Security Guides
Plain-English explanations of every check SiteAlertAI runs — what each one means, why it matters, and exactly how to fix it.
What Is HSTS and How Do I Enable It?
HTTP Strict Transport Security forces browsers to use HTTPS. Learn what HSTS does, how the preload list works, and how to enable it safely.
Content-Security-Policy Explained (and How to Fix a Weak One)
A Content-Security-Policy limits where scripts and other resources can load from. Learn how to write an effective CSP and avoid unsafe-inline.
Mixed Content: Why Your HTTPS Padlock Breaks
Mixed content is an insecure http:// resource loaded by an https:// page. Learn the difference between active and passive mixed content and how to fix it.
CAA Records: Control Which CAs Can Issue Your Certificates
A CAA DNS record restricts which certificate authorities may issue certificates for your domain. Learn how to add one and why it reduces mis-issuance risk.
security.txt: How Researchers Report Vulnerabilities to You
A security.txt file (RFC 9116) publishes a contact for reporting security issues. Learn where to put it and what to include.
Subdomain Takeover: The Dangling DNS Risk
A subdomain takeover happens when a CNAME points to a de-provisioned cloud service an attacker can claim. Learn how to find and fix dangling records.
TLS Cipher Strength: Forward Secrecy, AEAD and Weak Ciphers
Not all TLS ciphers are equal. Learn what forward secrecy and AEAD mean, and which weak ciphers (RC4, 3DES, CBC) to disable.
__Host- and __Secure- Cookie Prefixes Explained
Cookie prefixes let the browser enforce that a cookie is set securely. Learn the __Host- and __Secure- rules and why they prevent cookie attacks.