## What SecurityHeaders.com Does
SecurityHeaders.com, created by Scott Helme, is one of the most popular free tools for analyzing HTTP security headers on any website. You enter a URL, it fetches the response headers, and it gives you a letter grade from A+ to F.
It's fast, simple, and widely trusted — security professionals, developers, and DevOps engineers have used it for years to quickly check whether a site has its headers in order.
The tool specifically examines these headers:
- Strict-Transport-Security (HSTS) — Tells browsers to use HTTPS only for the site (and optionally its subdomains) for the max-age period
- Content-Security-Policy (CSP) — Controls which resources the browser can load and which scripts it can run
- X-Content-Type-Options — Prevents MIME-type sniffing when set to nosniff
- X-Frame-Options — Blocks clickjacking by refusing to render the page in a frame (CSP's frame-ancestors directive is the modern replacement)
- Referrer-Policy — Controls how much of the URL is sent in the Referer header
- Permissions-Policy — Restricts access to browser APIs like camera and microphone
That's it. Six headers, one grade. It does this one job very well.
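To make the "present and correctly configured" part concrete, here is an added Python checker for those six headers (example code, not SecurityHeaders.com's own implementation or grading algorithm). It checks values rather than mere presence: HSTS max-age, CSP script sources, a comma-separated Referrer-Policy fallback list. The two sample header sets, the one-year HSTS minimum and the pass-count-to-letter mapping are assumptions made for the example.

```python
import re

# Constructed sample header sets (not captured from any real site).
HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; "
                               "object-src 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}
WEAK = {
    "strict-transport-security": "max-age=300",
    "content-security-policy": "default-src * 'unsafe-inline' 'unsafe-eval'",
    "x-content-type-options": "nosniff",
    "x-frame-options": "ALLOWALL",
    "referrer-policy": "unsafe-url",
}

MIN_HSTS_AGE = 31536000  # assumption: one year, the usual preload-list minimum
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin"}


def _get(headers, name):
    """Case-insensitive lookup; HTTP header names are case-insensitive."""
    for k, v in headers.items():
        if k.lower() == name.lower():
            return v.strip()
    return None


def check_hsts(value):
    if value is None:
        return False, "missing"
    m = re.search(r"max-age=(\d+)", value, re.I)
    if not m:
        return False, "no max-age directive"
    age = int(m.group(1))
    if age < MIN_HSTS_AGE:
        return False, f"max-age {age}s is below {MIN_HSTS_AGE}s"
    return True, "ok"


def check_csp(value):
    if value is None:
        return False, "missing"
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    if "default-src" not in directives:
        return False, "no default-src fallback"
    # script-src falls back to default-src when it is absent.
    script = directives.get("script-src", directives["default-src"])
    # Browsers ignore 'unsafe-inline' once a nonce or hash source is present,
    # so only flag it when no such source exists.
    nonce_or_hash = any(t.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                        for t in script)
    bad = {t for t in script if t in ("'unsafe-eval'", "*")}
    if "'unsafe-inline'" in script and not nonce_or_hash:
        bad.add("'unsafe-inline'")
    if bad:
        return False, "script sources allow " + ", ".join(sorted(bad))
    return True, "ok"


def _expect(value, allowed):
    """Header must be present with one of the allowed (case-insensitive) values."""
    if value is None:
        return False, "missing"
    ok = value.lower() in allowed
    return ok, "ok" if ok else f"unexpected value {value!r}"


def check_referrer(value):
    if value is None:
        return False, "missing"
    # The header may list fallbacks; browsers apply the last policy they recognise.
    policies = [p.strip().lower() for p in value.split(",") if p.strip()]
    last = policies[-1] if policies else ""
    ok = last in SAFE_REFERRER
    return ok, "ok" if ok else f"{last!r} is not one of the strict policies"


CHECKS = [
    ("Strict-Transport-Security", check_hsts),
    ("Content-Security-Policy", check_csp),
    ("X-Content-Type-Options", lambda v: _expect(v, {"nosniff"})),
    ("X-Frame-Options", lambda v: _expect(v, {"deny", "sameorigin"})),
    ("Referrer-Policy", check_referrer),
    ("Permissions-Policy", lambda v: (True, "ok") if v else (False, "missing")),
]


def check_headers(headers):
    """Map each of the six header names to (passed, reason)."""
    return {name: fn(_get(headers, name)) for name, fn in CHECKS}


def grade(headers):
    """Assumed mapping from pass count to letter; not SecurityHeaders.com's algorithm."""
    passed = sum(ok for ok, _ in check_headers(headers).values())
    return {6: "A+", 5: "A", 4: "B", 3: "C", 2: "D"}.get(passed, "F")


if __name__ == "__main__":
    for label, hdrs in (("hardened", HARDENED), ("weak", WEAK)):
        print(f"{label}: {grade(hdrs)}")
        for name, (ok, why) in check_headers(hdrs).items():
            print(f"  {'PASS' if ok else 'FAIL'} {name}: {why}")
```

Run it and the WEAK set drops to F even though five of the six headers are present: a header that is present but misconfigured (an HSTS max-age of five minutes, a CSP that allows `*` and `'unsafe-inline'`) protects nothing, which is why the value checks matter more than the presence check.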
## What Score Does It Give You?
SecurityHeaders.com assigns a letter grade based on which headers are present and correctly configured:
| Grade | Meaning |
|---|---|
| A+ | All recommended headers present with strong values |
| A | All key headers present |
| B | Most headers present, one or two missing |
| C | Several headers missing |
| D | Only basic headers present |
| F | Critical headers missing |
An A+ on SecurityHeaders.com means your HTTP response headers are well configured. It does not mean your website is secure. This is a critical distinction that many people miss.
## What SecurityHeaders.com Doesn't Check
Here's where things get important. SecurityHeaders.com focuses exclusively on HTTP response headers. It doesn't evaluate:
### SSL/TLS Configuration
Your certificate could be expired or issued for the wrong hostname, your server could offer weak cipher suites, or it could still accept TLS 1.0 and 1.1 (deprecated by RFC 8996 and carrying known weaknesses). SecurityHeaders.com won't tell you any of this.
### Cookie Security
Session cookies without the Secure, HttpOnly, or SameSite flags are a common attack vector. A site can get an A+ on SecurityHeaders.com while serving cookies that are vulnerable to theft.
### Mixed Content
If your HTTPS page loads images, scripts, or stylesheets over plain HTTP, browsers may block them or show warnings. This isn't covered by a header scan.
### DNS Security
SPF, DKIM, and DMARC records protect your domain from email spoofing. DNSSEC lets validating resolvers detect forged DNS answers, which is what blunts cache poisoning. None of this shows up in a header check.
### Information Disclosure
Server version headers, exposed .git directories, debug pages, and technology fingerprints can give attackers a roadmap. Beyond noting a Server or X-Powered-By header in its warnings, SecurityHeaders.com doesn't look for these.
### Content Security
Inline scripts, eval() usage, and third-party resource loading patterns that create XSS risks aren't analyzed.
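Several of the gaps above (cookie flags, mixed content, information disclosure, inline script) can be checked from the same HTTP response a header scanner already fetches; it just has to look at Set-Cookie, the informational headers and the body. The following Python is an added example of doing that (not ZeriFlow's or SecurityHeaders.com's code); the response headers and HTML body are constructed for the example, and the body checks are simple regexes rather than a real HTML parser, so they illustrate the idea rather than serve as a production scanner.

```python
import re

# Constructed sample response (not captured from any real site). Its security
# headers could pass a header-only scan while the rest is in poor shape.
HEADERS = [
    ("Server", "Apache/2.4.49 (Unix) PHP/7.4.3"),
    ("X-Powered-By", "PHP/7.4.3"),
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
    ("Set-Cookie", "session=1a2b3c; Path=/"),
    ("Set-Cookie", "csrftoken=9z8y; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "prefs=dark; Path=/; Secure; SameSite=None"),
]
BODY = """<html><head>
<link rel="stylesheet" href="http://cdn.example.test/site.css">
<script src="https://cdn.example.test/app.js"></script>
<script>document.title = location.hash.slice(1);</script>
</head><body>
<img src="http://img.example.test/logo.png">
<button onclick="doThing()">Go</button>
</body></html>"""

VERSION_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")


def cookie_findings(headers):
    """Flag Set-Cookie lines missing Secure, HttpOnly or SameSite.
    Set-Cookie may repeat, so headers is a list of (name, value) pairs."""
    findings = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";") if p.strip()]
        cookie = parts[0].split("=", 1)[0]
        attrs = {}
        for attr in parts[1:]:
            k, _, v = attr.partition("=")
            attrs[k.strip().lower()] = v.strip().lower()
        if "secure" not in attrs:
            findings.append(f"{cookie}: missing Secure (sent over plain HTTP too)")
        if "httponly" not in attrs:
            findings.append(f"{cookie}: missing HttpOnly (readable by injected script)")
        if "samesite" not in attrs:
            findings.append(f"{cookie}: missing SameSite (sent on cross-site requests)")
        elif attrs["samesite"] == "none" and "secure" not in attrs:
            findings.append(f"{cookie}: SameSite=None without Secure is rejected by browsers")
    return findings


def disclosure_findings(headers):
    """Flag headers that reveal server software or versions."""
    return [f"{name}: {value}" for name, value in headers
            if name.lower() in VERSION_HEADERS]


def mixed_content_findings(body):
    """Return http:// URLs referenced from src/href attributes of an HTTPS page."""
    return re.findall(r"""(?:src|href)\s*=\s*["']?(http://[^"'\s>]+)""", body, re.I)


def inline_script_findings(body):
    """Count script blocks without src and inline event handlers; both need
    'unsafe-inline' (or nonces/hashes) in CSP and are where XSS usually lands."""
    inline_blocks = re.findall(r"<script\b(?![^>]*\bsrc\s*=)[^>]*>", body, re.I)
    handlers = re.findall(r"\son[a-z]+\s*=", body, re.I)
    return {"inline_script_blocks": len(inline_blocks), "event_handlers": len(handlers)}


def scan(headers, body):
    return {
        "cookies": cookie_findings(headers),
        "disclosure": disclosure_findings(headers),
        "mixed_content": mixed_content_findings(body),
        "inline_script": inline_script_findings(body),
    }


if __name__ == "__main__":
    for category, result in scan(HEADERS, BODY).items():
        print(category, result)
```

On this sample the session cookie, the one that matters most, has none of the three flags, the server announces an exact Apache and PHP version, two sub-resources load over plain HTTP, and the page relies on an inline script block and an inline event handler. A grade computed from the six headers alone sees none of it.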
### Performance and Accessibility
Security isn't just about preventing attacks — a slow site with poor accessibility also impacts user trust and SEO rankings.
## Why You Need More Than a Header Scanner
Think of your website's security like a house inspection. SecurityHeaders.com checks whether the locks on your doors are good quality. That's important, but a proper inspection also checks the foundation, the wiring, the roof, and the smoke detectors.
A comprehensive security assessment should cover at minimum:
1. TLS/SSL configuration — Certificate validity, protocol versions, cipher strength
2. HTTP security headers — The six headers SecurityHeaders.com checks, plus others
3. Cookie security — Proper flags on all cookies
4. Content security — Mixed content, CSP effectiveness, inline script risks
5. DNS & email security — SPF, DKIM, DMARC, DNSSEC
6. Information disclosure — Server fingerprinting, exposed files
7. Privacy practices — Tracking scripts, referrer leakage
8. Best practices — robots.txt, sitemap, security.txt
A header-only check gives you a false sense of security. You might have perfect headers but an expired or misconfigured TLS certificate, or cookies that leak session tokens.
## ZeriFlow vs SecurityHeaders.com (Feature Comparison Table)
| Feature | SecurityHeaders.com | ZeriFlow |
|---|---|---|
| HTTP security headers | 6 headers checked | 11+ headers checked |
| SSL/TLS analysis | No | Full analysis (certificate, protocols, ciphers) |
| Cookie security | No | Yes (Secure, HttpOnly, SameSite flags) |
| Mixed content detection | No | Yes |
| DNS security (SPF/DKIM/DMARC) | No | Yes |
| DNSSEC verification | No | Yes |
| Information disclosure | No | Yes (server fingerprinting, exposed files) |
| Content security analysis | No | Yes (inline scripts, CSP effectiveness) |
| Privacy checks | No | Yes (tracking, referrer leakage) |
| Performance metrics | No | Yes (via Lighthouse integration) |
| Score type | Letter grade (A+ to F) | Numerical score (/100) |
| Actionable recommendations | Limited | Detailed fix instructions per check |
| Scan history | No | Yes (track progress over time) |
| Price | Free | Free tier available |
## Which Tool Is Right for You?
Use SecurityHeaders.com when:
- You need a quick header check during development
- You want to verify a specific header is being served
- You're debugging a CSP or HSTS configuration

Use a full scanner like ZeriFlow when:
- You want to know your actual security posture
- You're preparing for a client delivery or audit
- You need actionable recommendations across all security areas
- You want to track your security improvements over time
The two tools aren't competitors — they serve different purposes. SecurityHeaders.com is a focused tool for one specific aspect of web security. ZeriFlow provides the complete picture.
## Get a Full Security Scan Free
If you've only been checking your headers, you're only seeing about 15% of your security posture. The other 85% — SSL configuration, cookie security, DNS setup, information disclosure, and more — requires a broader scan.
ZeriFlow scans your website across 12+ security categories in under 60 seconds and gives you a score out of 100 with specific, actionable recommendations for every issue found.
Start with the free plan — no credit card required. Enter your URL and see what SecurityHeaders.com isn't telling you about your website's security.
