Defaults.Exposed › Fixes
Fix your domain security — free, step-by-step guides
Plain-English guides to fixing every issue we grade — SPF, DKIM, DMARC, DNSSEC, TLS, certificates and HTTP security headers. Each one explains what it is, what it can cost your business, and exactly how to set it up on your provider.
- CAA records
A CAA record is a short instruction in your domain settings that names which certificate companies are allowed to issue the 'padlock' security certificate for your website. With it switched on, no other company can quietly create a valid certificate in your name. - CDN / WAF & hosting
Two reads of the plumbing behind your website: whether you sit behind a protective shield (a CDN with a Web Application Firewall, like Cloudflare) that filters attacks and absorbs traffic spikes, and a map of who actually runs your DNS, website and email. Both are informational on our scoring — they do not move your grade — but they describe how exposed your origin server is to attack and outage, and how tangled your providers are. A shield in front and a sensibly split set of providers is what resilient businesses look like. - Clickjacking protection (X-Frame-Options)
A one-line instruction that tells browsers not to let other websites secretly load your site inside their own. Without it, a scammer can hide your real, logged-in pages behind a fake page and trick your customers into clicking things they never meant to — approving a payment, changing a password, granting access. - Content-Security-Policy (CSP)
A Content Security Policy is a safety rule your website hands to every visitor's browser, telling it exactly which code is allowed to run. Without one, if anything malicious ever lands on a page — through a comment box, a hacked plugin, or a third-party script — the browser will run it freely, including code that quietly skims your customers' card numbers and passwords as they type, with the padlock still showing. - Cross-origin isolation headers (COOP / CORP / COEP)
Three optional browser instructions that control how other websites are allowed to interact with yours — opening it in popups, embedding its images and scripts, or pulling its resources into their own pages. They are modern hardening, not a basic must-have, and on our scoring they are informational: missing them does not lower your grade. But the two safe ones close a quiet phishing and bandwidth-theft gap, and a careful buyer's IT team will notice when they are present. - DKIM
DKIM is the invisible tamper-proof seal on every email your business sends. It lets the receiving mail provider confirm the email genuinely came from you and arrived unchanged. Without it, your mail is easier to fake, easier to alter, and far more likely to land in spam. - DMARC (Email Spoofing Protection)
DMARC is the one setting that actually tells the world's mail providers to BLOCK emails that fake your business's name. SPF and DKIM check the locks; DMARC decides what happens when a forgery fails the check — bin it, flag it, or wave it through. Set wrong, your domain is fully forgeable; set right, impersonation stops at the inbox. - DNSSEC
DNSSEC is a digital seal on your domain's address book. It lets the internet prove that the answer to 'where does this domain live?' really came from you and wasn't tampered with on the way. Without it, the answer can be forged — and your visitors quietly sent somewhere else. - HSTS (Strict-Transport-Security)
HSTS is a one-line instruction your website gives every browser: 'always come back to me over the secure, encrypted connection — never the insecure one.' Without it, your padlock can be quietly stripped away on shared WiFi, and the very first visit to your site is exposed. - HTTPS & forced-secure redirect
HTTPS is the padlock in the browser bar — it encrypts everything that travels between your website and your customers so it can't be read or tampered with in transit. The forced-secure redirect makes sure visitors land on that encrypted version automatically, even when they type your address without 'https://'. Together they are the single most basic thing a website needs to be considered safe at all. - IPv6 support
IPv6 is the newer, much larger version of the internet's addressing system, brought in because the old one (IPv4) has run out of room. Adding IPv6 support means your website and email can be reached over the modern network as well as the old one. On our scoring this is informational — not having it does not lower your grade — but it is a real-world reach issue: a growing slice of mobile and overseas customers connect over IPv6-only networks, and they reach you smoothly only if you support it. The fix is free and lives in your DNS and hosting setup. - MIME-sniffing protection (X-Content-Type-Options)
A one-line header that stops browsers from guessing what a file really is. Without it, a file someone uploads to your site — or a file on your own pages — can be mis-read by the browser and run as code, which is exactly how some attacks turn a harmless-looking upload into a way to steal your customers' sessions. - Modern encryption (TLS version & ciphers)
TLS is the lock that scrambles the data flowing between your visitors and your website. Two things make that lock trustworthy: using a modern version of TLS (not the old, broken ones), and using strong ciphers (the actual scrambling recipe). This page covers both — plus a few related settings that don't affect your grade but are worth knowing about. - MX Records (Mail Setup)
An MX record is the signpost that tells the rest of the world where to deliver email addressed to your domain. If it's missing or broken, every message sent to your business — customer enquiries, password resets, invoices, contracts — bounces straight back to the sender. No MX, no inbox. - Nameserver setup (diversity & SOA)
Your nameservers are the directory that tells the whole internet where to find your website and email. If they all sit on one network and it goes down, your business vanishes from the internet at the same moment — no site, no email, nothing — and a sloppy clock setting on those servers can leave changes you make stuck for days. - Referrer-Policy
A Referrer-Policy is a one-line instruction your website hands to every visitor's browser, controlling how much of your web address travels with them when they click a link to another site. Without it, the full address of whatever page they were on — search terms, account numbers, reset links, internal page paths and all — is quietly handed to the next site they land on, including advertisers, analytics firms, and anywhere else a link points. - Reverse DNS (PTR)
Reverse DNS is the ID badge for the server that sends your business email. When a receiving provider like Gmail or Microsoft 365 looks up who's behind the sending address and gets a name that checks out, your mail looks legitimate. When there's no badge — or the name and number don't agree — your perfectly real invoices and quotes get treated as suspicious and quietly junked or rejected. - SPF (Sender Policy Framework)
SPF is the line in your domain's settings that lists which mail services are allowed to send email as your business. Without it, anyone in the world can send email that looks like it came from you — and your own genuine email is more likely to land in customers' spam. - TLS certificate health
Your SSL/TLS certificate is the digital ID card that proves a visitor is really talking to your website — not an impostor — and powers the padlock in the browser. This check looks at whether that certificate is valid and trusted, not about to expire, and built with strong, modern cryptography.