Docs Getting Started — Security Monitoring Setup

Getting started

Guardr scans your site externally — no code changes, no agents, no server access required. This guide walks you through adding a site, reading your security score and setting up alerts so you know the moment something changes.

1 — Add your first site

From the dashboard, click Add site and enter your domain — for example example.com. You do not need to include https://. Guardr normalises the input and begins a full external scan immediately.

The first scan typically completes within 30 seconds. Once done, your site appears in the dashboard with an A–F security grade and a list of findings sorted by severity.

Free plan: the top 3 critical/high-severity findings are shown in full. The remaining findings are blurred with an upgrade prompt. All findings are visible on Solo+.

Each plan has a site limit. You can manage or remove sites at any time from Dashboard → Sites.

Plan      Sites   Scan frequency   History
Free      1       Weekly           7 days
Solo      5       Daily            14 days
Starter   15      Daily            30 days
Pro       50      Every 6 hours    90 days
Agency    150     Hourly           1 year

2 — Understanding your security score

Every site receives a letter grade from A (best) to F (worst), calculated from a weighted score across five scan categories. The numeric score runs 0–100.

Category Weight What is checked
TLS / SSL 28% HTTPS enforcement, HTTP→HTTPS redirects, HSTS header, redirect chain depth, certificate expiry
Security headers 28% Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy
Exposure paths 20% Publicly accessible .git, .env, phpinfo.php, WordPress admin and other sensitive paths
Cookie security 14% Secure flag, HttpOnly flag and SameSite attribute on authentication and session cookies
DNS security 10% DNSSEC validation, CAA records (checked via DNS-over-HTTPS)

In addition to the graded categories, Guardr scans your live JavaScript bundles for exposed API keys — OpenAI, Anthropic, Stripe (live keys), AWS access keys, Google AI / Gemini keys and Supabase service_role JWTs. A confirmed secret drops the exposure score to 0 and will lower your overall grade.

Free plan — what "Basic security score" means: you receive the full A–F grade and overall numeric score. The findings list shows the top 3 critical and high-severity issues in full, including remediation instructions. All remaining findings are blurred with an upgrade prompt. Upgrade to Solo+ to see every issue and fix.

The grade thresholds and per-category scoring weights are documented in detail on the Methodology page.
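The weighted score and the effect of a confirmed secret, as an added example (not Guardr's own scanner). The category weights are the ones in the table above; the key-shape patterns and the JWT check are this example's assumptions about what "exposed API keys" look like, and the sample bundle is constructed.

```python
import base64
import json
import re

# Category weights from the scoring table above (percent of the 0-100 score).
WEIGHTS = {"tls": 28, "headers": 28, "exposure": 20, "cookies": 14, "dns": 10}
# Approximate key-shape patterns for the secret types listed above; these are
# assumptions of this example, not Guardr's detection rules.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "stripe_live_key": re.compile(r"\bsk_live_[0-9A-Za-z]{16,}\b"),
    "openai_or_anthropic_key": re.compile(r"\bsk-(?:ant-)?[A-Za-z0-9_-]{20,}"),
    "google_ai_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
}
JWT_RX = re.compile(r"\beyJ[A-Za-z0-9_-]+\.([A-Za-z0-9_-]+)\.[A-Za-z0-9_-]+")

def _b64url(obj):
    """Base64url-encode a JSON object without padding (JWT segment encoding)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

def _is_service_role_jwt(payload_segment):
    """True if a JWT payload segment decodes to JSON with role == service_role."""
    padded = payload_segment + "=" * (-len(payload_segment) % 4)
    try:
        claims = json.loads(base64.urlsafe_b64decode(padded))
    except (ValueError, UnicodeDecodeError):
        return False
    return isinstance(claims, dict) and claims.get("role") == "service_role"

def find_exposed_secrets(bundle_text):
    """Return the sorted names of secret types present in a JS bundle."""
    found = {name for name, rx in SECRET_PATTERNS.items() if rx.search(bundle_text)}
    if any(_is_service_role_jwt(m.group(1)) for m in JWT_RX.finditer(bundle_text)):
        found.add("supabase_service_role_jwt")
    return sorted(found)

def overall_score(category_scores, secret_found=False):
    """Weighted 0-100 score; a confirmed secret zeroes the exposure category."""
    scores = dict(category_scores)
    if secret_found:
        scores["exposure"] = 0
    return round(sum(WEIGHTS[c] * scores[c] for c in WEIGHTS) / 100, 1)

# Constructed sample bundle: AWS's documented example key ID plus a fake
# service_role token with a dummy signature.
SAMPLE_BUNDLE = (
    'const cfg={region:"us-east-1",key:"AKIAIOSFODNN7EXAMPLE"};'
    + 'const sb="' + _b64url({"alg": "HS256"}) + "." + _b64url({"role": "service_role"}) + '.sig";'
)
```

A bundle with a secret scores 80 even when every category is otherwise perfect, which is why the check is worth running before deployment rather than after the scan.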

Reading the findings list

Each finding shows its severity (critical, high, medium or low), the affected category and platform-specific remediation instructions for Cloudflare, Nginx and Apache. Apply the fix for your platform and re-scan to confirm the issue is resolved.

3 — Configure alerts

Guardr sends email alerts when your site changes state. Alerts are configured per site from the Alerts section on the site detail page. Each alert type has an independent cooldown to prevent repeated notifications for the same condition.

Alert types

Alert Plan Trigger
Downtime Free+ 3 out of 3 global regions confirm the site is unreachable (see Uptime monitoring)
Recovery Free+ Site returns to reachable after a confirmed outage
Grade drop Solo+ Security grade drops by one or more levels (e.g. B → C)
SSL expiry Solo+ TLS certificate expires within 30 days (first alert) or 7 days (second alert)
Weekly summary Free+ Scheduled weekly digest of score, top issues and SSL status — content varies by plan

What a grade-drop alert contains

When Guardr detects a grade drop, the email includes:

  • The old and new grade (e.g. C → C-)
  • A list of newly detected issues since the previous scan
  • The new numeric score and detection timestamp
  • A View Details link to your dashboard where you can open the site and review the scan history

4 — Uptime monitoring

Guardr probes each site on a regular interval using an HTTP HEAD request with a GET fallback. The probe interval depends on your plan.

Plan      Probe interval
Free      Every 5 minutes
Solo      Every 5 minutes
Starter   Every 3 minutes
Pro       Every 1 minute
Agency    Every 1 minute

How outage confirmation works

A single failed probe does not trigger an alert. On the first failure, Guardr fans out to three independent Durable Object probes in separate global regions:

  • enam — US East
  • weur — Western Europe
  • apac — Asia Pacific

All three regions must confirm the failure (3/3) for Guardr to record a real outage and fire an alert. If fewer than two regions confirm, the check is recorded as a transient blip and no alert fires. This prevents false alarms from regional network issues or brief WAF responses.

Once monitoring has started, a 3-region verified badge appears in the uptime dashboard to indicate that the monitoring system uses multi-region confirmation.

Response codes

Not every non-200 response means the site is down. Guardr treats the following codes as expected behaviour and records the site as UP:

  • 403, 429, 503 — WAF blocks, rate limits and maintenance responses
  • 520, 521, 522, 524, 527 — Cloudflare transient errors (not alerted)

The following codes are treated as real failures that contribute to outage confirmation:

  • 523 — Origin unreachable
  • 530 — DNS resolution failure
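The confirmation logic described in this section, as an added example (not Guardr's code): the status-code classes come from the lists above and the three regions from the fan-out list; treating a missing response (timeout) and any code outside those lists as a failure is this example's assumption, and the fan-out results are constructed.

```python
# Status-code classes from the "Response codes" list above.
EXPECTED_UP = {403, 429, 503}                     # WAF, rate limit, maintenance
CLOUDFLARE_TRANSIENT = {520, 521, 522, 524, 527}  # recorded UP, never alerted
REAL_FAILURE = {523, 530}                         # origin unreachable, DNS failure
REGIONS = ("enam", "weur", "apac")                # US East, Western Europe, Asia Pacific

def classify_probe(status):
    """Map one probe result to 'up' or 'down'.

    status is the HTTP status code, or None when no response came back at all
    (timeout, connection refused). Treating None and any code outside the lists
    above as 'down' is this example's assumption.
    """
    if status is None or status in REAL_FAILURE:
        return "down"
    if status in EXPECTED_UP or status in CLOUDFLARE_TRANSIENT or 200 <= status < 400:
        return "up"
    return "down"

def confirm_outage(region_results):
    """Apply the 3/3 rule to the fan-out results.

    region_results maps region -> status (or None). Only a unanimous 'down'
    verdict is recorded as an outage; anything less is a blip with no alert.
    """
    missing = set(REGIONS) - set(region_results)
    if missing:
        raise ValueError(f"no probe result from {sorted(missing)}")
    verdicts = {r: classify_probe(region_results[r]) for r in REGIONS}
    down = [r for r, v in verdicts.items() if v == "down"]
    record = {"regions": verdicts, "down_count": len(down)}
    record["verdict"] = "outage" if len(down) == len(REGIONS) else "blip"
    record["alert"] = record["verdict"] == "outage"
    return record

def evaluate_check(first_probe_status, fan_out):
    """One scheduled check: a failing first probe triggers the 3-region fan-out.

    fan_out is a callable returning {region: status}; it is injected so the
    logic can be exercised offline with constructed results.
    """
    if classify_probe(first_probe_status) == "up":
        return {"verdict": "up", "alert": False}
    return confirm_outage(fan_out())
```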

5 — Slack, Teams and Discord webhooks

Pro+

On Pro and Agency plans, Guardr can post alert notifications to a Slack, Teams or Discord channel via incoming webhooks. Configure the webhook URL in the Alerts section on the site detail page, under Webhook.

Slack

  1. In Slack, go to Apps → Incoming Webhooks and create a new webhook for your target channel.
  2. Copy the webhook URL (starts with https://hooks.slack.com/services/…).
  3. Paste it into the Webhook field in the Alerts section and save.

Teams

  1. In Teams, open the channel you want to receive alerts in.
  2. Click ⋯ → Connectors → Incoming Webhook → Configure.
  3. Copy the generated webhook URL and paste it into the Webhook field in the Alerts section.

Discord

  1. In Discord, open your server and go to Server Settings → Integrations → Webhooks.
  2. Click New Webhook, select your target channel and copy the webhook URL.
  3. Paste it into the Webhook field in the Alerts section and save.

Webhook alerts fire for the same events as email alerts: downtime, recovery and grade drops. You can have both email and webhook active simultaneously — they are independent.

6 — API keys

Solo+

API keys let you query scan results and trigger scans programmatically. Keys are managed from Dashboard → Settings → API Access.

Generate a key

  1. Go to Dashboard → Settings → API Access and click Create API key.
  2. Enter an optional label (e.g. "CI pipeline") and click Create key.
  3. Copy the key immediately — it is displayed only once and cannot be retrieved again.

Revoke a key

Click Revoke next to any key to invalidate it. Revocation takes effect immediately: any request still using the revoked key is rejected from that moment on.

Quotas

Guardr enforces two independent limits on API usage:

Per-domain rescan TTL. After triggering a scan for a domain via POST /v1/scan, the same key cannot rescan that domain until the TTL window expires. The window varies by plan:

Plan      Keys   Per-domain rescan window   Burst limit
Free      1      7 days                     5 req/min
Solo      1      24 hours                   15 req/min
Starter   1      24 hours                   30 req/min
Pro       2      6 hours                    60 req/min
Agency    5      1 hour                     120 req/min

Burst limit. Each key is capped at a per-minute request rate regardless of domain. Exceeding either limit returns 429 with an error field of quota_exceeded or rate_limit_exceeded and a retry_after value in seconds.

Scanning multiple domains

A bulk scan endpoint is not yet available. To scan multiple domains, call POST /v1/scan in a loop with a delay between requests to stay within your burst limit.
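The loop described above with the 429 handling from the Quotas section, as an added example (not Guardr's client code). The burst limits come from the table above and the error/retry_after fields from the text; the request body shape, the injected post() callable (which is assumed to add the API key and base URL) and the FakeScanAPI responses are this example's constructions.

```python
import time

# Burst limits from the quota table above (requests per minute, per key).
BURST_LIMIT = {"free": 5, "solo": 15, "starter": 30, "pro": 60, "agency": 120}

def scan_domains(domains, plan, post, sleep=time.sleep, max_retries=3):
    """Trigger POST /v1/scan per domain, paced to the plan's burst limit.

    post(path, json_body) -> (status, body_dict) is injected; wrapping a real
    HTTP client, adding the API key and the base URL is left to it (assumption).
    On 429 the loop honours retry_after for rate_limit_exceeded, but a
    quota_exceeded response (per-domain rescan TTL) is not retried, because
    that window lasts hours or days.
    """
    spacing = 60.0 / BURST_LIMIT[plan]  # even pacing keeps us under the cap
    results = {}
    for domain in domains:
        for attempt in range(max_retries + 1):
            status, body = post("/v1/scan", {"domain": domain})
            if status == 429:
                err = body.get("error")
                if err == "quota_exceeded" or attempt == max_retries:
                    results[domain] = ("skipped", err)
                    break
                sleep(body.get("retry_after", spacing))
                continue
            results[domain] = ("ok" if status < 300 else "error", status)
            break
        sleep(spacing)
    return results

class FakeScanAPI:
    """Constructed stand-in for the endpoint: a scripted response list per domain."""
    def __init__(self, script):
        self.script = {d: list(r) for d, r in script.items()}
        self.calls = []
    def post(self, path, body):
        self.calls.append((path, body["domain"]))
        responses = self.script[body["domain"]]
        # Replay the last scripted response once the list is exhausted.
        return responses.pop(0) if len(responses) > 1 else responses[0]
```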

For full endpoint documentation, authentication details and migration from SecurityHeaders.com, see the API reference.
