Documentation

What It Checks

Monitors your SSL/TLS certificate expiration, validity, and configuration. Ensures your site has HTTPS enabled and the certificate is trusted.

Why It Matters

Expired or invalid SSL certificates cause browser warnings, hurt SEO rankings, and can lose customer trust. Google Chrome shows "Not Secure" warnings for sites without valid HTTPS.

What We Monitor

• Expiration Date: Days until certificate expires
• Validity: Certificate is properly signed and trusted
• Configuration: Strong cipher suites and protocols

How to Fix Issues

1. Renew through your hosting provider or certificate authority
2. Use Let's Encrypt for free automated certificates
3. Set up auto-renewal to prevent future expirations
4. Update DNS records if moving to a new certificate

What It Checks

Monitors domain registration details including expiration date, registrar, name servers, and contact information.

Why It Matters

Expired domains mean your website goes offline completely. Domain theft or unauthorized transfers can happen if you're not monitoring your registration.

What We Monitor

• Expiration: Days until domain expires
• Registrar: Who manages your domain
• Name Servers: DNS configuration
• Status: Transfer lock and DNSSEC

How to Fix Issues

1. Log into your domain registrar account
2. Enable auto-renewal to prevent expiration
3. Update payment information if needed
4. Enable transfer lock to prevent unauthorized transfers
5. Consider enabling DNSSEC for additional security

What It Checks

Monitors all DNS records for your domain including A, AAAA, MX, CNAME, TXT, NS, CAA, and SOA records. Tracks changes to detect unauthorized modifications.

Why It Matters

DNS changes can break your website, email, or other services. Unauthorized DNS changes are a common attack vector for domain hijacking and traffic redirection.

Record Types We Monitor

• A & AAAA: Your website's IP addresses
• MX: Email server configuration
• TXT: SPF, DKIM, DMARC, and verification records
• NS: Name server delegation
• CAA: Certificate authority authorization

Understanding Changes

DNS changes can be intentional (server migration, CDN setup) or malicious (hijacking attempt). Always verify changes with your team.

What It Checks

Analyzes HTTP security headers that protect against common web attacks like XSS, clickjacking, MIME sniffing, and data injection.

Why It Matters

Missing security headers leave your site vulnerable to attacks. Modern browsers use these headers to enable built-in security protections.

Headers We Check

• Strict-Transport-Security (HSTS):Forces HTTPS connections to prevent downgrade attacks
• X-Frame-Options:Prevents clickjacking by controlling iframe embedding
• X-Content-Type-Options:Prevents MIME sniffing attacks
• Referrer-Policy:Controls how much referrer information is shared
• Permissions-Policy:Controls browser features like camera, microphone, geolocation

Understanding Grades

How to Fix Issues

Add headers to your web server configuration:

# Nginx
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;

# Apache
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"

What It Checks

Analyzes your Content Security Policy configuration, which controls what resources (scripts, styles, images) can load on your site and from where.

Why It Matters

CSP is your primary defense against XSS (Cross-Site Scripting) attacks. Even if an attacker injects malicious code, a strong CSP prevents it from executing.

What We Analyze

• Policy Presence: Header, report-only, or meta tag
• Unsafe Keywords: 'unsafe-inline', 'unsafe-eval'
• Directive Coverage: script-src, style-src, img-src, etc.
• Modern Features: Nonces, hashes, strict-dynamic
• Protection Directives: object-src, base-uri, frame-ancestors

Common Issues & Fixes

What It Checks

Scans your HTTPS site for resources (scripts, images, CSS) loaded over insecure HTTP connections.

Why It Matters

Modern browsers block or warn about mixed content. Active mixed content (scripts, iframes) is blocked entirely. Passive mixed content (images) shows warnings. This breaks functionality and erodes trust.

Severity Levels

How to Fix Issues

1. Update all resource URLs from http:// to https://
2. Use protocol-relative URLs (//example.com/script.js) if the resource supports both
3. Use Content-Security-Policy: upgrade-insecure-requests to auto-upgrade
4. Test thoroughly after changes

What It Checks

Runs Google PageSpeed Insights on mobile and desktop to measure performance, accessibility, best practices, and SEO scores.

Why It Matters

Page speed affects user experience, conversion rates, and Google rankings. Studies show 1 second delay = 7% reduction in conversions. Google uses Core Web Vitals as ranking signals.

Metrics We Track

• First Contentful Paint (FCP): When first content appears
• Largest Contentful Paint (LCP): Main content loads (Core Web Vital)
• Cumulative Layout Shift (CLS): Visual stability (Core Web Vital)
• Total Blocking Time (TBT): Page interactivity delay
• Speed Index: How quickly content is visually displayed

Understanding Scores

Common Improvements

• Optimize and compress images (use WebP)
• Minify CSS and JavaScript
• Enable compression (gzip/brotli)
• Implement browser caching
• Use a CDN for static assets
• Lazy load images and videos
• Eliminate render-blocking resources

What It Checks

Crawls your website to find broken links, missing images, dead CSS/JavaScript files, and excessive redirects.

Why It Matters

Broken links frustrate users, hurt SEO rankings, and look unprofessional. Google considers broken links a sign of poor site maintenance. Users may leave if they encounter too many 404 errors.

What We Find

• 404 Errors: Pages that don't exist
• 500 Errors: Server errors
• Redirects: Excessive redirect chains
• Timeouts: Resources that take too long to load
• Mixed Content: HTTP resources on HTTPS pages

How to Fix Issues

1. Review the broken links report in your dashboard
2. Update links to correct URLs or remove them
3. Set up 301 redirects for moved pages
4. Create a custom 404 page with helpful navigation
5. Use relative URLs for internal links when possible
6. Regularly audit external links (they change often)

What It Checks

Scans your website for accessibility issues using axe-core following WCAG 2.1 Level AA guidelines. Tests multiple pages from your sitemap.

Why It Matters

15% of the world's population has some form of disability. An inaccessible site excludes millions of potential users. Many countries have legal requirements (ADA, Section 508, EAA). Better accessibility also improves SEO and overall usability.

What We Test

• Color Contrast: Text is readable for low vision users
• Keyboard Navigation: All functionality works without a mouse
• Screen Reader Support: Proper ARIA labels and semantic HTML
• Form Labels: All form fields have proper labels
• Image Alt Text: All images have descriptive alternatives
• Heading Structure: Proper heading hierarchy (H1-H6)

Issue Severity

Page Limits by Plan

What It Checks

Pings your website every hour to verify it's online and responding. Measures response time and tracks downtime incidents.

Why It Matters

Website downtime means lost revenue, frustrated users, and damage to your brand. The faster you know about problems, the faster you can fix them. Studies show 88% of online consumers are less likely to return after a bad experience.

What We Monitor

• Site Status: Up or down
• Response Time: How fast your site responds
• HTTP Status: 200 OK, 404, 500, etc.
• Downtime Duration: How long outages last
• Uptime Percentage: Reliability over time

Understanding Uptime Percentages

Common Downtime Causes

• Server overload or crashes
• DNS configuration issues
• SSL certificate problems
• DDoS attacks
• Hosting provider outages
• Code deployment errors
• Database connection failures