Get paged when a security header disappears.
A one-time scan tells you your header posture today. But the dangerous change is the header you set months ago that a routine deploy silently strips. Merlonix re-checks your response security headers on a schedule and alerts you the moment one regresses.
How it works
01 Turn it on for an asset
Enable HTTP security-header monitoring on any monitored asset. It costs nothing extra to run — one deterministic homepage request per check, no crawling, no AI.
02 We re-grade on your cadence
On the asset’s normal check cadence, Merlonix fetches the homepage and grades the six core response headers, recording which are present and an A–F letter grade over time.
03 We watch for a regression
When a header that used to be present goes missing between two definitive checks — a deploy drops HSTS, a proxy config strips CSP — that transition is a genuine, low-noise regression, not a one-off blip.
04 You get an alert
A dropped header pages you with a warning naming exactly which header disappeared; when it comes back you get an info recovery alert. An unreachable site records an “unknown” and never alerts.
Headers we watch
The six core headers, re-checked on a schedule.
We grade the same headers a good scanner does — then keep grading them, so a header that quietly disappears becomes an alert instead of a surprise on your next audit.
Why continuous beats a one-time scan
Catch the silent deploy regression
The dangerous case isn’t the header you never set — it’s the one you set months ago that a routine deploy or a proxy change silently strips. A one-time scan you ran at launch can’t see that; a scheduled re-check does.
Header quality, not just presence
We go past a checkbox: we flag an HSTS header that is published but effectively off (max-age 0) and count Set-Cookie headers missing the Secure flag — posture problems a present/absent scanner reports as “fine.”
One panel with the rest of your posture
Header regressions land in the same alert stream and asset detail as your SSL expiry, DNS, DNSSEC and uptime checks — so a header drop reaches the same person, the same way, as everything else you monitor.
What we promise — and what we don’t
We watch your headers. We don’t change your server.
Merlonix re-checks your six core response security headers on your asset’s cadence and alerts you when a present header disappears. It is informational — the grade is not folded into a pass/fail score, and an unreachable site is recorded as unknown, never an alert. We tell you, continuously and precisely, which header regressed; the fix — restoring the header at your origin, proxy, or CDN — lives on your side. No fabricated grades, no guarantees about your security beyond what the headers themselves say.
Common questions
How is this different from a one-time security-header scan?
A scanner (including our own free /tools/security-headers tool) tells you your header posture at the moment you run it. Continuous monitoring re-checks the same six core headers on your asset’s schedule and alerts you when one that used to be present silently disappears — the regression a one-time scan run at launch can never catch.
Which headers do you check?
The six core response security headers: Strict-Transport-Security (HSTS), Content-Security-Policy (CSP), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. We also flag two quality issues a present/absent check misses: an HSTS header that is effectively disabled (max-age 0) and Set-Cookie headers missing the Secure flag.
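The grading step described in “We re-grade on your cadence” and in the answer above, as an added example that is not Merlonix’s own code: it takes one response’s headers as received, records which of the six core headers are present, and raises the two quality flags the page names (HSTS with max-age 0, Set-Cookie without Secure). The letter-grade cutoffs in GRADE_BY_PRESENT_COUNT and the sample response are assumptions constructed for the example; the page does not publish its scale.

```python
# Added example (not Merlonix code): grade one HTTP response's security
# headers the way the page describes. The six core header names and the two
# quality flags come from the page; the A-F cutoffs are an assumption.
import re
from dataclasses import dataclass, field

CORE_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
    "permissions-policy",
)

# Assumed scale: one letter per missing core header, F below three present.
GRADE_BY_PRESENT_COUNT = {6: "A", 5: "B", 4: "C", 3: "D"}


@dataclass
class HeaderReport:
    present: set = field(default_factory=set)
    missing: set = field(default_factory=set)
    findings: list = field(default_factory=list)
    grade: str = "F"


def _hsts_max_age(value: str):
    """Return the integer max-age directive of an HSTS value, or None."""
    m = re.search(r"max-age\s*=\s*\"?(\d+)", value, re.IGNORECASE)
    return int(m.group(1)) if m else None


def _cookie_has_secure(value: str) -> bool:
    # Attributes are ';'-separated; match the Secure attribute itself, not a
    # cookie name or value that merely contains the word.
    return re.search(r";\s*secure\s*(?:;|$)", value, re.IGNORECASE) is not None


def grade_headers(raw_headers) -> HeaderReport:
    """raw_headers: list of (name, value) pairs exactly as received.
    Header names are case-insensitive and Set-Cookie may repeat, so the
    input is a list rather than a dict."""
    by_name: dict = {}
    for name, value in raw_headers:
        by_name.setdefault(name.lower(), []).append(value)

    report = HeaderReport()
    for h in CORE_HEADERS:
        (report.present if h in by_name else report.missing).add(h)

    # Quality flag 1: HSTS is published but effectively off (max-age 0).
    for v in by_name.get("strict-transport-security", []):
        if _hsts_max_age(v) == 0:
            report.findings.append("hsts-max-age-zero")

    # Quality flag 2: Set-Cookie headers without the Secure attribute.
    insecure = [v for v in by_name.get("set-cookie", []) if not _cookie_has_secure(v)]
    if insecure:
        report.findings.append(f"set-cookie-without-secure:{len(insecure)}")

    report.grade = GRADE_BY_PRESENT_COUNT.get(len(report.present), "F")
    return report


# Constructed sample response: five of six core headers, HSTS switched off,
# one of two cookies lacking Secure.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Strict-Transport-Security", "max-age=0"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/; Secure; SameSite=Lax"),
]

if __name__ == "__main__":
    r = grade_headers(SAMPLE_HEADERS)
    print(r.grade, sorted(r.missing), r.findings)
```

The input is kept as the raw list of name/value pairs rather than a dict on purpose: a dict keyed by header name silently keeps only one Set-Cookie, which is exactly the header whose every instance needs the Secure check.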
When does it alert me?
When a core header goes from present to absent between two definitive checks, you get a warning alert naming the dropped header. When it is restored, you get an info recovery alert. If the site is unreachable or returns a non-2xx response, the check is recorded as “unknown” and never alerts — so a transient outage is never misread as a header regression.
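The alerting rules in the answer above and in steps 03 and 04 of “How it works”, as an added example that is not Merlonix’s own code: a history of scheduled checks is walked in time order, each reachable 2xx check is compared only with the previous reachable 2xx check, a present-to-absent transition raises a warning, the header’s return raises an info recovery, and an unreachable or non-2xx check is “unknown” and produces nothing. The Check record, timestamps, status codes and header sets are constructed for the example.

```python
# Added example (not Merlonix code): derive alerts from a history of
# scheduled header checks using the rules the page states. Timestamps, status
# codes and header sets below are constructed.
from dataclasses import dataclass
from typing import Optional

CORE_HEADERS = (
    "strict-transport-security", "content-security-policy", "x-frame-options",
    "x-content-type-options", "referrer-policy", "permissions-policy",
)


@dataclass(frozen=True)
class Check:
    at: str                   # when the check ran (constructed label)
    status: Optional[int]     # HTTP status of the homepage, None if unreachable
    present: frozenset        # lower-cased core headers seen in the response


def is_definitive(check: Check) -> bool:
    """Only a reachable 2xx response says anything about header posture;
    anything else is recorded as 'unknown' and never compared."""
    return check.status is not None and 200 <= check.status < 300


def alerts_from_history(history):
    """Walk checks in time order, compare each definitive check with the
    previous definitive one, and return (at, level, header, event) tuples."""
    alerts = []
    last_definitive = None
    open_regressions = set()      # headers currently known to have dropped
    for chk in history:
        if not is_definitive(chk):
            continue              # 'unknown': skipped, never an alert
        if last_definitive is not None:
            for h in CORE_HEADERS:
                was, now = h in last_definitive.present, h in chk.present
                if was and not now:
                    open_regressions.add(h)
                    alerts.append((chk.at, "warning", h, "dropped"))
                elif not was and now and h in open_regressions:
                    # Recovery only closes a regression we alerted on; a header
                    # that was never present and now appears is not a recovery.
                    open_regressions.discard(h)
                    alerts.append((chk.at, "info", h, "restored"))
        last_definitive = chk
    return alerts


ALL = frozenset(CORE_HEADERS)

# Constructed history: an outage and a 503 sit between definitive checks and
# must not be read as every header vanishing.
SAMPLE_HISTORY = [
    Check("t1", 200, ALL),
    Check("t2", None, frozenset()),                           # unreachable -> unknown
    Check("t3", 200, ALL - {"strict-transport-security"}),    # deploy dropped HSTS
    Check("t4", 503, frozenset()),                             # non-2xx -> unknown
    Check("t5", 200, ALL - {"content-security-policy"}),      # HSTS back, CSP gone
    Check("t6", 200, ALL),                                     # CSP back
]

if __name__ == "__main__":
    for event in alerts_from_history(SAMPLE_HISTORY):
        print(*event)
```

Comparing against the last definitive check rather than the immediately preceding one is what keeps a transient outage from being misread as a regression: the unreachable check at t2 and the 503 at t4 carry an empty header set, and a naive adjacent-pair diff would page on all six headers twice.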
Does the header grade affect a pass/fail score?
No. Security-header monitoring is informational: the letter grade and the alerts stand on their own and are not folded into any aggregate health or compliance score. That keeps the monitored check consistent with the free scanner and the audit report, which also keep the header grade out of scoring.
How much does it cost to run?
The check itself is a single deterministic homepage request on your existing check cadence — no AI, no third-party API, no per-check fee. It is available to enable on your monitored assets; see the pricing page for which plan fits the assets you want to watch.
Stop finding out at your next audit.
Turn on security-header monitoring and get paged the moment a header regresses. Start the full-workspace trial — 14 days, no card.