Security Header and HSTS Monitoring Guide
Monitor HSTS, CSP, frame protection, MIME sniffing, referrer, permissions, TLS, and certificate posture without treating headers as a vulnerability scan.
Security-header monitoring records the effective headers returned by a site and alerts when they disappear or become weaker. Pair it with TLS protocol and certificate checks. This is configuration-posture monitoring—not a replacement for application security testing or a full cipher and vulnerability assessment.
Headers worth tracking
Strict-Transport-Security(HSTS) tells supporting browsers to use HTTPS for future requests. Trackmax-age,includeSubDomains, andpreloadseparately.Content-Security-Policylimits where page resources may load from. Presence alone is not enough: wildcards,unsafe-inline, andunsafe-evalcan weaken important directives.- CSP
frame-ancestorsorX-Frame-Optionsreduces clickjacking exposure. X-Content-Type-Options: nosniffprevents MIME-type sniffing in relevant contexts.Referrer-Policycontrols referrer data disclosure.Permissions-Policylimits browser features.- Cross-origin opener, embedder, and resource policies can provide isolation where the application supports them.
Example HSTS policy:
Strict-Transport-Security: max-age=31536000; includeSubDomains
Deploy HSTS only after confirming HTTPS works for every covered subdomain. max-age=0 removes the cached policy, and reducing a long duration to a short one weakens protection. Preload is a separate operational commitment; do not add the token without understanding browser preload-list requirements and removal delays.
Monitor the effective response
Check the canonical HTTPS URL and account for redirects. A header configured at the application may be overwritten or removed by a reverse proxy, CDN, WAF, or error-page path. Record the final checked URL, negotiated TLS version, certificate validity and expiry, and effective response header values.
Treat certificate expiry and deprecated TLS as distinct findings. Missing hardening headers are generally warnings whose severity depends on application context. Confirm CDN-edge variance before raising an incident.
References
- HSTS (RFC 6797)
- Content Security Policy Level 3
- Referrer Policy
- Permissions Policy
- TLS 1.0 and 1.1 deprecation (RFC 8996)
Run the free AuthDrift checker below to inspect both email authentication and the current web-posture response.
Check a domain for free
Audit email authentication, TLS, HSTS, and security headers. No signup required.
Checking the domain's records…