Content Security Scan is a free, built-in security feature that analyzes your page content for signs of compromise, phishing, or malicious modifications. Unlike API-based security services like VirusTotal or Google Safe Browsing, this runs every check cycle at zero additional cost.
What It Detects
The scan looks for patterns across several threat categories:
Google Ban Indicators (Critical)
- "Deceptive site ahead" warnings
- "Site ahead contains malware" notices
- Google Safe Browsing warning text embedded in page content
These patterns indicate your site may have been flagged by Google and is showing warning pages to visitors.
Hack/Defacement (Critical)
- "Hacked by" signatures
- "Site has been compromised" notices
- Attacker tags and defacement messages
- "This site has been hacked" text
Hosting Warnings (High)
- "Account suspended" notices from hosting providers
- "Terms of service violation" messages
- Hosting provider suspension pages
Phishing Indicators (High)
- "Enter your password" on unusual pages
- "Verify your account" combined with credential forms
- Credit card request patterns
- Social security number requests
Fake Security Alerts (High)
- "Virus detected" scareware messages
- "Your computer is infected" alerts
- Fake antivirus warnings
Urgency Tactics (Medium)
- "Act now" with suspicious context
- "Immediate action required"
- "Your account will be closed"
Suspicious Forms (Medium)
- JavaScript URLs in form actions
- Base64-encoded form submissions
- Hidden credential collection forms
How Scoring Works
Each detected pattern adds points to a threat score between 0 and 100:
- 0-19 (Clean): No threats detected, your site looks normal
- 20-49 (Warning): Some suspicious patterns found, review recommended
- 50+ (Threat): High-confidence threat indicators detected
Critical patterns (like Google bans or hack defacement) add 40-50 points, ensuring a single detection triggers a threat alert.
Handling False Positives
Some legitimate websites may trigger detections. For example:
- Security blogs discussing phishing techniques
- Sites with support content about account verification
- Demo pages showing security examples
You can whitelist false positives by clicking the "Ignore" button next to any detection. This adds the pattern to your whitelist and it will be skipped in future scans.
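The scoring bands and the ignore list described above can be sketched as follows. This is an added example, not the product's own code: the rule names, the regular expressions, and the point values for High (25) and Medium (10) are assumptions, and the ignore list is modelled as a set of rule names.

```python
import re

# Assumed rule set: the phrases come from the categories listed on this page;
# the point values for High (25) and Medium (10) are illustrative assumptions.
# Only the 40-50 range for Critical and the score bands are stated by the page.
RULES = [
    ("google_ban", "critical", 50, r"deceptive site ahead|site ahead contains malware"),
    ("defacement", "critical", 50, r"\bhacked by\b|this site has been hacked|site has been compromised"),
    ("hosting_suspended", "high", 25, r"account suspended|terms of service violation"),
    ("fake_alert", "high", 25, r"virus detected|your computer is infected"),
    ("urgency", "medium", 10, r"immediate action required|your account will be closed"),
    ("js_form_action", "medium", 10, r"<form\b[^>]*\baction\s*=\s*[\"']?\s*javascript:"),
]

def verdict(score):
    """Map a 0-100 score onto the bands given on this page."""
    if score >= 50:
        return "threat"
    if score >= 20:
        return "warning"
    return "clean"

def scan(html, ignored=frozenset()):
    """Return (score, verdict, hits); rule names in `ignored` are skipped."""
    hits = []
    for name, severity, points, pattern in RULES:
        if name in ignored:
            continue  # user marked this detection as a false positive
        if re.search(pattern, html, re.IGNORECASE):
            hits.append((name, severity, points))
    score = min(100, sum(p for _, _, p in hits))  # clamp to the 0-100 scale
    return score, verdict(score), hits

# Constructed sample pages.
DEFACED = "<html><body><h1>Hacked by example-crew</h1></body></html>"
SECURITY_BLOG = "<p>Scareware pages often say 'Virus detected' to rush the reader.</p>"
NORMAL = "<html><body><h1>Welcome</h1><form action='/search'></form></body></html>"

if __name__ == "__main__":
    for label, page in [("defaced", DEFACED), ("blog", SECURITY_BLOG), ("normal", NORMAL)]:
        print(label, scan(page))
    print("blog, rule ignored:", scan(SECURITY_BLOG, ignored={"fake_alert"}))
```

The security-blog sample shows why the ignore list matters: quoting a scareware phrase in an article scores as a warning until that rule is skipped.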
Enabling/Disabling
Content Security Scan is enabled by default for all HTTP monitors. You can toggle it:
- Go to the monitor edit page
- Scroll to the Security Checks section
- Toggle "Enable Content Security Scan"
- Save changes
Alerts
When threats are detected, you receive notifications based on your alert settings:
- Email: Detailed alert with score and detected patterns
- Telegram: Quick notification with threat summary
- In-app: Notification center alert
Alerts have a 4-hour cooldown to prevent spam from repeated detections of the same threat.
Comparison with API-Based Security
| Feature | Content Security Scan | Google Safe Browsing / VirusTotal |
|---|---|---|
| Cost | Free | Requires API key |
| Check Frequency | Every check cycle | Rate-limited (daily/weekly) |
| Detection Type | Page content patterns | External database lookup |
| Best For | Hacks, defacement, hosting issues | Known malware URLs, phishing databases |
Recommendation: Use both for comprehensive protection. Content Security Scan catches visible changes immediately, while API services check against global threat databases.