How DomainCare grades six HTTP security headers (CSP, HSTS, X-Frame-Options, and friends) A–F daily and alerts on grade drops.

Security headers check

The security headers check fetches your site's homepage once a day, inspects six standard response headers, and assigns a letter grade A–F. A grade drop or a new misconfiguration triggers an alert.

What it monitors

Strict-Transport-Security (HSTS) — forces clients to use HTTPS. Weighted heaviest in the grade. Misconfigured if max-age is below 180 days or includeSubDomains is missing.
Content-Security-Policy (CSP) — restricts which scripts, styles, and frames the browser will load. Weighted heaviest alongside HSTS. Misconfigured if it allows unsafe-inline or unsafe-eval.
X-Frame-Options — controls whether the page can be loaded inside a frame (clickjacking protection). Misconfigured if it uses the deprecated ALLOW-FROM directive.
X-Content-Type-Options — must be nosniff to prevent MIME-type sniffing.
Referrer-Policy — controls the Referer header on outbound links. Misconfigured if it uses unsafe-url.
Permissions-Policy — newer header that gates browser features (camera, geolocation, payment). Lightest weight; missing is informational.

How the grade is computed

Each header carries a weight. Full credit when present and correctly configured, half credit when present but misconfigured, zero when missing. Score is normalized to 0–100 then mapped:

A ≥ 90
B ≥ 80
C ≥ 70
D ≥ 60
F below 60

The check runs once every 24 hours — headers rarely change, so a tighter interval would just burn rate-limit budget on the upstream.

Alerts this check produces

Event	Tone	When it fires
`security_headers_grade_dropped`	Warning	The grade letter regressed from the previous run (e.g. A → B, B → D)
`security_header_misconfigured`	Warning	A specific header gained a new validation issue that wasn't present before

Severity classification

Security headers is an advisory check. A poor grade (C, D, or F) shows as Needs attention (amber) on your dashboard — it never counts toward the critical-failure total. This keeps your at-a-glance health score focused on outages and broken authentication while still surfacing header gaps you should address.

What to do when alerts fire

Open your edge config — most teams set headers via Nginx, Caddy, Cloudflare, Vercel, or a framework next.config.ts. Find where the response headers for the affected route are defined.
Add the missing header. A safe starting point:
- Strict-Transport-Security: max-age=31536000; includeSubDomains
- Content-Security-Policy: default-src 'self' (then iterate)
- X-Frame-Options: DENY
- X-Content-Type-Options: nosniff
- Referrer-Policy: strict-origin-when-cross-origin
Deploy and wait for the next check. The next run (within 24h) re-grades the response. Trigger a manual recheck from the per-domain page if you don't want to wait.
Iterate on CSP. A strict CSP often breaks first deploy because of inline scripts you didn't know about. Use the browser console + the Content-Security-Policy-Report-Only header to identify violations before enforcing.

SSL & TLS check — HSTS works in concert with a valid TLS cert
Alert reference

Security headers check

The security headers check fetches your site's homepage once a day, inspects six standard response headers, and assigns a letter grade A–F. A grade drop or a new misconfiguration triggers an alert.

What it monitors

Strict-Transport-Security (HSTS) — forces clients to use HTTPS. Weighted heaviest in the grade. Misconfigured if max-age is below 180 days or includeSubDomains is missing.
Content-Security-Policy (CSP) — restricts which scripts, styles, and frames the browser will load. Weighted heaviest alongside HSTS. Misconfigured if it allows unsafe-inline or unsafe-eval.
X-Frame-Options — controls whether the page can be loaded inside a frame (clickjacking protection). Misconfigured if it uses the deprecated ALLOW-FROM directive.
X-Content-Type-Options — must be nosniff to prevent MIME-type sniffing.
Referrer-Policy — controls the Referer header on outbound links. Misconfigured if it uses unsafe-url.
Permissions-Policy — newer header that gates browser features (camera, geolocation, payment). Lightest weight; missing is informational.

How the grade is computed

Each header carries a weight. Full credit when present and correctly configured, half credit when present but misconfigured, zero when missing. Score is normalized to 0–100 then mapped:

A ≥ 90
B ≥ 80
C ≥ 70
D ≥ 60
F below 60

The check runs once every 24 hours — headers rarely change, so a tighter interval would just burn rate-limit budget on the upstream.

Alerts this check produces

Event	Tone	When it fires
`security_headers_grade_dropped`	Warning	The grade letter regressed from the previous run (e.g. A → B, B → D)
`security_header_misconfigured`	Warning	A specific header gained a new validation issue that wasn't present before

Severity classification

What to do when alerts fire

Open your edge config — most teams set headers via Nginx, Caddy, Cloudflare, Vercel, or a framework next.config.ts. Find where the response headers for the affected route are defined.
Add the missing header. A safe starting point:
- Strict-Transport-Security: max-age=31536000; includeSubDomains
- Content-Security-Policy: default-src 'self' (then iterate)
- X-Frame-Options: DENY
- X-Content-Type-Options: nosniff
- Referrer-Policy: strict-origin-when-cross-origin
Deploy and wait for the next check. The next run (within 24h) re-grades the response. Trigger a manual recheck from the per-domain page if you don't want to wait.
Iterate on CSP. A strict CSP often breaks first deploy because of inline scripts you didn't know about. Use the browser console + the Content-Security-Policy-Report-Only header to identify violations before enforcing.

SSL & TLS check — HSTS works in concert with a valid TLS cert
Alert reference

Security headers check

Security headers check

What it monitors

How the grade is computed

Alerts this check produces

Severity classification

What to do when alerts fire

Related

Security headers check

Security headers check

What it monitors

How the grade is computed

Alerts this check produces

Severity classification

What to do when alerts fire

Related