monitoring","Catch an expiring cert or broken chain before visitors do.","heroicons:lock-closed",{"label":216,"href":217,"description":218,"icon":219},"DNS Monitoring","/features/dns-monitoring","Get alerted when MX, CNAME, or other DNS records change unexpectedly.","heroicons:globe-alt",{"label":221,"href":222,"description":223,"icon":224},"For Agencies","/for-agencies","Watch exposure and email trust across every client site.","heroicons:building-office-2",{"id":226,"tocLabel":227,"type":228,"heading":229,"subtext":230,"primaryLabel":40,"primaryHref":41},"cta","Get started","cta-strip","Find out what your site is exposing.","The free scan takes about 30 seconds and needs no account — run it on your own sites or a prospect's to see what's exposed. Turn it into continuous monitoring to catch the holes that reopen.",1782418052941]