diff --git a/README.md b/README.md
index ca92a97..79ac2ad 100644
--- a/README.md
+++ b/README.md
@@ -9,30 +9,26 @@ Deep TLS / certificate analysis is intentionally **delegated to
 [checker-tls](https://git.happydns.org/checker-tls)** - this checker only
 relies on TLS for transport.
 
-## Rules
+## What it checks
 
-| Code                          | Description                                                                                                       | Severity            |
-|-------------------------------|-------------------------------------------------------------------------------------------------------------------|---------------------|
-| `http.tcp_reachable`          | Verifies that every probed IP accepts an HTTP connection on the standard port.                                    | CRITICAL            |
-| `https.tcp_reachable`         | Verifies that every probed IP accepts an HTTPS connection on the standard port.                                   | CRITICAL            |
-| `http.https_redirect`         | Plain HTTP responses must redirect to an HTTPS URL on the same host.                                              | WARNING             |
-| `http.redirect_chain`         | Inspects the redirect chain (RFC 9110 §15.4) for loops, excessive length, and scheme downgrades.                  | WARNING             |
-| `http.redirect_permanence`    | HTTP→HTTPS upgrade should use 301 or 308 (permanent) rather than 302/307 (temporary).                             | WARNING             |
-| `http.hsts`                   | Verifies the presence and quality of the Strict-Transport-Security header on HTTPS responses.                     | WARNING             |
-| `http.csp`                    | Verifies the presence and quality of the Content-Security-Policy header on HTTPS responses.                       | WARNING             |
-| `http.x_frame_options`        | Verifies that responses set X-Frame-Options or a CSP frame-ancestors directive.                                   | WARNING             |
-| `http.x_content_type_options` | Verifies that responses set X-Content-Type-Options: nosniff.                                                      | WARNING             |
-| `http.x_xss_protection`       | Reports the value of the legacy X-XSS-Protection header (disabled is preferred; CSP is the proper replacement).   | INFO                |
-| `http.referrer_policy`        | Verifies that responses set a Referrer-Policy header with a privacy-preserving value.                             | WARNING             |
-| `http.permissions_policy`     | Verifies that the Permissions-Policy header restricts powerful APIs (camera, microphone, geolocation, …).         | WARNING             |
-| `http.coop`                   | Verifies the Cross-Origin-Opener-Policy (COOP) header for cross-origin process isolation.                         | WARNING             |
-| `http.coep`                   | Verifies the Cross-Origin-Embedder-Policy (COEP) header, required (with COOP) to enable cross-origin isolation.   | WARNING             |
-| `http.corp`                   | Verifies the Cross-Origin-Resource-Policy (CORP) header restricts cross-origin/cross-site embedding of responses. | WARNING             |
-| `http.cookie_flags`           | Verifies that cookies set over HTTPS use the Secure, HttpOnly and SameSite attributes.                            | WARNING             |
-| `http.cookie_prefixes`        | Verifies cookies using the __Secure- / __Host- name prefixes meet the RFC 6265bis constraints.                    | WARNING             |
-| `http.cookie_size`            | Flags cookies whose Set-Cookie line exceeds the 4096-byte minimum browsers must support (RFC 6265 §6.1).          | WARNING             |
-| `http.sri`                    | Reports cross-origin script and stylesheet tags that are missing Subresource Integrity (integrity=) attributes.   | WARNING             |
-| `http.security_txt`           | Reports whether /.well-known/security.txt (RFC 9116) is published.                                                | WARNING             |
+| Rule                              | What it verifies                                                                  |
+| --------------------------------- | --------------------------------------------------------------------------------- |
+| `http.tcp_reachable`              | Port 80 accepts connections on every A/AAAA address.                              |
+| `https.tcp_reachable`             | Port 443 accepts connections on every A/AAAA address.                             |
+| `http.https_redirect`             | Plain HTTP redirects to HTTPS (warning if not).                                   |
+| `http.hsts`                       | `Strict-Transport-Security` is present with a sufficient `max-age`.               |
+| `http.csp`                        | `Content-Security-Policy` is set; flags `'unsafe-inline'` / `'unsafe-eval'`.      |
+| `http.x_frame_options`            | `X-Frame-Options` or CSP `frame-ancestors` provides clickjacking protection.      |
+| `http.x_content_type_options`     | `X-Content-Type-Options: nosniff` is set.                                         |
+| `http.x_xss_protection`           | Reports the legacy `X-XSS-Protection` header (recommendation: disable).           |
+| `http.referrer_policy`            | `Referrer-Policy` is set to a privacy-preserving value (W3C Referrer Policy).     |
+| `http.permissions_policy`         | `Permissions-Policy` is set (W3C Permissions Policy, replaces Feature-Policy).    |
+| `http.coop`                       | `Cross-Origin-Opener-Policy` isolates the document from cross-origin windows.     |
+| `http.coep`                       | `Cross-Origin-Embedder-Policy` requires CORP/CORS opt-in for embedded resources.  |
+| `http.corp`                       | `Cross-Origin-Resource-Policy` restricts cross-origin embedding of responses.     |
+| `http.cookie_flags`               | Every Set-Cookie has `Secure`, `HttpOnly`, and a `SameSite` attribute.            |
+| `http.sri`                        | Cross-origin `<script>`/`<link>` tags carry `integrity=` (Subresource Integrity). |
+| `http.security_txt`               | `/.well-known/security.txt` is published (RFC 9116).                              |
 
 ## Options
 
diff --git a/checker/collect.go b/checker/collect.go
index 7e1f4b5..153ab32 100644
--- a/checker/collect.go
+++ b/checker/collect.go
@@ -21,7 +21,6 @@ import (
 	"time"
 
 	sdk "git.happydns.org/checker-sdk-go/checker"
-	happydns "git.happydns.org/happyDomain/model"
 	"golang.org/x/net/html"
 )
 
@@ -144,22 +143,7 @@ func buildTarget(ctx context.Context, opts sdk.CheckerOptions) (Target, error) {
 		userAgent = v
 	}
 
-	// Origin is the FQDN where the service is mounted: svc.Domain holds the
-	// subdomain (relative to apex; "@" for apex), and the domain_name
-	// autofill carries the zone apex.
-	apex := ""
-	if v, ok := sdk.GetOption[string](opts, OptionDomainName); ok {
-		apex = strings.TrimSuffix(v, ".")
-	}
-	subdomain := ""
-	if svc, ok := sdk.GetOption[happydns.ServiceMessage](opts, OptionService); ok {
-		subdomain = strings.TrimSuffix(svc.Domain, ".")
-	}
-	origin := sdk.JoinRelative(subdomain, apex)
-	host, ips := addressesFromServer(server, origin)
-	if host == "" {
-		host = origin
-	}
+	host, ips := addressesFromServer(server)
 	// abstract.Server only pins one A and one AAAA. Resolve the host to
 	// pick up any additional records the authoritative DNS exposes, so
 	// multi-IP deployments aren't silently under-probed. Failures are
diff --git a/checker/definition.go b/checker/definition.go
index 0aeaffa..74b1a3f 100644
--- a/checker/definition.go
+++ b/checker/definition.go
@@ -82,12 +82,6 @@ func (p *httpProvider) Definition() *sdk.CheckerDefinition {
 					AutoFill: sdk.AutoFillService,
 					Hide:     true,
 				},
-				{
-					Id:       OptionDomainName,
-					Label:    "Parent domain name",
-					AutoFill: sdk.AutoFillDomainName,
-					Hide:     true,
-				},
 			},
 		},
 		Rules: Rules(),
diff --git a/checker/provider_test.go b/checker/provider_test.go
index 86a5bf0..feb9f0c 100644
--- a/checker/provider_test.go
+++ b/checker/provider_test.go
@@ -227,7 +227,7 @@ func TestAddressesFromServer(t *testing.T) {
 	}
 	for _, c := range cases {
 		t.Run(c.name, func(t *testing.T) {
-			host, ips := addressesFromServer(c.srv, "")
+			host, ips := addressesFromServer(c.srv)
 			if host != c.wantHost {
 				t.Errorf("host = %q, want %q", host, c.wantHost)
 			}
diff --git a/checker/service.go b/checker/service.go
index 0ec5c87..f4fbb9c 100644
--- a/checker/service.go
+++ b/checker/service.go
@@ -9,6 +9,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"net"
+	"strings"
 
 	sdk "git.happydns.org/checker-sdk-go/checker"
 	happydns "git.happydns.org/happyDomain/model"
@@ -35,17 +36,15 @@ func resolveServer(opts sdk.CheckerOptions) (*abstract.Server, error) {
 	return &server, nil
 }
 
-// addressesFromServer returns the (host, ips) tuple to probe. origin is
-// the service's parent zone; the A/AAAA Hdr.Name is relative to it as
-// happyDomain encodes service owners, so we must join before using as FQDN.
-func addressesFromServer(server *abstract.Server, origin string) (host string, ips []string) {
+// addressesFromServer returns the (host, ips) tuple to probe.
+func addressesFromServer(server *abstract.Server) (host string, ips []string) {
 	if server.A != nil && len(server.A.A) > 0 {
-		host = sdk.JoinRelative(server.A.Hdr.Name, origin)
+		host = strings.TrimSuffix(server.A.Hdr.Name, ".")
 		ips = append(ips, server.A.A.String())
 	}
 	if server.AAAA != nil && len(server.AAAA.AAAA) > 0 {
 		if host == "" {
-			host = sdk.JoinRelative(server.AAAA.Hdr.Name, origin)
+			host = strings.TrimSuffix(server.AAAA.Hdr.Name, ".")
 		}
 		ips = append(ips, server.AAAA.AAAA.String())
 	}
diff --git a/checker/types.go b/checker/types.go
index 142c653..2c11eac 100644
--- a/checker/types.go
+++ b/checker/types.go
@@ -24,7 +24,6 @@ const ObservationKeyHTTP = "http"
 
 const (
 	OptionService           = "service"
-	OptionDomainName        = "domain_name"
 	OptionProbeTimeoutMs    = "probeTimeoutMs"
 	OptionMaxRedirects      = "maxRedirects"
 	OptionUserAgent         = "userAgent"