How to Monitor Your Website Security Automatically
Daily automated monitoring catches security regressions the morning after they happen. This guide explains what is checked, how to set it up, and what to do when something changes.
Setting up automated security monitoring takes less than a minute. The harder part is knowing what you are looking at once it is running. This guide walks through what is checked in each daily scan, how to interpret change alerts, and what to do when the email digest flags something unexpected.
Website Security Monitoring
This guide covers how monitoring works in practice. For an overview of the feature, pricing, and plans, see the Website Security Monitoring product page.
What monitoring covers
Each daily scan covers six security categories. You can enable or disable each category independently when you add a site.
HTTP Security Headers
Checks whether each security header is present and returns the configuration. Headers monitored include Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Cross-Origin-Opener-Policy, and Cross-Origin-Embedder-Policy.
TLS / HTTPS
Validates the certificate, checks days until expiry, confirms the protocol version (TLS 1.2, TLS 1.3), and checks whether forward secrecy is enabled. Alerts when expiry crosses the 30-day and 7-day thresholds.
Content Security Policy
Evaluates your CSP quality on a five-point scale: none, poor, fair, good, or excellent. A quality downgrade from "good" to "fair" is a meaningful regression. The numeric CSP score is also tracked for finer-grained trend data.
Cookie Security
Scans each cookie the server sets and checks for HttpOnly, Secure, and SameSite flags. Flags that were present yesterday and missing today indicate a security regression in your cookie handling code or configuration.
DNS Security
Checks SPF and DMARC records for email security, CAA records for certificate authority authorization, and DNSSEC for DNS response integrity. Any record that disappears is flagged as a removal.
Security.txt
Checks whether a security.txt file exists at /.well-known/security.txt. Presence confirms that your site has a defined vulnerability disclosure channel for security researchers.
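To make the header, cookie and security.txt checks concrete, here is an added example (not the monitoring service's own code) that builds one snapshot for those three categories from a constructed HTTP response. The header list is the one above; the response text, the security.txt fetch result and the rule that a present security.txt must carry a Contact field (the field RFC 9116 makes mandatory) are assumptions of the example. A real scanner fetches https://<domain>/ and /.well-known/security.txt instead of reading constants.

```python
"""Build one scan snapshot for the header, cookie and security.txt categories.

Added example, not the monitoring service's own code. It runs on a
constructed HTTP response so it works offline; a real scanner would
fetch https://<domain>/ and /.well-known/security.txt itself.
"""

SECURITY_HEADERS = [
    "Content-Security-Policy",
    "Strict-Transport-Security",
    "X-Frame-Options",
    "X-Content-Type-Options",
    "Referrer-Policy",
    "Permissions-Policy",
    "Cross-Origin-Opener-Policy",
    "Cross-Origin-Embedder-Policy",
]

# Constructed sample response: three monitored headers set, five missing,
# one well-configured cookie and one cookie with no flags at all.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=63072000; includeSubDomains
X-Content-Type-Options: nosniff
Content-Security-Policy: default-src 'self'
Set-Cookie: session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax
Set-Cookie: theme=dark; Path=/
"""

# Constructed result of fetching /.well-known/security.txt: (status, body).
SAMPLE_SECURITY_TXT = (200, "Contact: mailto:security@example.com\nExpires: 2030-01-01T00:00:00z\n")


def parse_headers(raw: str) -> list[tuple[str, str]]:
    """Split a raw header block into (name, value) pairs, keeping repeats."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:  # first line is the status line
        if not line.strip():
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            pairs.append((name.strip(), value.strip()))
    return pairs


def check_headers(pairs):
    """Configured value of each monitored header, or None when absent.

    Header names are case-insensitive, so the lookup is lower-cased.
    """
    found = {name.lower(): value for name, value in pairs}
    return {h: found.get(h.lower()) for h in SECURITY_HEADERS}


def check_cookies(pairs):
    """HttpOnly / Secure / SameSite state for every Set-Cookie header."""
    cookies = {}
    for name, value in pairs:
        if name.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {}
        for attr in parts[1:]:
            key, _, val = attr.partition("=")
            # Flag attributes (HttpOnly, Secure) have no value; store True.
            attrs[key.strip().lower()] = val.strip() if val else True
        samesite = attrs.get("samesite")
        cookies[cookie_name] = {
            "HttpOnly": attrs.get("httponly") is True,
            "Secure": attrs.get("secure") is True,
            "SameSite": samesite if isinstance(samesite, str) else None,
        }
    return cookies


def check_security_txt(status, body):
    """Present only if the file is served (200) and has a Contact field."""
    return status == 200 and any(
        line.strip().lower().startswith("contact:") for line in body.splitlines()
    )


def build_snapshot(raw_response=SAMPLE_RESPONSE, security_txt=SAMPLE_SECURITY_TXT):
    """Assemble the three categories into one snapshot dictionary."""
    pairs = parse_headers(raw_response)
    return {
        "headers": check_headers(pairs),
        "cookies": check_cookies(pairs),
        "security_txt": check_security_txt(*security_txt),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_snapshot(), indent=2))
```

Run as-is it prints the snapshot for the constructed response: the three set headers with their values, None for the five missing ones, the session cookie with all three flags, and the theme cookie with none of them, which is the kind of gap the cookie category would flag.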
Setting up monitoring
Monitoring is available on Pro and Business plans. From the Monitoring section of your account dashboard, click "Add site" and enter your domain without the protocol prefix. For example, enter example.com, not https://example.com.
The setup screen shows all six monitoring categories with toggles. HTTP headers, TLS, CSP, and cookies are enabled by default. DNS and security.txt are optional. Enable any categories you want to track. All attributes within each enabled category are monitored automatically.
Once saved, the site appears in your monitoring dashboard. The first automated scan runs the next day. After that first scan, you will have a baseline to compare against, and change detection begins with the second scan.
Tip
You can also add a site to monitoring directly from the scan results page. After running a scan on any domain, a "Monitor this site" button appears in the navigation panel on the left side of the results. This pre-fills the domain and takes you directly to the monitoring setup.
How daily scans work
Scans run automatically on a daily basis. Each scan performs the same comprehensive check as a manual scan, evaluating the most important security attributes across your site. The result is stored as a snapshot that includes the full scan data, an overall score, and a list of detected changes compared to the previous snapshot.
Snapshots are retained for 90 days. The monitoring detail page shows a score trend chart over those 90 days, so you can see whether your security posture is improving, degrading, or holding steady over time.
If a scan fails because the site is unreachable or returns an unexpected error, the snapshot is recorded with an error status and a consecutive failure counter is incremented. After three consecutive failures, monitoring for that site is automatically paused. You will receive an email when this happens, and you can re-enable the site from your dashboard once it is accessible again.
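The failure handling described above, written out as an added example (not the service's own code). The threshold of three consecutive failures and the reset-from-the-dashboard behaviour come from the text; the state shape and the notification flag returned by record_scan are assumptions.

```python
"""Consecutive-failure handling for one monitored site.

Added example, not the monitoring service's own code. The threshold of
three matches the guide; the state shape and notification flag are assumed.
"""
from dataclasses import dataclass

FAILURE_THRESHOLD = 3  # consecutive failed scans before monitoring pauses


@dataclass
class MonitorState:
    consecutive_failures: int = 0
    paused: bool = False


def record_scan(state: MonitorState, succeeded: bool) -> bool:
    """Apply one daily scan outcome.

    Returns True exactly when this scan crosses the threshold, i.e. when
    the "monitoring paused" email should go out. A successful scan resets
    the counter, so only an unbroken run of failures pauses the site.
    """
    if state.paused:
        raise RuntimeError("no scans are scheduled while a site is paused")
    if succeeded:
        state.consecutive_failures = 0
        return False
    state.consecutive_failures += 1
    if state.consecutive_failures >= FAILURE_THRESHOLD:
        state.paused = True
        return True
    return False


def resume(state: MonitorState) -> None:
    """Re-enable from the dashboard once the site is reachable again."""
    state.paused = False
    state.consecutive_failures = 0


def simulate(outcomes):
    """Run a sequence of scan outcomes (True = reachable, False = error).

    Returns (consecutive_failures, paused, notified) after each scan so the
    reset-on-success behaviour is visible.
    """
    state = MonitorState()
    trace = []
    for ok in outcomes:
        notified = record_scan(state, ok)
        trace.append((state.consecutive_failures, state.paused, notified))
    return trace


if __name__ == "__main__":
    for day, step in enumerate(simulate([False, False, True, False, False, False]), 1):
        print(f"day {day}: failures={step[0]} paused={step[1]} email={step[2]}")
```

The constructed sequence in the usage block shows the point that matters operationally: two failures followed by one good scan do not pause the site, because the counter is reset; only the third failure in a row does, and the email is sent once at that moment rather than on every later day.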
Understanding change detection
Change detection runs after every scan by comparing the current result against the previous snapshot. Each detected change records a category, an attribute, the previous value, the current value, and a change type.
Change types and what they mean:
- Added: Something that was absent is now present. A missing security header is now set, or a DNS record that did not exist now exists. Usually good news unless it is unexpected.
- Removed: Something that was present is now missing. A security header was dropped by a deploy, or a DNS record was deleted. Almost always a regression that needs investigation.
- Changed: A value changed but the attribute itself is still present. For example, the TLS protocol version changed from TLS 1.2 to TLS 1.3, or the CSP score changed from 65 to 80. Could be an improvement or a regression depending on direction.
- Degraded: A value moved in a clearly negative direction. Used for expiry threshold crossings (certificate went from more than 30 days to fewer than 30 days remaining) and quality drops (CSP quality went from "good" to "fair").
Changes only fire for attributes within enabled categories. If DNS monitoring is disabled, changes to DNS records will not appear in your results.
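An added example of the comparison just described, not the service's own code: it diffs two snapshots into records carrying category, attribute, previous value, current value and change type, classifies each as added, removed, changed or degraded, and reports only enabled categories. The snapshot layout (category to attribute to value), the attribute names, the 30- and 7-day expiry thresholds and the ordering of the five CSP quality levels are assumptions; the two snapshots are constructed.

```python
"""Diff two daily-scan snapshots into change records.

Added example, not the monitoring service's own code. The snapshot layout
(category -> attribute -> value), the attribute names and the
threshold/quality rules are assumptions based on the change types above.
"""

CSP_QUALITY_RANK = {"none": 0, "poor": 1, "fair": 2, "good": 3, "excellent": 4}
EXPIRY_THRESHOLDS_DAYS = (30, 7)

# Constructed snapshots for two consecutive days.
YESTERDAY = {
    "headers": {
        "Strict-Transport-Security": "max-age=63072000",
        "X-Frame-Options": "DENY",
        "X-Content-Type-Options": "nosniff",
    },
    "tls": {"protocol": "TLSv1.2", "days_until_expiry": 31, "forward_secrecy": True},
    "csp": {"quality": "good", "score": 80},
    "dns": {"spf": "v=spf1 -all", "dmarc": "v=DMARC1; p=reject"},
}
TODAY = {
    "headers": {
        "Strict-Transport-Security": "max-age=63072000",
        "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "no-referrer",  # added; X-Frame-Options was dropped
    },
    "tls": {"protocol": "TLSv1.3", "days_until_expiry": 29, "forward_secrecy": True},
    "csp": {"quality": "fair", "score": 55},  # quality dropped one step
    "dns": {"spf": None, "dmarc": "v=DMARC1; p=reject"},  # SPF record deleted
}


def crossed_expiry_threshold(prev_days, cur_days):
    """True when days-to-expiry fell from above a threshold to at or below it."""
    return any(prev_days > t >= cur_days for t in EXPIRY_THRESHOLDS_DAYS)


def classify(category, attribute, prev, cur):
    """Return the change type for one attribute, or None if nothing to report."""
    if prev == cur:
        return None
    if prev is None:
        return "added"
    if cur is None:
        return "removed"
    if category == "tls" and attribute == "days_until_expiry":
        # The counter drops by one every day; only a threshold crossing is news.
        return "degraded" if crossed_expiry_threshold(prev, cur) else None
    if category == "csp" and attribute == "quality":
        return "degraded" if CSP_QUALITY_RANK[cur] < CSP_QUALITY_RANK[prev] else "changed"
    return "changed"


def detect_changes(previous, current, enabled_categories):
    """Compare two snapshots; only enabled categories produce records."""
    changes = []
    for category in enabled_categories:
        prev_attrs = previous.get(category, {})
        cur_attrs = current.get(category, {})
        for attribute in sorted(set(prev_attrs) | set(cur_attrs)):
            prev, cur = prev_attrs.get(attribute), cur_attrs.get(attribute)
            kind = classify(category, attribute, prev, cur)
            if kind is not None:
                changes.append({
                    "category": category, "attribute": attribute,
                    "previous": prev, "current": cur, "type": kind,
                })
    return changes


if __name__ == "__main__":
    for c in detect_changes(YESTERDAY, TODAY, ["headers", "tls", "csp"]):
        print(f"{c['type']:<9} {c['category']}/{c['attribute']}: "
              f"{c['previous']!r} -> {c['current']!r}")
```

With DNS left out of the enabled list, the deleted SPF record produces no record at all, which is the behaviour the paragraph above describes; enable "dns" and it appears as a removal. The one design choice worth noting is that the daily decrement of days_until_expiry is deliberately not reported as "changed", otherwise every digest would carry a TLS change.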
Reading your email digest
An email digest is sent to your account email address after every daily scan.
The email shows:
- The current overall security score and grade
- The score delta versus the previous day (e.g. +3 or -7)
- A row per enabled category with a plain-text status summary
- Categories where changes were detected, flagged with a "CHANGED" indicator
- A direct link to the monitoring detail page for the full result
The email is always sent, not just when changes are detected. On a quiet day where nothing changed, the email is brief: current score, same as yesterday, all categories clear. On a day where a deploy dropped a header, the email shows the specific header that was removed along with the category it belongs to.
The monitoring dashboard
The Monitoring section of your account dashboard lists all monitored sites. Each site card shows the current score, the date of the last scan, the time until the next scan, and a row of colored dots representing each enabled category.
The category dots use a simple color scheme: green for good, amber for warnings, red for issues. Hovering over a dot shows the category name. This gives you a quick visual overview of where issues exist without opening the detail view.
Clicking "Details" on any site card opens the monitoring detail page. This shows a score trend chart for the past 90 days, a breakdown of detected changes from the most recent scan, and the full category-level results with the same level of detail as a manual scan report.
What to do when changes are detected
When the email digest flags a change, start by looking at what changed and when. The change type tells you the direction: removed means something is gone, degraded means something got worse, added means something new appeared.
For removed headers, correlate with your deploy history. If a header disappeared the same day as a deployment, that deployment is the likely cause. Check whether the deployment overwrote a server configuration file that contained your header settings.
For TLS expiry warnings at 30 days, check your certificate renewal automation. Most automated renewal tools (Let's Encrypt, Certbot, cloud provider managed certs) renew at 60 to 30 days before expiry. If the alert fires, the renewal may not have run. Check whether the renewal service is active and whether the renew command succeeded.
For DNS record removals, check your DNS provider's change history. Many DNS providers keep an audit log of record changes. Look for a deletion event on or around the date the change was detected.
For CSP quality drops, open the monitoring detail page and compare the current CSP value against what was present before the change. The previous value is stored in the snapshot data. A quality drop from "good" to "fair" often means a new inline script was added without a corresponding nonce or hash, or a script source was added using an overly broad wildcard.
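The correlation step in the header, DNS and TLS advice above, as an added example that is not the service's own code: it takes the change records from a digest and the event history you control (deploy log, DNS provider audit log, certificate renewal log) and lists the events of a matching kind that fall on or around the detection date. The event kinds, the category-to-source mapping and the one-day window are assumptions, and all dates and events are constructed.

```python
"""Correlate detected changes with the change history you control.

Added example, not the monitoring service's own code. Event kinds, the
source mapping and the one-day "on or around" window are assumptions;
the dates and events below are constructed.
"""
from datetime import date, timedelta

# Which of your own logs can explain a change in each category (assumed).
LIKELY_SOURCES = {
    "headers": {"deploy"},
    "csp": {"deploy"},
    "dns": {"dns_audit"},
    "tls": {"cert_renewal"},
}

# Constructed change records as a digest would report them.
CHANGES = [
    {"category": "headers", "attribute": "X-Frame-Options", "type": "removed",
     "detected": date(2024, 3, 12)},
    {"category": "dns", "attribute": "spf", "type": "removed",
     "detected": date(2024, 3, 12)},
    {"category": "tls", "attribute": "days_until_expiry", "type": "degraded",
     "detected": date(2024, 3, 12)},
]

# Constructed events from deploy history and the DNS provider's audit log.
EVENTS = [
    {"kind": "deploy", "date": date(2024, 3, 12),
     "detail": "release v2.4.0 (nginx.conf replaced)"},
    {"kind": "deploy", "date": date(2024, 3, 5), "detail": "release v2.3.9"},
    {"kind": "dns_audit", "date": date(2024, 3, 11),
     "detail": "TXT record deleted by api-user"},
]


def correlate(changes, events, window_days=1):
    """Attach the events of a matching kind within the window to each change.

    A change with no candidates comes back with an empty list; for a TLS
    expiry degradation that means no renewal ran, so the automation itself
    is the thing to check.
    """
    window = timedelta(days=window_days)
    result = []
    for change in changes:
        kinds = LIKELY_SOURCES.get(change["category"], set())
        candidates = [
            e for e in events
            if e["kind"] in kinds and abs(e["date"] - change["detected"]) <= window
        ]
        candidates.sort(key=lambda e: e["date"], reverse=True)  # newest first
        result.append({"change": change, "candidates": candidates})
    return result


if __name__ == "__main__":
    for item in correlate(CHANGES, EVENTS):
        ch = item["change"]
        print(f"{ch['category']}/{ch['attribute']} {ch['type']} on {ch['detected']}")
        if not item["candidates"]:
            print("    no matching event; check the automation itself")
        for e in item["candidates"]:
            print(f"    {e['kind']} {e['date']}: {e['detail']}")
```

On the constructed data the dropped X-Frame-Options header lines up with the same-day deploy that replaced the server configuration file, the SPF removal lines up with a TXT record deletion in the DNS audit log the day before, and the TLS expiry degradation has no candidate, pointing at renewal automation that did not run.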
Start monitoring your site
Available on Pro and Business plans. Add your first site from the Monitoring dashboard. No agents or webhooks required. View plans.
FAQ
What does the daily security scan check?
Each daily scan covers six categories: HTTP security headers (presence and configuration of headers like Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, and others), TLS certificate validity and expiry, Content Security Policy quality rating and score, cookie security flags (HttpOnly, Secure, SameSite), DNS security records (SPF, DMARC, CAA, DNSSEC), and security.txt file presence.
How does change detection work?
Change detection compares today's scan result against yesterday's result for every attribute within each enabled category. For HTTP headers, it checks whether any security header was added or removed. For TLS, it checks validity status, expiry threshold crossings, protocol version, and forward secrecy. For CSP, it checks quality rating and score changes. For DNS, it checks SPF, DMARC, CAA, and DNSSEC record presence. Each detected change is recorded with the category, attribute, previous value, current value, and change type.
Will I get an email even if nothing changed?
Yes. A daily digest is sent after every scan regardless of whether changes were detected. This gives you a daily confirmation that everything is as expected. On days with no changes, the email is brief. On days with changes, it includes details of what changed and in which direction.
Can I monitor multiple sites?
Pro plan users can monitor one site. Business plan users can monitor up to five sites. Each monitored site has its own configuration, its own daily scan, and its own email digest.
What happens if my site is down during a scan?
If a scan fails because the site is unreachable, the snapshot is recorded with an error status and the failure is counted. After three consecutive scan failures, monitoring for that site is automatically paused and you receive an email notification. You can re-enable monitoring from your dashboard once the site is accessible again.