Security Checks

Create, configure, and manage the domains you monitor with StackShield.

What is a security check?

A security check represents a domain you want to monitor. Each check stores the domain URL, which tests to run, the scan schedule, and a history of all past scans. Think of it as your monitoring configuration for a single domain.

Creating a check

Navigate to Security Checks and click New Check. You'll need to provide:

Domain

Enter your domain URL (e.g., https://example.com, app.example.com, or just example.com). StackShield will parse and normalize the domain automatically. You can monitor any publicly accessible domain — it doesn't need to be a Laravel application.

Scan schedule

Choose how often to run automated scans:

  • Hourly — runs every hour, ideal for production-critical domains
  • Daily — runs once per day at a time you choose (recommended for most domains)
  • Weekly — runs once per week at a chosen day and time
  • Monthly — runs once per month
  • No schedule — manual scans only

For daily, weekly, and monthly schedules you can choose the time of day the scan runs. All times are in UTC.

Security tests

Select which security tests to include in scans. You can enable or disable individual tests, or use the Enable All / Disable All toggle. Tests are grouped into categories:

Category | Example tests
Application Security | Security headers, CORS, CSRF, exposed env files, debug mode, JWT tokens
Infrastructure Security | SSL/TLS validation, port scanning, DNS security, IP reputation, subdomain takeover
Authentication & Authorization | Brute force protection, API rate limiting, session security
File & Directory Security | Exposed files, directory listing, sensitive paths
Email & Domain Security | SPF, DKIM, DMARC records

Advanced tests (Kali Linux)

Some tests use a Kali Linux container for deeper security analysis. These include SQLMap injection testing, Nikto web scanning, directory brute-forcing, WAF detection, and more. Advanced tests:

  • Require domain verification (you must prove ownership via DNS TXT record)
  • Are available on Pro and Business plans
  • Take longer to run than standard tests

Domain verification

To run advanced (Kali-powered) tests, you must verify that you own the domain. This prevents abuse by ensuring tests are only run against domains you control.

  1. Go to the check's settings and find the Domain Verification section
  2. Copy the provided DNS TXT record value
  3. Add a TXT record to your domain's DNS with the provided value
  4. Click Verify — StackShield will check for the record and mark the domain as verified

DNS propagation can take up to 48 hours, but usually completes within minutes. You only need to verify once per domain.
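
Before clicking Verify, you can check whether the TXT record is already visible from more than one resolver. The script below is an added example, not StackShield code: it parses `dig +short TXT` output and reports, per resolver, whether the expected value is being served. The verification value, resolver labels, and sample answers are constructed placeholders, and the script assumes the record sits at the name you query.

```python
import shlex
import subprocess

# Constructed placeholder; paste the value copied in step 2 here.
EXPECTED = "PLACEHOLDER-VERIFICATION-VALUE"

def txt_values(dig_short_output):
    """Parse `dig +short TXT` output into one string per TXT record.

    Each output line is one record. A record longer than 255 bytes is shown
    as several quoted chunks that must be concatenated without separators.
    """
    values = []
    for line in dig_short_output.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):  # skip blanks and dig comments
            continue
        values.append("".join(shlex.split(line)))
    return values

def propagation_report(outputs_by_resolver, expected):
    """Map each resolver to True if it serves the expected value.

    Exact match against a whole record, so an SPF or other vendor record
    that merely contains similar text does not count.
    """
    return {resolver: expected in txt_values(out)
            for resolver, out in outputs_by_resolver.items()}

def query_live(domain, resolvers):
    """Collect live answers with dig (needs network and the dig binary)."""
    return {r: subprocess.run(["dig", "+short", "TXT", domain, "@" + r],
                              capture_output=True, text=True, timeout=10).stdout
            for r in resolvers}

# Constructed sample answers: resolver-a already has the new record (shown
# split into two chunks), resolver-b still serves the older record set.
SAMPLE = {
    "resolver-a": '"v=spf1 include:_spf.example.com ~all"\n'
                  '"PLACEHOLDER-VERIF" "ICATION-VALUE"\n',
    "resolver-b": '"v=spf1 include:_spf.example.com ~all"\n',
}

if __name__ == "__main__":
    for resolver, ok in propagation_report(SAMPLE, EXPECTED).items():
        print(f"{resolver}: {'ready to verify' if ok else 'not visible yet'}")
```

To check a real domain, pass the result of `query_live("example.com", ["1.1.1.1", "8.8.8.8"])` to `propagation_report` in place of `SAMPLE`.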

Test configuration

Some tests have configurable settings. Click the settings icon next to a test to open its configuration drawer. Configurable tests include:

  • Brute force protection — specify your login endpoint (default: /login)
  • API rate limiting — specify your API endpoint to test (default: /api)
  • CORS misconfiguration — specify the endpoint to check CORS headers on

Custom endpoints are saved per check, so different domains can have different configurations.

Managing checks

The checks list

The Security Checks page shows all your monitored domains with:

  • Domain name and status (active/inactive)
  • Latest scan results (pass/fail/warning counts)
  • Schedule information
  • Quick action to run a scan

Use the search bar to filter by domain name, or the filters to show only active, inactive, scheduled, or unscheduled checks.

Editing a check

Click on any check to view its details and edit its configuration. You can change the domain, update the scan schedule, enable/disable tests, or configure test-specific settings at any time.

Deactivating vs. deleting

Deactivating a check stops scheduled scans but preserves all scan history and issues. You can reactivate it later. Deleting a check permanently removes it and all associated data including scans, test results, and issues.

Plan limits

The number of domains you can monitor depends on your plan. If you've reached your limit, you'll need to upgrade or remove an existing check before adding a new one. See Billing & Plans for details on limits per plan.