Security Posture Monitoring
Catch missing headers, detect regressions, and find mixed content — automatically
SiteWatch monitors five critical security headers on every check, alerts you when a deployment removes a header that was previously present, and detects mixed content across every HTTPS page. No other agency monitoring tool does all three continuously. No configuration required.
- 5 security headers analyzed automatically on every check
- Regression alerts — know when a deploy strips a header that was previously present
- Mixed content detection — catch HTTP resources on HTTPS pages before visitors see "Not Secure"
Why it matters
Security headers are your first line of defense. Are yours set?
HSTS enforcement
Without Strict-Transport-Security, browsers can be tricked into loading your site over HTTP. SiteWatch checks that HSTS is present and correctly configured on every check.
Content Security Policy
CSP prevents XSS and injection attacks by controlling which resources browsers can load. SiteWatch detects both Content-Security-Policy and CSP-Report-Only headers.
Clickjacking protection
X-Frame-Options stops attackers from embedding your site in invisible iframes. A single missing header can expose your users to credential theft.
MIME sniffing prevention
X-Content-Type-Options stops browsers from guessing file types — a technique attackers exploit to execute malicious content disguised as harmless files.
25% of your quality score
Security headers contribute a full quarter of your overall quality score. Missing headers drag down your grade and signal risk to anyone viewing your status page.
Zero configuration
No agents to install. No scanning tools to configure. SiteWatch reads your response headers on every scheduled check and grades them automatically.
- 5 security headers monitored
- Every check: regression detection frequency
- 9 mixed content resource types scanned
Header analysis
Five headers. Every check. Fully automatic.
Transport and encryption
- Strict-Transport-Security (HSTS) — forces HTTPS connections and prevents protocol downgrade attacks
- Detects missing or misconfigured max-age directives
Content injection defense
- Content-Security-Policy — controls which scripts, styles, and resources browsers are allowed to load
- CSP-Report-Only — detects report-only mode as a transitional step toward full enforcement
Framing and embedding
- X-Frame-Options — prevents your pages from being embedded in iframes on malicious sites
- Protects users from clickjacking and UI redress attacks
Response integrity
- X-Content-Type-Options — blocks MIME type sniffing that can turn harmless files into executable code
- Referrer-Policy — controls how much URL information is leaked to third-party sites in the Referer header
How it works
From check to security grade in seconds
Scheduled check runs
SiteWatch sends a request to your page on its normal monitoring schedule. No separate security scan — header analysis is built into every check.
Response headers analyzed
The HTTP response headers are evaluated against five security checks: HSTS, CSP, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy.
Security score calculated
Each header contributes to your security score. The security score makes up 25% of your overall quality grade alongside availability, redirects, and asset health.
Grade displayed on status page
Your security grade is visible on your public status page. Missing headers are flagged so you know exactly what to fix and where.
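The four steps above, written out as a Python example of what a scheduled check evaluates. This is an added illustration, not SiteWatch's code: the per-header rules follow the page's descriptions (HSTS max-age present and non-zero, enforced or report-only CSP, X-Frame-Options DENY or SAMEORIGIN, X-Content-Type-Options nosniff, a Referrer-Policy that is not unsafe-url), while the 20 points per header, half credit for report-only CSP, and the `GOOD` / `AFTER_BAD_DEPLOY` header sets are assumptions constructed for the example. The 25% share of the quality score is the page's figure.

```python
"""Grade five security headers the way a scheduled check would.

Added example, not SiteWatch's own code. Point values and the half credit
for report-only CSP are assumptions; the 25% quality share is from the page.
"""
from __future__ import annotations

import re

POINTS_PER_HEADER = 20          # five headers, 100 points total (assumed weighting)
SECURITY_SHARE_OF_QUALITY = 0.25  # security is 25% of the overall quality score


def _normalise(headers: dict[str, str]) -> dict[str, str]:
    """Header names are case-insensitive; fold them to lower case once."""
    return {k.lower(): v.strip() for k, v in headers.items()}


def check_hsts(value: str | None) -> tuple[float, str]:
    """HSTS needs a max-age; max-age=0 tells browsers to forget the policy."""
    if value is None:
        return 0.0, "missing"
    m = re.search(r"max-age\s*=\s*\"?(\d+)", value, re.I)
    if not m:
        return 0.0, "max-age directive missing"
    if int(m.group(1)) == 0:
        return 0.0, "max-age=0 disables HSTS"
    return 1.0, "ok"


def check_csp(enforced: str | None, report_only: str | None) -> tuple[float, str]:
    """Enforced CSP gets full credit; report-only is transitional (half credit assumed)."""
    if enforced:
        return 1.0, "enforced"
    if report_only:
        return 0.5, "report-only (not enforced)"
    return 0.0, "missing"


def check_frame_options(value: str | None) -> tuple[float, str]:
    if value is None:
        return 0.0, "missing"
    if value.upper() in ("DENY", "SAMEORIGIN"):
        return 1.0, "ok"
    return 0.0, f"unsupported value {value!r}"  # e.g. the obsolete ALLOW-FROM


def check_content_type_options(value: str | None) -> tuple[float, str]:
    if value is None:
        return 0.0, "missing"
    if value.lower() == "nosniff":
        return 1.0, "ok"
    return 0.0, f"expected nosniff, got {value!r}"


def check_referrer_policy(value: str | None) -> tuple[float, str]:
    if value is None:
        return 0.0, "missing"
    # The header may carry a comma-separated fallback list; the last token wins.
    tokens = [t.strip().lower() for t in value.split(",") if t.strip()]
    if not tokens:
        return 0.0, "empty value"
    if tokens[-1] == "unsafe-url":
        return 0.0, "unsafe-url leaks full URLs to third parties"
    return 1.0, "ok"


def grade_headers(raw_headers: dict[str, str]) -> dict:
    """Return the security score (0-100), its quality-score contribution, and per-header findings."""
    h = _normalise(raw_headers)
    findings = {
        "Strict-Transport-Security": check_hsts(h.get("strict-transport-security")),
        "Content-Security-Policy": check_csp(h.get("content-security-policy"),
                                             h.get("content-security-policy-report-only")),
        "X-Frame-Options": check_frame_options(h.get("x-frame-options")),
        "X-Content-Type-Options": check_content_type_options(h.get("x-content-type-options")),
        "Referrer-Policy": check_referrer_policy(h.get("referrer-policy")),
    }
    score = round(sum(frac for frac, _ in findings.values()) * POINTS_PER_HEADER)
    return {"score": score, "quality_points": score * SECURITY_SHARE_OF_QUALITY, "findings": findings}


# Constructed sample responses (not captured from any real site).
GOOD = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
AFTER_BAD_DEPLOY = {
    "Strict-Transport-Security": "max-age=0",
    "Content-Security-Policy-Report-Only": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for label, headers in (("good", GOOD), ("after bad deploy", AFTER_BAD_DEPLOY)):
        result = grade_headers(headers)
        print(f"{label}: score {result['score']}, quality points {result['quality_points']}")
        for name, (_, detail) in result["findings"].items():
            print(f"  {name}: {detail}")
```

Each finding carries a detail string so the status page can say what to fix, not just that points were lost; `AFTER_BAD_DEPLOY` shows how a header that is technically present (`max-age=0`) still scores as broken.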
Security header regression
Know the moment a deployment strips a security header
Deployments break security headers silently
A new nginx config, a CDN change, a hosting migration — any of these can strip security headers that took effort to configure. It happens after nearly every major infrastructure change, and nobody notices until the next pentest.
Alerts within the hour
SiteWatch stores a snapshot of which security headers are present after every check. If a header disappears on the next check, a high-severity regression incident is created — typically within one check cycle.
"Previously seen at" — pinpoints the deploy
The regression incident includes which header was removed and when it was last seen. That timestamp aligns directly with your deployment timing — so you know exactly when the regression was introduced, without digging through logs.
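The snapshot-and-compare behaviour described in this section, as an added Python example rather than SiteWatch's implementation. It stores, per site, when each of the five headers was last observed present; a header that is in the stored snapshot but absent from the current response raises a high-severity incident carrying the "previously seen at" timestamp. The site name, header sets and timestamps `T0`, `T1`, `T2` are constructed for the example, and the choice to drop a header from the snapshot once an incident has fired (so the same regression is not re-alerted every cycle) is an assumption.

```python
"""Detect security-header regressions between scheduled checks.

Added example, not SiteWatch's own code. Store layout, incident fields and
the de-duplication rule are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timezone

MONITORED = frozenset({
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
})


def present_headers(raw_headers: dict[str, str]) -> frozenset[str]:
    """Monitored headers a response carries. CSP counts as present in
    report-only form too, matching the page's description."""
    names = {k.lower() for k in raw_headers}
    if "content-security-policy-report-only" in names:
        names.add("content-security-policy")
    return frozenset(names & MONITORED)


@dataclass(frozen=True)
class RegressionIncident:
    site: str
    header: str
    last_seen_at: datetime   # the "previously seen at" timestamp to line up with deploys
    detected_at: datetime
    severity: str = "high"

    def message(self) -> str:
        return (f"{self.header} missing from {self.site}; "
                f"previously seen at {self.last_seen_at.isoformat()}")


@dataclass
class RegressionTracker:
    """Per-site snapshot: header name -> time it was last observed present."""
    last_seen: dict[str, dict[str, datetime]] = field(default_factory=dict)

    def record_check(self, site: str, raw_headers: dict[str, str],
                     checked_at: datetime) -> list[RegressionIncident]:
        now_present = present_headers(raw_headers)
        snapshot = self.last_seen.setdefault(site, {})
        incidents: list[RegressionIncident] = []
        # Anything in the previous snapshot but not in this response has regressed.
        # Popping it means a still-missing header does not re-alert every cycle;
        # if it comes back and is removed again, a fresh incident fires.
        for header in sorted(set(snapshot) - now_present):
            incidents.append(RegressionIncident(site, header, snapshot.pop(header), checked_at))
        # Refresh the snapshot for everything present now. A header that was
        # never seen is a grading finding ("missing"), not a regression.
        for header in now_present:
            snapshot[header] = checked_at
        return incidents


# Constructed sample timeline: a deploy between T0 and T1 drops X-Frame-Options.
FULL = {
    "Strict-Transport-Security": "max-age=31536000",
    "Content-Security-Policy": "default-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
}
AFTER_DEPLOY = {k: v for k, v in FULL.items() if k != "X-Frame-Options"}

T0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
T1 = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)   # first check after the deploy
T2 = datetime(2024, 5, 1, 11, 0, tzinfo=timezone.utc)


def run_sample() -> list[list[RegressionIncident]]:
    """Three consecutive checks for one site; returns the incidents each produced."""
    tracker = RegressionTracker()
    return [
        tracker.record_check("www.example.test", FULL, T0),
        tracker.record_check("www.example.test", AFTER_DEPLOY, T1),
        tracker.record_check("www.example.test", AFTER_DEPLOY, T2),
    ]


if __name__ == "__main__":
    for cycle, incidents in enumerate(run_sample()):
        for inc in incidents:
            print(f"check {cycle}: [{inc.severity}] {inc.message()}")
```

Only the second check produces an incident, and its `last_seen_at` is `T0`, the last check before the deploy; that is the timestamp to compare against the deployment log.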
No competitor monitors this
Security header regression tracking is unique to SiteWatch. No other agency monitoring tool checks whether headers that were previously present have since disappeared. This is the difference between a one-off audit and continuous protection.
Complete security coverage
SiteWatch monitors every layer of your site's security posture
SSL certificate monitoring
SiteWatch monitors every SSL certificate continuously — 30-day expiry warning, full certificate chain validation, and TLS protocol and cipher checks. A cert can be technically valid while the chain is broken. SiteWatch catches both.
Domain expiry monitoring
Domain registration expiry tracked automatically via RDAP for every monitored site. 30-day early warning before a client domain lapses — no WHOIS tools, no calendar reminders, no API keys required.
TLS configuration checks
Deprecated TLS 1.0 and TLS 1.1 protocols flagged automatically. Weak cipher suites — RC4, 3DES, NULL, export-grade — detected on every check. These are the configuration issues that show up in security audits but are invisible to uptime tools.
Mixed content detection
SiteWatch scans every HTTPS page for HTTP resources — scripts, images, stylesheets, iframes, and more. Active mixed content (scripts, iframes) is flagged critical. Passive mixed content (images, stylesheets) is flagged high. Included on all plans.
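An added Python example of the scan this section describes, not SiteWatch's code: it parses an HTTPS page's HTML, resolves every subresource URL against the page URL, and flags those that resolve to plain `http://`. The severity mapping follows the page (scripts and iframes critical; images and stylesheets high). The page names only those four resource kinds; the extra tags in the table (`object`, `embed`, `video`, `audio`, `source`) and the sample HTML for `www.example.test` are assumptions constructed for the example.

```python
"""Find HTTP subresources referenced from an HTTPS page.

Added example, not SiteWatch's own code. Severity mapping follows the page;
the full tag list beyond scripts, iframes, images and stylesheets is assumed.
"""
from __future__ import annotations

from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# (tag, attribute) -> severity. Active content is critical, passive is high.
SUBRESOURCES = {
    ("script", "src"): "critical",
    ("iframe", "src"): "critical",
    ("object", "data"): "critical",   # assumed
    ("embed", "src"): "critical",     # assumed
    ("img", "src"): "high",
    ("video", "src"): "high",         # assumed
    ("audio", "src"): "high",         # assumed
    ("source", "src"): "high",        # assumed
}
SEVERITY_ORDER = {"critical": 2, "high": 1}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url: str) -> None:
        super().__init__()
        if urlsplit(page_url).scheme != "https":
            raise ValueError("mixed content only applies to HTTPS pages")
        self.page_url = page_url
        self.findings: list[dict] = []

    def handle_starttag(self, tag: str, attrs: list[tuple[str, str | None]]) -> None:
        a = {k.lower(): v for k, v in attrs if v is not None}
        candidates = [(attr, sev) for (t, attr), sev in SUBRESOURCES.items() if t == tag]
        # Stylesheets are <link rel="stylesheet" href=...>; other <link> rels are not loaded here.
        if tag == "link" and "stylesheet" in a.get("rel", "").lower().split():
            candidates.append(("href", "high"))
        for attr, severity in candidates:
            url = a.get(attr)
            if not url:
                continue
            # Relative and protocol-relative ("//cdn...") URLs inherit https from the page,
            # so only an explicit http:// scheme survives resolution as mixed content.
            resolved = urljoin(self.page_url, url.strip())
            if urlsplit(resolved).scheme == "http":
                self.findings.append({"tag": tag, "attr": attr, "url": resolved,
                                      "severity": severity, "line": self.getpos()[0]})


def scan_page(page_url: str, html: str) -> list[dict]:
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def worst_severity(findings: list[dict]) -> str | None:
    if not findings:
        return None
    return max(findings, key=lambda f: SEVERITY_ORDER[f["severity"]])["severity"]


# Constructed sample page: one mixed stylesheet, one mixed script, one mixed image.
# The protocol-relative script, the https iframe and the plain <a href> are not mixed content.
SAMPLE_URL = "https://www.example.test/"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="//cdn.example.test/app.js"></script>
<script src="http://cdn.example.test/legacy.js"></script>
</head><body>
<img src="/img/logo.png">
<img src="http://images.example.test/banner.jpg">
<iframe src="https://embed.example.test/widget"></iframe>
<a href="http://example.test/old-page">old page</a>
</body></html>"""

if __name__ == "__main__":
    for f in scan_page(SAMPLE_URL, SAMPLE_HTML):
        print(f"[{f['severity']}] line {f['line']}: <{f['tag']} {f['attr']}> {f['url']}")
    print("worst:", worst_severity(scan_page(SAMPLE_URL, SAMPLE_HTML)))
```

Resolving against the page URL before checking the scheme is what keeps protocol-relative and root-relative references out of the findings; checking the raw attribute string for the literal `http:` would miss nothing here but would misclassify `//` references in a page served over HTTP.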
FAQ
Frequently asked questions
SiteWatch reads the HTTP response headers from your site on every scheduled check and evaluates five security-critical headers: Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy. It is passive header analysis, not active vulnerability scanning.
After every check, SiteWatch stores a snapshot of which security headers are present. If a header that was detected on a previous check disappears on a subsequent check, SiteWatch creates a high-severity regression incident. The incident shows which header was removed and when it was last seen — so you can correlate it directly with a deployment. No other monitoring tool does this.
Security headers are typically configured in your web server, CDN, or reverse proxy — not in your application code. Any infrastructure change (new nginx config, CDN migration, hosting switch) can silently reset these configurations. The headers vanish, but your site keeps responding 200 OK. SiteWatch catches the regression on the next check cycle.
No. SiteWatch does not perform active security scanning, penetration testing, or vulnerability assessment. It analyzes the security headers present in your HTTP responses and monitors for mixed content in page resources — the same signals any browser sees when it loads your page. Think of it as continuous security posture monitoring, not a security audit tool.
Each of the five security headers is checked for presence and correct configuration. The combined security header score contributes 25% of your overall quality score. The other 75% comes from availability (25%), redirect health (25%), and asset health (25%), capped at 100.
Five headers: Strict-Transport-Security (HSTS), Content-Security-Policy (including CSP-Report-Only), X-Frame-Options, X-Content-Type-Options, and Referrer-Policy. These are the headers that browsers use to enforce transport security, prevent injection attacks, block clickjacking, stop MIME sniffing, and control referrer leakage.
No. Security header analysis, regression detection, and mixed content monitoring all run automatically on every check. There is nothing to enable, no agents to install, and no scanning schedule to set up.
Monitor your security posture — headers, regressions, and mixed content
Free plan. 1 site. No configuration required. No credit card.
Explore more
Related monitoring capabilities
Mixed Content Monitoring
Detect HTTP resources on HTTPS pages — the silent cause of "Not Secure" warnings.
SSL Certificate Monitoring
Continuous SSL expiry tracking, chain validation, and TLS cipher checks.
Domain Expiry Monitoring
Domain registration expiry tracked automatically — 30-day early warning.
Public Status Pages
Share your security grade and uptime with customers and stakeholders.