SecurityScorecard only crawls the entry point (root page) of each domain and subdomain. It does not follow links to subordinate pages. This means:
| URL | Crawled? |
| www.acme.com | Yes — root of an apex domain |
| mail.acme.com | Yes — root of a subdomain, crawled separately |
| www.acme.com/about | No — a subpage under the root, not crawled |
Because of this, the finding will only be detected if the Content-Security-Policy header or <meta> tag on the entry point page contains 'unsafe-inline' or 'unsafe-eval'. If the unsafe directive only appears on a subpage, no finding will be generated.
If a previously detected finding has disappeared, it may have aged out. Findings are removed after 45 days with no new observations.