Scanner detail

What ExposureGrid actually scans

Each section below explains a scanner category in plain English: what we look at, why it matters, and what kind of findings you'll see. Every check is external and non-invasive.


TLS & certificate posture

ExposureGrid completes a TLS handshake against your hostname and inspects the negotiated protocol, cipher, certificate chain, and validity window.

Why it matters

Most browser-facing TLS issues aren't cryptographic breaks. They're misconfigurations: expiring certs, mismatched hostnames, untrusted intermediates, or weak protocol versions left enabled by default.

Example findings

  • Certificate expires in fewer than 14 / 30 days.
  • Hostname does not match any subjectAltName.
  • Server still negotiates TLS 1.0 or 1.1.
  • HSTS missing on a host that already serves HTTPS-only.

Security response headers

ExposureGrid fetches your origin and edge responses and grades the security-relevant headers against what browsers enforce today.

Why it matters

Headers are the cheapest hardening you can ship. Missing or misconfigured headers leave easy wins for clickjacking, MIME sniffing, referrer leakage, and feature-policy abuse.

Example findings

  • Strict-Transport-Security missing or has a short max-age.
  • X-Content-Type-Options not set to nosniff.
  • Referrer-Policy unset, leaking full URLs across origins.
  • Permissions-Policy or COOP/COEP completely absent.
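A checker for the header findings listed above, added here as an example rather than ExposureGrid's own code; the one-year HSTS threshold and the two sample responses are assumptions:

```python
"""Grade a response's security headers against the findings listed above."""
import re

# Assumption: treat any HSTS max-age under one year as "short".
HSTS_MIN_MAX_AGE = 31536000


def grade_headers(headers: dict) -> list:
    """Return finding strings for a dict of response headers.

    Header names are matched case-insensitively, as HTTP requires.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.IGNORECASE)
        if not m or int(m.group(1)) < HSTS_MIN_MAX_AGE:
            findings.append("Strict-Transport-Security has a short max-age")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options not set to nosniff")

    if "referrer-policy" not in h:
        findings.append("Referrer-Policy unset, leaking full URLs across origins")

    for header, label in (("permissions-policy", "Permissions-Policy"),
                          ("cross-origin-opener-policy", "COOP"),
                          ("cross-origin-embedder-policy", "COEP")):
        if header not in h:
            findings.append(f"{label} absent")
    return findings


# Constructed sample responses, not captured from any real host.
WEAK_RESPONSE = {
    "Strict-Transport-Security": "max-age=300",
    "X-Content-Type-Options": "none",
}
HARDENED_RESPONSE = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Embedder-Policy": "require-corp",
}
```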

Content-Security-Policy (CSP)

ExposureGrid parses your CSP and flags weak directives, unsafe primitives, and missing fallbacks.

Why it matters

A weak CSP gives a false sense of XSS protection. ExposureGrid calls out the patterns attackers actually exploit: wildcards, unsafe-inline, missing default-src, and overly broad allowlists.

Example findings

  • default-src missing or set to a wildcard.
  • script-src includes unsafe-inline or unsafe-eval.
  • object-src not explicitly set to 'none'.
  • frame-ancestors missing on a host that should not be embedded.
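A small CSP parser and grader covering the four findings above, added as an example and not ExposureGrid's parser; the two sample policies are constructed:

```python
"""Parse a Content-Security-Policy value and flag the weak patterns listed above."""


def parse_csp(policy: str) -> dict:
    """Split a CSP string into {directive: [source expressions]}.

    Directives are ';'-separated; the first token is the directive name and
    the rest are source expressions. Directive names are case-insensitive.
    """
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        # First occurrence wins: browsers ignore a repeated directive.
        directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def grade_csp(policy: str) -> list:
    """Return finding strings for one CSP header value."""
    d = parse_csp(policy)
    findings = []

    default = d.get("default-src")
    if default is None:
        findings.append("default-src missing")
    elif "*" in default:
        findings.append("default-src set to a wildcard")

    # script-src falls back to default-src when it is not set.
    script = {s.lower() for s in d.get("script-src", default or [])}
    if "'unsafe-inline'" in script:
        findings.append("script-src includes unsafe-inline")
    if "'unsafe-eval'" in script:
        findings.append("script-src includes unsafe-eval")

    # Plugins are blocked only by an explicit object-src 'none'.
    if [s.lower() for s in d.get("object-src", [])] != ["'none'"]:
        findings.append("object-src not explicitly set to 'none'")

    if "frame-ancestors" not in d:
        findings.append("frame-ancestors missing")
    return findings


# Constructed policies for illustration; neither comes from a real site.
WEAK_CSP = "script-src 'self' 'unsafe-inline' *; img-src *"
STRONG_CSP = ("default-src 'none'; script-src 'self'; object-src 'none'; "
              "frame-ancestors 'none'; base-uri 'self'")
```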

CORS configuration

ExposureGrid probes Access-Control-Allow-Origin behavior on representative endpoints and checks for credentialed-origin reflection.

Why it matters

Loose CORS policies are a common path to data exfiltration and CSRF bypass, especially when combined with cookies and SameSite=None.

Example findings

  • Access-Control-Allow-Origin reflects the request Origin.
  • Wildcard origin combined with Allow-Credentials.
  • Missing Vary: Origin on origin-aware responses.
  • Origins explicitly trusted that shouldn't be.
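An evaluator for the CORS findings above, added as an example rather than ExposureGrid's probe; it grades already-captured headers instead of sending requests, and the probe origin, the sample responses and the `trusted` set are constructed assumptions:

```python
"""Grade CORS response headers against the findings listed above."""


def grade_cors(request_origin: str, headers: dict, trusted=frozenset()) -> list:
    """Return findings for one response to a request that carried Origin.

    `trusted` is the set of origins that are meant to be allowed (assumption:
    the operator supplies it); any other origin that receives an origin-specific
    Access-Control-Allow-Origin is either reflection or an unwanted trust.
    """
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    vary = {v.strip().lower() for v in h.get("vary", "").split(",")}
    findings = []

    if acao is None:
        return findings  # response is not origin-aware at all

    if acao == "*":
        if creds:
            findings.append("Wildcard origin combined with Allow-Credentials")
        return findings  # a wildcard does not depend on Origin, so no Vary needed

    if acao == request_origin and request_origin not in trusted:
        findings.append("Access-Control-Allow-Origin reflects the request Origin")
    elif acao not in trusted:
        findings.append(f"Origin {acao} explicitly trusted but not on the intended list")
    if "origin" not in vary:
        findings.append("Missing Vary: Origin on origin-aware response")
    return findings


# Constructed probe: an origin nobody should trust, and the responses it got.
PROBE_ORIGIN = "https://probe.invalid"
REFLECTING_RESPONSE = {
    "Access-Control-Allow-Origin": "https://probe.invalid",
    "Access-Control-Allow-Credentials": "true",
    "Content-Type": "application/json",
}
WILDCARD_CREDS_RESPONSE = {
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
}
GOOD_RESPONSE = {
    "Access-Control-Allow-Origin": "https://app.example.com",
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin, Accept-Encoding",
}
```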

Cookie hygiene

ExposureGrid inspects every Set-Cookie response header and grades cookies on Secure, HttpOnly, SameSite, scope, and naming conventions.

Why it matters

Auth cookies without HttpOnly are XSS-readable. Missing Secure leaks them on plaintext links. A wide Domain= scope leaks them to unrelated subdomains. These are still the most common cookie findings in the wild.

Example findings

  • Session cookie missing HttpOnly.
  • Cookie set without Secure on an HTTPS host.
  • SameSite=None without Secure (rejected by current browsers).
  • Domain=.example.com on a session cookie that should be host-scoped.
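A Set-Cookie grader for the findings above, added as an example and not ExposureGrid's code; the session-cookie name heuristic and the sample headers are assumptions:

```python
"""Grade Set-Cookie headers on the attributes listed above."""
# Assumption: a cookie whose name contains one of these is a session/auth cookie.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token")


def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie value into its name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        k, _, v = attr.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return {"name": name.strip(), "value": value, "attrs": attrs}


def is_session_cookie(name: str) -> bool:
    return any(hint in name.lower() for hint in SESSION_NAME_HINTS)


def grade_cookie(header: str, https_host: bool = True) -> list:
    """Return finding strings for one Set-Cookie header."""
    cookie = parse_set_cookie(header)
    name, attrs = cookie["name"], cookie["attrs"]
    session = is_session_cookie(name)
    findings = []
    if session and "httponly" not in attrs:
        findings.append(f"{name}: session cookie missing HttpOnly")
    if https_host and "secure" not in attrs:
        findings.append(f"{name}: set without Secure on an HTTPS host")
    if attrs.get("samesite", "").lower() == "none" and "secure" not in attrs:
        findings.append(f"{name}: SameSite=None without Secure (rejected by current browsers)")
    domain = attrs.get("domain", "").lstrip(".")
    if session and domain:
        findings.append(f"{name}: Domain={domain} on a session cookie that should be host-scoped")
    return findings


def grade_response_cookies(set_cookie_headers: list, https_host: bool = True) -> list:
    """Grade every Set-Cookie header from one response."""
    return [f for h in set_cookie_headers for f in grade_cookie(h, https_host)]


# Constructed Set-Cookie headers, not captured from a real host.
SAMPLE_COOKIES = [
    "sessionid=abc123; Path=/; Domain=.example.com; SameSite=None",
    "theme=dark; Path=/; Secure; SameSite=Lax",
    "csrftoken=xyz; Path=/; Secure; HttpOnly; SameSite=Strict",
]
```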

DNS governance & posture

ExposureGrid resolves your authority chain, nameserver dispersion, and key record types, and flags risky CNAME and dangling-record patterns.

Why it matters

DNS is your sovereign perimeter. Stale records and concentrated authority are how subdomain-takeover and impersonation incidents start.

Example findings

  • All nameservers concentrated on a single provider with no diversity.
  • CNAME pointing to a third-party origin that no longer exists.
  • Wildcard A/AAAA records with unclear ownership.
  • Inconsistent SOA / TTL hygiene across the zone.

Mail-authentication posture

ExposureGrid resolves SPF, DKIM, DMARC, and MTA-STS records for your apex and mail subdomains and grades them against current phishing-resistance baselines.

Why it matters

Even if you don't send mail from a domain, attackers can spoof it. A correct DMARC posture (reject plus alignment) is one of the highest-ROI brand-safety controls you can ship.

Example findings

  • Missing DMARC record on a parked or transactional domain.
  • DMARC policy left at p=none with no reporting destinations.
  • SPF includes a sprawling include: chain that exceeds the 10-lookup limit.
  • MTA-STS not published for mail-receiving domains.
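A lookup counter for the SPF include-chain finding above, added as an example rather than ExposureGrid's resolver; it walks a constructed in-memory zone instead of live DNS, and every domain in it is made up:

```python
"""Count the DNS lookups an SPF record triggers across include: and redirect= chains.

Added example, not ExposureGrid's resolver: it walks a constructed in-memory
zone map instead of live DNS. RFC 7208 caps lookup-causing terms at 10.
"""

LOOKUP_LIMIT = 10
LOOKUP_MECHANISMS = ("include", "a", "mx", "ptr", "exists")

# Constructed TXT records keyed by domain (assumption: exactly one SPF record each).
ZONE = {
    "example.com": "v=spf1 include:_spf.mailvendor.example include:crm.example mx a -all",
    "_spf.mailvendor.example": "v=spf1 include:a.mailvendor.example include:b.mailvendor.example ~all",
    "a.mailvendor.example": "v=spf1 ip4:192.0.2.0/24 a mx -all",
    "b.mailvendor.example": "v=spf1 ip4:198.51.100.0/24 exists:%{i}.x.example -all",
    "crm.example": "v=spf1 redirect=_spf.crm.example",
    "_spf.crm.example": "v=spf1 a mx ptr -all",
}


def count_spf_lookups(domain: str, zone: dict, seen=None) -> int:
    """Return how many DNS lookups evaluating domain's SPF record would cost."""
    seen = set() if seen is None else seen
    if domain in seen:
        return 0  # include/redirect loop: already counted, stop recursing
    seen.add(domain)
    record = zone.get(domain, "")
    if not record.startswith("v=spf1"):
        return 0  # no SPF record here; the include itself was still one lookup
    total = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")  # drop the qualifier
        if "=" in term and ":" not in term:  # modifier, e.g. redirect=
            mod, _, target = term.partition("=")
            if mod.lower() == "redirect":
                total += 1 + count_spf_lookups(target, zone, seen)
            continue
        name, _, target = term.partition(":")
        name = name.split("/")[0].lower()  # "a/24" and "mx/24" still count
        if name in LOOKUP_MECHANISMS:
            total += 1
            if name == "include":
                total += count_spf_lookups(target, zone, seen)
    return total


def spf_finding(domain: str, zone: dict):
    n = count_spf_lookups(domain, zone)
    if n > LOOKUP_LIMIT:
        return f"{domain}: SPF include chain needs {n} DNS lookups, exceeding the 10-lookup limit"
    return None
```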

Origin & edge context

ExposureGrid surfaces the CDN, hosting, and edge configuration signals visible from outside, so you can see who actually serves your traffic.

Why it matters

Real attack surface lives behind layers of CDNs, proxies, and edge configurations. Knowing where requests actually terminate (and where headers are added or stripped) is critical context for any finding.

Example findings

  • Headers added by an intermediate CDN that mask origin posture.
  • Conflicting headers between origin and edge responses.
  • Different TLS posture at edge versus origin.

Trust & coverage signals

Every ExposureGrid scan publishes an explicit coverage statement: which checks were planned, which succeeded, which were skipped, and why.

Why it matters

Being honest about what was actually checked is a security posture in itself. ExposureGrid never silently degrades a scan into a fake clean result.

Example findings

  • Mail-auth checks skipped because the domain has no mail records.
  • TLS checks failed because the host did not respond on 443.
  • Headers checks marked partial because the origin returned a non-200 status.

Honest scope

What ExposureGrid intentionally does not do

ExposureGrid is an external posture scanner. It gives you safe, repeatable visibility into the configuration drift that drives most web exposure incidents.

ExposureGrid is not a penetration test, a vulnerability exploitation engine, or a fuzzer. It doesn't test credentials, attempt to bypass auth, execute payloads, or do anything that could be considered intrusive against a target.

ExposureGrid is meant to complement, not replace, deeper assurance work such as manual penetration testing, source-code review, runtime monitoring, and formal compliance programs.

See these checks running on your domain.

Run a free public scan and look at real findings, evidence, and remediation guidance from each category above.