Security Headers
Know if your security headers are missing — before attackers do
Missing security headers leave your site exposed to clickjacking, MIME sniffing, and data leakage. Most teams never check. Sitewatch analyzes five critical headers on every scheduled check — no extra configuration and no scanning tools to manage.
- 5 security headers analyzed automatically on every check
- Security contributes 25% of your overall quality score
- Security grade visible on your public status page
Why it matters
Security headers are the cheapest defense you can deploy: one line of configuration that every modern browser enforces, and one that quietly disappears in a CDN migration or server rebuild. Are yours set?
HSTS enforcement
Without Strict-Transport-Security, a user's first plain-HTTP request (a typed domain, an old link) can be intercepted and kept on HTTP. Once a browser has seen the header over HTTPS it refuses to load the site over HTTP at all; only domains on the browser preload list are protected before that first visit. Sitewatch checks that HSTS is present and correctly configured on every check.
Content Security Policy
CSP limits XSS and injection attacks by telling the browser which scripts, styles, and other resources it may load. Sitewatch detects both the enforcing Content-Security-Policy header and Content-Security-Policy-Report-Only, which only reports violations and blocks nothing.
Clickjacking protection
X-Frame-Options stops other sites from embedding your pages in invisible iframes and tricking users into clicks they never intended, from approving a payment to changing account settings. A single missing header can expose your users to clickjacking. Browsers that support CSP give its frame-ancestors directive precedence when both are set, so check which one you actually rely on.
MIME sniffing prevention
X-Content-Type-Options: nosniff stops browsers from second-guessing the declared Content-Type. Without it, an upload served as text or an image can be reinterpreted as script or HTML, a technique attackers use to run malicious content disguised as harmless files.
25% of your quality score
Security headers contribute a full quarter of your overall quality score. Missing headers drag down your grade and signal risk to anyone viewing your status page.
Zero configuration
No agents to install. No scanning tools to configure. Sitewatch reads your response headers on every scheduled check and grades them automatically.
- 5 security headers analyzed
- 25% quality score weight
- Analysis on every check
Header analysis
Five headers. Every check. Fully automatic.
Transport and encryption
- Strict-Transport-Security (HSTS) — makes browsers that have seen it use HTTPS only, defeating SSL-stripping downgrade attacks
- Detects missing or misconfigured max-age directives, including max-age=0, which tells browsers to forget the policy
Content injection defense
- Content-Security-Policy — controls which scripts, styles, and resources browsers are allowed to load
- Content-Security-Policy-Report-Only — detects report-only mode, which reports violations without blocking them, as a transitional step toward full enforcement
Framing and embedding
- X-Frame-Options — prevents your pages from being embedded in iframes on other origins (DENY blocks all framing, SAMEORIGIN allows only your own; CSP's frame-ancestors directive takes precedence where both are present)
- Protects users from clickjacking and UI redress attacks
Response integrity
- X-Content-Type-Options — blocks MIME type sniffing, which can make the browser treat a file served as text or an image as script or HTML
- Referrer-Policy — controls how much URL information is leaked to third-party sites in the Referer header
How it works
From check to security grade in seconds
Scheduled check runs
Sitewatch sends a request to your page on its normal monitoring schedule. No separate security scan — header analysis is built into every check.
Response headers analyzed
The HTTP response headers are evaluated against five security checks: HSTS, CSP, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy.
Security score calculated
Each header contributes to your security score. The security score makes up 25% of your overall quality grade alongside availability, redirects, and asset health.
Grade displayed on status page
Your security grade is visible on your public status page. Missing headers are flagged so you know exactly what to fix and where.
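The four steps above amount to a small, repeatable procedure: take the response headers a browser would see, run the five checks, and turn the result into a score. The script below is an added example of that procedure, not Sitewatch's own scoring code. It follows the page's list of five headers, but the 20-points-per-check scale, the one-year HSTS threshold, the half credit for report-only CSP and weak Referrer-Policy values, and the letter bands are this example's own assumptions, as are the function names (grade_headers, fetch_headers). It goes slightly beyond the text in one place: an enforced CSP frame-ancestors directive is accepted as clickjacking protection alongside X-Frame-Options, because CSP-capable browsers honour it first. The three sample header sets are constructed, not captured from any real site.

```python
"""Security-header grader for one HTTP response.

Added example, not Sitewatch's code: the five checks follow the page's list,
but the point values, thresholds and letter bands are this example's assumptions.
"""
import re
import urllib.request

POINTS = 20          # five checks x 20 points = 0..100 (assumption)
ONE_YEAR = 31536000  # seconds; widely recommended minimum HSTS max-age
SAFE_REFERRER_POLICIES = {"no-referrer", "same-origin", "strict-origin",
                          "strict-origin-when-cross-origin"}

def check_hsts(h):
    value = h.get("strict-transport-security")
    if value is None:
        return 0, "Strict-Transport-Security missing"
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.I)
    if m is None:
        return 0, "HSTS present but has no max-age directive"
    max_age = int(m.group(1))
    if max_age == 0:
        return 0, "HSTS max-age=0 tells browsers to forget the policy"
    if max_age < ONE_YEAR:
        return POINTS // 2, f"HSTS max-age={max_age} is shorter than one year"
    return POINTS, "HSTS enforced with max-age of at least one year"

def check_csp(h):
    if "content-security-policy" in h:
        return POINTS, "Content-Security-Policy enforced"
    if "content-security-policy-report-only" in h:
        return POINTS // 2, "CSP is report-only: violations are reported, not blocked"
    return 0, "Content-Security-Policy missing"

def check_framing(h):
    xfo = h.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return POINTS, f"X-Frame-Options: {xfo}"
    # CSP-capable browsers give frame-ancestors precedence over X-Frame-Options,
    # so an enforced frame-ancestors directive is equivalent protection.
    if re.search(r"\bframe-ancestors\b", h.get("content-security-policy", ""), re.I):
        return POINTS, "clickjacking protection via CSP frame-ancestors"
    return 0, (f"X-Frame-Options '{xfo}' is not DENY or SAMEORIGIN" if xfo
               else "X-Frame-Options missing")

def check_nosniff(h):
    if h.get("x-content-type-options", "").lower() == "nosniff":
        return POINTS, "X-Content-Type-Options: nosniff"
    return 0, "X-Content-Type-Options missing or not 'nosniff'"

def check_referrer(h):
    value = h.get("referrer-policy")
    if value is None:
        return 0, "Referrer-Policy missing"
    tokens = [t.strip().lower() for t in value.split(",") if t.strip()]  # last policy wins
    if tokens and tokens[-1] in SAFE_REFERRER_POLICIES:
        return POINTS, f"Referrer-Policy: {tokens[-1]}"
    return POINTS // 2, f"Referrer-Policy '{value}' can leak URL paths cross-origin"

CHECKS = [check_hsts, check_csp, check_framing, check_nosniff, check_referrer]

def grade_headers(raw_headers):
    """Score one response 0..100 and return (score, [(points, note), ...])."""
    h = {k.lower(): v.strip() for k, v in raw_headers.items()}  # names are case-insensitive
    findings = [check(h) for check in CHECKS]
    return sum(p for p, _ in findings), findings

def letter_grade(score):
    return "A" if score >= 90 else "B" if score >= 75 else "C" if score >= 50 else "F"

def fetch_headers(url, timeout=10.0):
    """Live mode: headers of the final response, redirects followed as a browser
    would. Not called by the offline demo below."""
    req = urllib.request.Request(url, headers={"User-Agent": "header-grader/0.1"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())

# Constructed sample responses, not captured from any real site.
WEAK = {"Content-Type": "text/html; charset=utf-8",
        "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "no-referrer-when-downgrade"}
REPORT_ONLY = {"Strict-Transport-Security": "max-age=3600",
               "Content-Security-Policy-Report-Only": "default-src 'self'; report-uri /csp-report",
               "X-Frame-Options": "SAMEORIGIN",
               "X-Content-Type-Options": "nosniff",
               "Referrer-Policy": "same-origin"}
HARDENED = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
            "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
            "X-Frame-Options": "DENY",
            "X-Content-Type-Options": "nosniff",
            "Referrer-Policy": "strict-origin-when-cross-origin"}

if __name__ == "__main__":
    for name, headers in (("weak", WEAK), ("report-only", REPORT_ONLY), ("hardened", HARDENED)):
        score, findings = grade_headers(headers)
        print(f"{name}: {score}/100, grade {letter_grade(score)}")
        for points, note in findings:
            print(f"  [{points:2d}] {note}")
```

Run it as-is to see the three sample sets scored (30, 80 and 100 under these rules), or call grade_headers(fetch_headers("https://example.org/")) against a site you own. Two caveats a practitioner should keep in mind: HSTS is only meaningful on an HTTPS response, so grade the final HTTPS response after redirects, not the HTTP one that redirects to it; and a header can be present on the page you monitor but missing on other routes, so a single-URL check is a sample, not proof of site-wide coverage.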
FAQ
Frequently asked questions
Sitewatch reads the HTTP response headers from your site on every scheduled check and evaluates five security-critical headers: Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy. It is passive header analysis, not active vulnerability scanning.
No. Sitewatch does not perform active security scanning, penetration testing, or vulnerability assessment. It analyzes the security headers present in your HTTP responses — the same headers any browser sees when it loads your page. Think of it as a continuous audit of your header configuration.
Each of the five security headers is checked for presence and correct configuration. The combined security header score contributes 25% of your overall quality score. The other 75% comes from availability (25%), redirect health (25%), and asset health (25%), capped at 100.
Five headers: Strict-Transport-Security (HSTS), Content-Security-Policy (including Content-Security-Policy-Report-Only), X-Frame-Options, X-Content-Type-Options, and Referrer-Policy. These are the headers that browsers use to enforce transport security, limit injection attacks, block clickjacking, stop MIME sniffing, and control referrer leakage.
Add the missing headers to your server or CDN configuration. Sitewatch shows you exactly which headers are missing. Most hosting platforms and CDNs let you add security headers in a few lines of configuration. The next scheduled check will pick up your changes automatically.
No. Security header analysis runs automatically on every check. There is nothing to enable, no agents to install, and no scanning schedule to set up. If you are monitoring a site with Sitewatch, you are already getting security header analysis.
Find your missing security headers before attackers do
Free plan. 1 site. No configuration required. No credit card.
Explore more
Related monitoring capabilities
Public Status Pages
Share your security grade and uptime with customers and stakeholders.
Uptime Monitoring
Know the moment your site goes down with instant alerts.
Website Monitoring
Go beyond ping checks — verify your pages actually work.
Integrations
Get alerts in Slack, PagerDuty, Opsgenie, and 3 more channels.