
Security Scanning

Cassian Shield™ passively scans your store for security vulnerabilities and misconfigurations.

Cassian Shield™ analyses your store for security vulnerabilities and misconfigurations — things that could expose your store, your customers, or your data to risk. It works passively: it never sends malicious requests, never touches your database, and never disrupts your store or its visitors.

Think of it as the security audit your developers would run before a major launch — except Cassian Shield™ runs it on a schedule, automatically.

What Cassian Shield™ Checks

Security Headers

HTTP security headers are instructions your store sends to browsers to enforce secure behaviour. Missing or misconfigured headers are one of the most common and easiest-to-fix classes of security issues. Cassian Shield™ checks for:

Header                            | What it does
----------------------------------|-------------------------------------------------------------------------
Content-Security-Policy           | Controls which scripts, styles, and resources can load on your pages
X-Frame-Options                   | Prevents your store from being embedded in iframes on other sites (clickjacking protection)
Strict-Transport-Security (HSTS)  | Forces HTTPS connections — prevents downgrade attacks
X-Content-Type-Options            | Prevents browsers from guessing file types (MIME sniffing protection)
Referrer-Policy                   | Controls what information is sent when visitors follow links away from your store
Permissions-Policy                | Limits which browser features (camera, microphone, geolocation) your store can access
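The table above lists what a header check looks at; the following is an added example (not Cassian Shield™'s own code, and not from the Cassian project) of the passive logic behind such a check. It takes the response headers a normal page request returned and reports which of the six headers are missing or weakly configured, and additionally flags a Server or X-Powered-By header that leaks a software version (the disclosure pattern the Information Disclosure section describes). Which severity each check receives, the one-year HSTS threshold, and the two sample header sets are assumptions made for this example.

```python
import re
from typing import Dict, List, Tuple

# A finding is (severity, header, message). The severity names follow the
# page's four levels; which level each check maps to is our own assumption.
Finding = Tuple[str, str, str]

MIN_HSTS_MAX_AGE = 31536000            # one year; assumed threshold
VERSION_RE = re.compile(r"\d+\.\d+")   # matches "nginx/1.18.0", "PHP/8.1", ...


def get_header(headers: Dict[str, str], name: str) -> str:
    """Case-insensitive lookup; HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""


def hsts_max_age(value: str) -> int:
    """Extract max-age from an HSTS header value; -1 if it cannot be parsed."""
    match = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return int(match.group(1)) if match else -1


def check_security_headers(headers: Dict[str, str]) -> List[Finding]:
    """Passive check: inspects response headers only, sends nothing extra."""
    findings: List[Finding] = []

    csp = get_header(headers, "Content-Security-Policy")
    if not csp:
        findings.append(("High", "Content-Security-Policy", "header missing"))
    elif "'unsafe-inline'" in csp:
        findings.append(("Medium", "Content-Security-Policy",
                         "'unsafe-inline' weakens script/style restrictions"))

    # CSP frame-ancestors supersedes X-Frame-Options, so only flag when both are absent.
    xfo = get_header(headers, "X-Frame-Options").upper()
    if not xfo and "frame-ancestors" not in csp:
        findings.append(("Medium", "X-Frame-Options",
                         "missing and CSP has no frame-ancestors (clickjacking)"))
    elif xfo and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(("Medium", "X-Frame-Options", f"unsupported value {xfo!r}"))

    hsts = get_header(headers, "Strict-Transport-Security")
    if not hsts:
        findings.append(("High", "Strict-Transport-Security", "header missing"))
    elif hsts_max_age(hsts) < MIN_HSTS_MAX_AGE:
        findings.append(("Medium", "Strict-Transport-Security",
                         f"max-age below {MIN_HSTS_MAX_AGE} seconds"))

    if get_header(headers, "X-Content-Type-Options").lower() != "nosniff":
        findings.append(("Medium", "X-Content-Type-Options",
                         "missing or not 'nosniff' (MIME sniffing)"))

    for name in ("Referrer-Policy", "Permissions-Policy"):
        if not get_header(headers, name):
            findings.append(("Informational", name, "header missing"))

    # Disclosure-prone headers: a version string tells an attacker exactly what to look up.
    for name in ("Server", "X-Powered-By"):
        value = get_header(headers, name)
        if value and VERSION_RE.search(value):
            findings.append(("Medium", name, f"reveals software version: {value!r}"))

    return findings


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    """Roll findings up the way a dashboard would (count per severity)."""
    counts = {"Critical": 0, "High": 0, "Medium": 0, "Informational": 0}
    for severity, _, _ in findings:
        counts[severity] += 1
    return counts


# Constructed sample responses for the example; not captured from any real store.
WEAK_HEADERS = {
    "Server": "nginx/1.18.0",
    "Content-Type": "text/html",
    "X-Frame-Options": "ALLOWALL",
    "Strict-Transport-Security": "max-age=300",
}

HARDENED_HEADERS = {
    "Server": "nginx",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        found = check_security_headers(hdrs)
        print(label, severity_counts(found))
        for severity, header, message in found:
            print(f"  [{severity}] {header}: {message}")
```

Run against the weak sample it reports one High (no CSP), four Medium and two Informational findings; the hardened sample produces none, because its CSP carries frame-ancestors in place of X-Frame-Options and its Server header carries no version.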

Mixed Content

Mixed content occurs when an HTTPS page loads resources (images, scripts, stylesheets) via HTTP. This triggers browser security warnings that can alarm or deter visitors. Cassian Shield™ identifies every mixed-content resource on your store pages.
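As an added example of how a mixed-content check can be done passively (this is not Cassian Shield™'s code), the parser below walks the HTML of one HTTPS page and lists every sub-resource whose resolved URL uses plain http. It resolves relative and protocol-relative (`//cdn...`) references against the page URL, checks srcset candidates individually, only treats `<link>` tags as resources when their rel actually causes a fetch, and ignores `<a href>` because navigation links are not mixed content. The page URL and HTML are constructed for the example.

```python
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urljoin, urlsplit

# (tag, attribute, absolute URL) for every sub-resource loaded over plain HTTP.
MixedResource = Tuple[str, str, str]

# Attributes on which the browser fetches a sub-resource.
RESOURCE_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "video": ("src", "poster"),
    "audio": ("src",),
    "source": ("src", "srcset"),
    "object": ("data",),
    "embed": ("src",),
}

# <link> only loads something for these rel values; canonical/alternate do not.
LINK_FETCH_RELS = {"stylesheet", "icon", "preload", "modulepreload", "prefetch"}


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.found: List[MixedResource] = []

    def _check(self, tag: str, attr: str, raw: str) -> None:
        # srcset holds "url descriptor, url descriptor" candidates; test each URL.
        if attr == "srcset":
            candidates = [c.strip().split()[0] for c in raw.split(",") if c.strip()]
        else:
            candidates = [raw.strip()]
        for candidate in candidates:
            # urljoin resolves relative and protocol-relative URLs against the page,
            # so "//cdn.example/x.js" on an HTTPS page correctly becomes https.
            absolute = urljoin(self.page_url, candidate)
            if urlsplit(absolute).scheme == "http":
                self.found.append((tag, attr, absolute))

    def handle_starttag(self, tag, attrs):
        wanted = RESOURCE_ATTRS.get(tag)
        if not wanted:
            return
        attr_map = dict(attrs)
        if tag == "link":
            rels = set((attr_map.get("rel") or "").lower().split())
            if not rels & LINK_FETCH_RELS:
                return
        for name in wanted:
            value = attr_map.get(name)
            if value:
                self._check(tag, name, value)


def find_mixed_content(page_url: str, html: str) -> List[MixedResource]:
    """Return the mixed-content resources of an HTTPS page (none for HTTP pages)."""
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content is only defined for pages served over HTTPS
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.found


# Constructed sample page for the example; not a real store.
SAMPLE_PAGE_URL = "https://shop.example/products/widget"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://cdn.example/theme.css">
<link rel="canonical" href="http://shop.example/products/widget">
<script src="//cdn.example/app.js"></script>
</head><body>
<img src="/images/hero.png" srcset="http://img.example/hero-2x.png 2x, /images/hero.png 1x">
<a href="http://partner.example/">Partner</a>
<iframe src="https://player.example/embed"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"mixed content: <{tag} {attr}> loads {url}")
```

On the sample page only two resources are reported: the stylesheet and the 2x srcset candidate. The protocol-relative script resolves to https, the canonical link is never fetched, and the partner link is navigation rather than a resource.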

SSL/TLS Configuration

Beyond just checking whether your certificate is valid, Cassian Shield™ inspects:

  • Certificate validity and expiry
  • Protocol version (TLS 1.2 or 1.3 required — older versions are deprecated)
  • Cipher strength

Information Disclosure

Some servers and error pages unintentionally reveal system information — software versions, server technology, or internal paths — that can assist an attacker in targeting your store. Cassian Shield™ checks for these common disclosure patterns.

Attack Surface

Cassian Shield™ checks for publicly accessible admin paths, backup files, configuration files, or other resources that should not be reachable from the internet.

Severity Levels

Severity       | What it means                                | Recommended action
---------------|----------------------------------------------|---------------------------
Critical       | Actively exploitable issue                   | Fix immediately
High           | Significant risk, not immediately exploitable | Fix within days
Medium         | Worth addressing, lower immediate risk       | Fix when practical
Informational  | Good to know, minimal security impact        | Review at your discretion

Critical findings should be treated as urgent. An actively exploitable issue leaves your store and your customers' data at risk. Click the finding for details and remediation steps.

How Scans Work

Cassian Shield™ is passive-only. It analyses your store the same way a security-conscious browser would — by requesting pages and inspecting the responses. It never:

  • Sends attack payloads (no SQL injection tests, no XSS probes)
  • Accesses your Shopify admin or backend
  • Modifies data
  • Touches your customer database

Scans typically complete in 2–3 minutes. Your store continues operating normally throughout.

Availability

Cassian Shield™ is available on Analyst plan and above.

How to Trigger a Scan

Security scans run on a regular schedule based on your plan. You can also trigger a manual scan at any time:

  1. Go to Security in the sidebar.
  2. Click Run scan in the top-right corner of the Security page.

The scan begins immediately. Status updates in real time. Results appear when the scan completes (typically 2–3 minutes).

Where to See Security Data

Sidebar → Security shows:

  • Scan status and last scan time
  • Finding count broken down by severity (Critical, High, Medium, Informational)
  • A detailed findings list — click any finding for a description of the issue and recommended remediation steps

How to Fix Findings

Each finding in the Security page includes:

  1. What the issue is — a plain-English explanation
  2. Why it matters — the security risk it represents
  3. How to fix it — specific remediation steps

Most security header issues can be addressed in your Shopify theme settings or through your theme's theme.liquid file. Cassian Shield™ notes which findings are within your control and which are managed at a platform level.

Shopify manages certain server-level security configurations on your behalf. If a finding notes that it is "platform-managed," it means Shopify controls that setting — you can log a support request with Shopify if you believe it's misconfigured.

Frequently Asked Questions

Is Cassian Shield™ safe? Will running a scan affect my store? Yes — completely safe. Cassian Shield™ is passive-only. It analyses what's publicly visible on your store, the same way any browser would. It never sends malicious requests, never accesses backend systems, and never causes any disruption to your store or visitors.

I have a Critical finding. What do I do? Click the finding in Sidebar → Security. The detail view explains what the vulnerability is, the risk it represents, and the exact steps to fix it. For security headers, this usually means editing your theme's theme.liquid to add the missing header. If you're unsure, contact your theme developer or Shopify support.

Does Cassian Shield™ test for SQL injection or XSS attacks? No. Cassian Shield™ is passive — it identifies configuration issues and vulnerabilities that are visible in normal responses, without sending attack payloads. Active penetration testing (which involves simulated attacks) requires explicit permission and is a different, more specialised engagement.

How often does Cassian Shield™ scan automatically? Scan frequency depends on your plan. Manual scans can be triggered at any time from Sidebar → Security → Run scan.

My store runs on Shopify. Can I even fix security headers? Some headers can be set via your Shopify theme (in theme.liquid). Shopify controls others at the server level and may update them with platform changes. Cassian Shield™ identifies which headers are in your control and which are platform-managed.

I fixed a finding. When will it be marked as resolved? Trigger a manual scan after making your fix. If the issue is no longer detected, it will be marked as resolved automatically. Resolved findings are archived and no longer shown in the active findings list.

A finding says my TLS protocol version is outdated. Can I fix this? TLS protocol configuration is typically managed by Shopify at the server level, not something store owners control directly. Cassian Shield™ will note this as platform-managed. Shopify's infrastructure supports TLS 1.2 and 1.3 — if you see an older protocol flagged, it may be a caching artefact from the scan. Re-scan to confirm.

Will security issues affect my Cassian Score™? Not directly — security findings are tracked separately from the Cassian Score™ Technical Health category. However, severe unresolved security issues are surfaced in the Issues panel on the main dashboard and flagged as priority items.
