Most site owners think of security as a single question - is my site secure, or is it not ? The answer they usually point to is the padlock icon in the browser's address bar. If the padlock is there, the site is secure. If it is not, something is wrong.

That padlock means one thing - the connection between the visitor's browser and your server is encrypted using TLS. That is genuinely important. Without it, every piece of data the visitor sends or receives travels in plain text across every network between them and your server. But encryption is not the same as protection. A site with a valid certificate can still be vulnerable to clickjacking, where an attacker loads your page inside an invisible frame. It can still leak session cookies to an injected script. It can still be impersonated in phishing emails because no DNS authentication records exist.

None

The padlock means encrypted, not protected.

Security professionals describe this problem using a concept called defense in depth. Rather than relying on a single control, you build multiple independent layers, each covering a different attack surface. Think of it like a building. A locked front door is important, but it works better alongside window locks, an alarm system, security cameras, and a safe for valuables. Each layer protects against a different kind of threat, and together they make the building far harder to breach than any single lock would on its own.

For websites, defense in depth means six distinct layers of protection, arranged like concentric rings around the thing you are ultimately trying to protect, the visitor's session.

A valid TLS certificate secures the connection. It says nothing about what happens once data arrives at either end. Every section below covers a layer that HTTPS alone cannot defend.

The Six Rings of Defense

The diagram below shows all six layers arranged as concentric circles. The visitor's session sits at the center because that is what every layer exists to protect. Each ring outward is another defense an attacker must bypass to reach it.

None

The key insight is that these rings are not interchangeable. Each one covers a different category of attack. A strong Transport layer does not compensate for missing security headers, and perfect headers do not help if session cookies are misconfigured. The sections below walk through each ring from the inside out, explaining what it protects, what it defends against, and what happens to the rings inside it when it fails.

Ring 1: Session and Identity

This is the innermost ring because it is the thing every other layer exists to protect. When a visitor logs into your site, the server creates a session and hands the browser a token, usually stored in a cookie, that represents the visitor's identity. Every subsequent request includes that token to prove who the visitor is. If an attacker gets hold of that token, they become the visitor. They can read private data, change account settings, make purchases, or do anything the real user could do.

Protecting this ring comes down to how session tokens are stored and transmitted. Cookie flags are the primary mechanism.

Beyond cookie flags, this ring also includes authentication design decisions, how long sessions last before they expire, whether tokens are rotated after login, whether multi-factor authentication is offered, and how password reset flows are secured. These are application-level choices that no external scanner can evaluate. They require code review, threat modeling, and testing as part of your development process.

What this ring defends against

  • Session hijacking through stolen cookies
  • Cross-site request forgery (CSRF)
  • Token leakage over unencrypted connections
  • Brute force attacks on weak session identifiers
  • Client-side script access to authentication tokens

If this ring fails: the attacker becomes the user. Sessions can be stolen, actions can be forged on the user's behalf, and accounts can be taken over entirely. No outer ring can undo this once the session token is in the attacker's hands.

How to verify: Open your browser's DevTools, go to the Application tab, and inspect the cookies for your site. Check that session cookies have secure attributes set. For deeper session management review, use penetration testing tools like Burp Suite or OWASP ZAP to test token entropy, session fixation, and expiration behavior. SiteSecurityScore helps look at all the cookies your site sets on client side and identify any shortcomings with the security.

Ring 2: Server Response

Every time your server sends a page to a visitor's browser, it includes HTTP response headers alongside the HTML. Some of these headers are instructions that tell the browser how to handle the content: which scripts are allowed to run, whether the page can be loaded inside a frame on another site, whether the browser should guess file types, and how much of the page URL should be shared with third parties.

Without these headers, the browser falls back to defaults that were designed for compatibility, not security. Those defaults are decades old. They allow any script to run, any site to frame your pages, any resource type to be guessed, and full URLs to be sent to every external resource. Security headers override these defaults with explicit rules.

The most important security headers form a coordinated defense. Content-Security-Policy controls which scripts, styles, and resources can load, making cross-site scripting (XSS) far harder to exploit. Strict-Transport-Security tells the browser to only connect over HTTPS, even if someone types an HTTP URL. X-Frame-Options blocks clickjacking by preventing your page from being embedded in an iframe. X-Content-Type-Options stops browsers from guessing file types, a behavior called MIME sniffing that can turn an uploaded text file into executable code. Referrer-Policy limits how much of the current URL is leaked to external resources.

What this ring defends against

  • Cross-site scripting (XSS) via injected scripts
  • Clickjacking through invisible iframe overlays
  • MIME type confusion that turns uploads into executable code
  • URL and data leakage through referrer headers
  • Unauthorized browser feature access (camera, microphone, geolocation)

If this ring fails: the browser does not know what to block. It falls back to permissive defaults that leave Ring 1 exposed. An attacker who can inject a script now has unrestricted access to the page, including any session cookies that lack the HttpOnly flag. A site without framing protection can be overlaid with invisible elements to trick visitors into clicking buttons they cannot see.

Ring 3: Transport

This is the layer most people think of when they hear "website security." Transport Layer Security (TLS) encrypts the data traveling between the visitor's browser and your server. When it works correctly, no one sitting between the two endpoints can read or modify the traffic. This is what the browser padlock icon represents.

But "having a certificate" is the starting point, not the finish line. The certificate itself can be misconfigured, it might be expired, missing intermediate certificates in the chain, or negotiating connections using outdated protocol versions like TLS 1.0 or 1.1 that have known vulnerabilities. The cipher suites your server accepts matter too. Weak ciphers like RC4 and 3DES are vulnerable to attacks that can decrypt traffic.

Mixed content is another transport layer problem. If your HTTPS page loads a single resource over plain HTTP, that resource travels unencrypted and can be modified by an attacker on the network. Modern browsers block mixed active content like scripts automatically, but they may still allow mixed images, and either way the security indicator degrades.

What this ring defends against

  • Eavesdropping on data in transit
  • Man-in-the-middle attacks that modify page content
  • SSL stripping that downgrades HTTPS to HTTP
  • Data tampering between server and browser

If this ring fails: everything in Rings 1 and 2 travels in plain text. Security headers, session cookies, authentication tokens, form data, and page content are all visible to anyone on the network. An attacker at a coffee shop, a compromised router, or a malicious ISP can read and modify everything the visitor sees and sends.

Ring 4: Network Perimeter

The inner three rings all involve configuration that your server sends to the browser. This ring is different. Network perimeter defenses sit between the internet and your application, filtering traffic before it ever reaches your server. They are the bouncers at the door.

A web application firewall (WAF) inspects incoming requests and blocks those that match known attack patterns, such as SQL injection payloads or cross-site scripting attempts in query parameters. Rate limiting caps how many requests a single client can make in a given window, which slows down brute force login attempts and credential stuffing. Bot protection distinguishes between human visitors and automated scripts, blocking scrapers and abuse while allowing legitimate crawlers. DDoS mitigation absorbs or deflects volumetric traffic floods that would otherwise overwhelm your server.

These protections are typically provided by CDN providers like Cloudflare, AWS CloudFront, or Fastly, or by dedicated WAF products. They are infrastructure decisions rather than something you configure in your application code, and they are not verifiable by inspecting browser responses. That makes this ring harder to audit from the outside, but no less important.

What this ring defends against

  • Brute force and credential stuffing attacks
  • Automated scanning and exploitation bots
  • Volumetric DDoS that takes the site offline
  • Application layer exploits caught by WAF rules

If this ring fails: malicious traffic reaches your application unfiltered. Bots hammer login forms thousands of times per minute. Scrapers copy your content. A single traffic spike from a botnet can bring the site down for all legitimate visitors. The inner rings still protect against many attacks, but the application has to handle every malicious request on its own.

Ring 5: Domain Trust

This ring operates entirely outside your web server. It lives in DNS, the system that translates your domain name into an IP address. DNS records do more than routing. They establish your domain's identity and trustworthiness across the broader internet. Without them, anyone can claim to be you.

Email authentication is the largest part of this layer. SPF (Sender Policy Framework) publishes a list of mail servers authorized to send email from your domain. DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing messages that receiving servers can verify. DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties SPF and DKIM together with a policy that tells receiving servers what to do when a message fails both checks, nothing, quarantine it, or reject it outright. Together, these three records make it dramatically harder for an attacker to send phishing emails that appear to come from your domain.

CAA (Certificate Authority Authorization) is the other key record. It specifies which certificate authorities are allowed to issue TLS certificates for your domain. Without it, any of the hundreds of public certificate authorities in the world can issue a certificate for your site. If one of them is compromised or tricked, an attacker can obtain a valid certificate and impersonate your domain convincingly enough to fool browsers.

What this ring defends against

  • Phishing emails sent from your domain
  • Unauthorized TLS certificate issuance
  • Domain impersonation and brand abuse
  • DNS poisoning and hijacking

If this ring fails: attackers bypass your website entirely. They send phishing emails that appear to come from your domain, and receiving mail servers have no way to tell the difference. A rogue certificate authority can issue a certificate for your domain, enabling convincing impersonation. The inner rings are untouched because the attack never goes through your server at all.

Ring 6: Monitoring and Visibility

The five inner rings are all preventive, they exist to stop attacks from succeeding. This outermost ring is different. Monitoring does not block anything. It watches. Its job is to detect when one of the inner rings weakens, breaks, or disappears.

Security configurations are not static. They change every time you deploy code, update a server, rotate a certificate, or modify a DNS record. A framework upgrade can silently remove a security header. A server migration can reset TLS settings. A DNS change can accidentally delete a DMARC record. These things happen quietly, and without monitoring, they persist until someone reports a problem or an attacker finds the gap.

Effective monitoring for website security includes several components. Content Security Policy violation reports tell you when scripts or resources load that your policy does not allow, which can signal either an XSS attempt or a policy that needs updating. Certificate transparency logs let you see every TLS certificate issued for your domain, so you can detect unauthorized issuance. Automated security scanning checks your headers, TLS, cookies, and DNS on a regular schedule and alerts you when something changes. Change detection compares scan results over time and flags regressions.

Security configurations change with every deploy. Without continuous monitoring, you are relying on memory and luck to catch regressions before an attacker does.

What this ring defends against

  • Undetected security regressions after deploys
  • Expired certificates discovered by customers instead of you
  • Silent header removal during server updates
  • Configuration drift that accumulates over months

If this ring fails: breaches persist unnoticed. A deploy removes your Content Security Policy on a Tuesday. Nobody checks. Two weeks later, a stored XSS payload fires. An expired certificate starts showing browser warnings to visitors over a holiday weekend. Without monitoring, the time between a security regression and its discovery is measured in days or weeks, not minutes.

Testing all six layers

No single tool covers all six rings. Penetration testing tools like Burp Suite and OWASP ZAP are best for Rings 1 and 4, where you need to probe session handling and network filtering.

SiteSecurityScore is one tool that aims to uncovering critical security issues in all these areas. It uses a deep scan approach to uncover leaked secrets, audit your headers, TLS setup, cookie attributes, and DNS records, and track changes over time. It is particularly useful for catching regressions after deploys, which is where Ring 6 intersects with every other layer.

Originally published at https://www.sitesecurityscore.com.