guides

Security Header and HSTS Monitoring Guide

Monitor HSTS, CSP, frame protection, MIME sniffing, referrer, permissions, TLS, and certificate posture without treating headers as a vulnerability scan.

Security-header monitoring records the effective headers returned by a site and alerts when they disappear or become weaker. Pair it with TLS protocol and certificate checks. This is configuration-posture monitoring—not a replacement for application security testing or a full cipher and vulnerability assessment.

Headers worth tracking

  • Strict-Transport-Security (HSTS) tells supporting browsers to use HTTPS for future requests. Track max-age, includeSubDomains, and preload separately.
  • Content-Security-Policy limits where page resources may load from. Presence alone is not enough: wildcards, unsafe-inline, and unsafe-eval can weaken important directives.
  • CSP frame-ancestors or X-Frame-Options reduces clickjacking exposure.
  • X-Content-Type-Options: nosniff prevents MIME-type sniffing in relevant contexts.
  • Referrer-Policy controls referrer data disclosure.
  • Permissions-Policy limits browser features.
  • Cross-origin opener, embedder, and resource policies can provide isolation where the application supports them.

Example HSTS policy:

Strict-Transport-Security: max-age=31536000; includeSubDomains

Deploy HSTS only after confirming HTTPS works for every covered subdomain. max-age=0 removes the cached policy, and reducing a long duration to a short one weakens protection. Preload is a separate operational commitment; do not add the token without understanding browser preload-list requirements and removal delays.

Monitor the effective response

Check the canonical HTTPS URL and account for redirects. A header configured at the application may be overwritten or removed by a reverse proxy, CDN, WAF, or error-page path. Record the final checked URL, negotiated TLS version, certificate validity and expiry, and effective response header values.

Treat certificate expiry and deprecated TLS as distinct findings. Missing hardening headers are generally warnings whose severity depends on application context. Confirm CDN-edge variance before raising an incident.

References

Run the free AuthDrift checker below to inspect both email authentication and the current web-posture response.

Check a domain for free

Audit email authentication, TLS, HSTS, and security headers. No signup required.

Know your DKIM selector?
Checking the domain's records…