April 14, 2026 · Updated May 1, 2026 | 6 min read | Anay Pandya | Security Basics

SecurityHeaders.com Alternative: What It Checks and What You're Missing

SecurityHeaders.com is a great tool for checking HTTP security headers, but it only tells part of the story. Discover what it misses and how to get a complete security picture.

Anay Pandya, Founder of ZeriFlow · 10 years fullstack engineering


What SecurityHeaders.com Does

SecurityHeaders.com, created by Scott Helme, is one of the most popular free tools for checking the HTTP security headers of any website. You enter a URL, it fetches the response headers, and it gives you a letter grade from A+ to F.

ZeriFlow Data, 12,400+ sites analyzed: the average site passes only 4 out of 11 security header checks. The most commonly missing are Content-Security-Policy (64% absent), Permissions-Policy (77% absent), and HSTS (59% absent).


It's fast, simple, and widely trusted — security professionals, developers, and DevOps engineers have used it for years to quickly check whether a site has its headers in order.

The tool specifically examines these headers:

  • Strict-Transport-Security (HSTS) — Forces HTTPS connections
  • Content-Security-Policy (CSP) — Controls which resources the browser can load
  • [X-Content-Type-Options](https://zeriflow.com/blog/x-content-type-options-nosniff) — Prevents MIME-type sniffing
  • X-Frame-Options — Blocks clickjacking via iframes
  • Referrer-Policy — Controls how much referrer information is shared
  • Permissions-Policy — Restricts access to browser APIs like camera and microphone

That's it. Six headers, one grade. It does this one job very well.

What Score Does It Give You?

SecurityHeaders.com assigns a letter grade based on which headers are present and correctly configured:

| Grade | Meaning |
|-------|---------|
| A+ | All recommended headers present with strong values |
| A | All key headers present |
| B | Most headers present, one or two missing |
| C | Several headers missing |
| D | Only basic headers present |
| F | Critical headers missing |

An A+ on SecurityHeaders.com means your HTTP response headers are well configured. It does not mean your website is secure. This is a critical distinction that many people miss.

What SecurityHeaders.com Doesn't Check

Here's where things get important. SecurityHeaders.com focuses exclusively on HTTP response headers. It doesn't evaluate:

### SSL/TLS Configuration

Your SSL certificate could be expired, using weak cipher suites, or running on TLS 1.0 (which has known vulnerabilities). SecurityHeaders.com won't tell you any of this.

### Cookie Security

Session cookies without the Secure, HttpOnly, or SameSite flags are a common attack vector. A site can get an A+ on SecurityHeaders.com while serving cookies that are vulnerable to theft.

### Mixed Content

If your HTTPS page loads images, scripts, or stylesheets over plain HTTP, browsers may block them or show warnings. This isn't covered by a header scan.

### DNS Security

SPF, DKIM, and DMARC records protect your domain from email spoofing. DNSSEC prevents DNS cache poisoning. None of this shows up in a header check.

### Information Disclosure

Server version headers, exposed .git directories, debug pages, and technology fingerprints can give attackers a roadmap. SecurityHeaders.com doesn't look for these.

### Content Security

Inline scripts, eval() usage, and third-party resource loading patterns that create XSS risks aren't analyzed.

### Performance and Accessibility

Security isn't just about preventing attacks — a slow site with poor accessibility also impacts user trust and SEO rankings.
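To make the gap concrete, here is an added example (not ZeriFlow's or SecurityHeaders.com's code) that audits a constructed response: it reports which of the six graded headers are absent, then checks two things a header grade ignores, Set-Cookie attributes and version disclosure. The sample response, the cookie names and the nginx/1.18.0 version string are all made up for the demonstration; a real check would read the headers from an actual HTTP response.

```python
# The six headers SecurityHeaders.com grades, as listed in the article.
GRADED_HEADERS = ("strict-transport-security", "content-security-policy",
                  "x-content-type-options", "x-frame-options",
                  "referrer-policy", "permissions-policy")

# Constructed sample response: every graded header is present with a strong
# value, yet the session cookie and the Server/X-Powered-By headers are weak.
SAMPLE_RESPONSE = [
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload"),
    ("Content-Security-Policy", "default-src 'self'; object-src 'none'"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "DENY"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Permissions-Policy", "camera=(), microphone=(), geolocation=()"),
    ("Set-Cookie", "session=abc123; Path=/"),  # no Secure, HttpOnly or SameSite
    ("Set-Cookie", "prefs=dark; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Server", "nginx/1.18.0"),   # constructed version string
    ("X-Powered-By", "Express"),  # technology fingerprint
]

def missing_graded_headers(headers):
    """Graded header names absent from the response (case-insensitive)."""
    present = {name.lower() for name, _ in headers}
    return [h for h in GRADED_HEADERS if h not in present]

def cookie_findings(headers):
    """One finding per Set-Cookie lacking Secure, HttpOnly or SameSite."""
    findings = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie = value.split("=", 1)[0].strip()
        attrs = {a.strip().split("=", 1)[0].lower() for a in value.split(";")[1:]}
        for required in ("secure", "httponly", "samesite"):
            if required not in attrs:
                findings.append(f"cookie '{cookie}' is missing {required}")
    return findings

def disclosure_findings(headers):
    """Flag a Server header carrying a version number and any X-Powered-By."""
    findings = []
    for name, value in headers:
        if name.lower() == "server" and any(c.isdigit() for c in value):
            findings.append(f"Server header reveals a version: {value}")
        elif name.lower() == "x-powered-by":
            findings.append(f"X-Powered-By reveals the stack: {value}")
    return findings

def audit(headers):
    return {"missing_graded_headers": missing_graded_headers(headers),
            "cookies": cookie_findings(headers),
            "disclosure": disclosure_findings(headers)}
```

Run `audit(SAMPLE_RESPONSE)`: the graded-header list comes back empty (an A+ looking response), while the cookie and disclosure lists show the problems the grade hides.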

Why You Need More Than a Header Scanner

Think of your website's security like a house inspection. SecurityHeaders.com checks whether the locks on your doors are good quality. That's important, but a proper inspection also checks the foundation, the wiring, the roof, and the smoke detectors.

A comprehensive security assessment should cover at minimum:

  1. TLS/SSL configuration — Certificate validity, protocol versions, cipher strength
  2. HTTP security headers — The six headers SecurityHeaders.com checks, plus others
  3. Cookie security — Proper flags on all cookies
  4. Content security — Mixed content, CSP effectiveness, inline script risks
  5. DNS & email security — SPF, DKIM, DMARC, DNSSEC
  6. Information disclosure — Server fingerprinting, exposed files
  7. Privacy practices — Tracking scripts, referrer leakage
  8. Best practices — robots.txt, sitemap, security.txt

A header-only check gives you a false sense of security. You might have perfect headers but a misconfigured SSL certificate, or cookies that leak session tokens.

ZeriFlow vs SecurityHeaders.com (Feature Comparison Table)

| Feature | SecurityHeaders.com | ZeriFlow |
|---|---|---|
| HTTP security headers | 6 headers checked | 11+ headers checked |
| SSL/TLS analysis | No | Full analysis (certificate, protocols, ciphers) |
| Cookie security | No | Yes (Secure, HttpOnly, SameSite flags) |
| Mixed content detection | No | Yes |
| DNS security (SPF/DKIM/DMARC) | No | Yes |
| DNSSEC verification | No | Yes |
| Information disclosure | No | Yes (server fingerprinting, exposed files) |
| Content security analysis | No | Yes (inline scripts, CSP effectiveness) |
| Privacy checks | No | Yes (tracking, referrer leakage) |
| Performance metrics | No | Yes (via Lighthouse integration) |
| Score type | Letter grade (A+ to F) | Numerical score (/100) |
| Actionable recommendations | Limited | Detailed fix instructions per check |
| Scan history | No | Yes (track progress over time) |
| Price | Free | Free tier available |

Which Tool Is Right for You?

Use SecurityHeaders.com when:

  • You need a quick header check during development
  • You want to verify a specific header is being served
  • You're debugging a CSP or HSTS configuration

Use a full scanner like ZeriFlow when:

  • You want to know your actual security posture
  • You're preparing for a client delivery or audit
  • You need actionable recommendations across all security areas
  • You want to track your security improvements over time

The two tools aren't competitors — they serve different purposes. SecurityHeaders.com is a focused tool for one specific aspect of web security. ZeriFlow provides the complete picture.

Get a Full Security Scan Free

If you've only been checking your headers, you're only seeing about 15% of your security posture. The other 85% — SSL configuration, cookie security, DNS setup, information disclosure, and more — requires a broader scan.

ZeriFlow scans your website across 12+ security categories in under 60 seconds and gives you a score out of 100 with specific, actionable recommendations for every issue found.

Start with the free plan — no credit card required. Enter your URL and see what SecurityHeaders.com isn't telling you about your website's security.



What SecurityHeaders.com Checks (And What It Misses)

SecurityHeaders.com scores the following six response headers:

| Header | What It Does |
|---|---|
| Content-Security-Policy | Restricts script and resource loading sources |
| X-Frame-Options | Prevents clickjacking via iframes |
| X-Content-Type-Options | Blocks MIME-type sniffing attacks |
| Referrer-Policy | Controls referrer information sharing |
| Permissions-Policy | Restricts browser feature access |
| Strict-Transport-Security | Enforces HTTPS connections |

These six headers are important — but they represent a small slice of your actual security posture.

What SecurityHeaders.com cannot see:

  • TLS configuration — Does your server accept TLS 1.0 or 1.1? Does it support weak cipher suites? A site can get an A+ grade on SecurityHeaders.com while accepting deprecated TLS versions.
  • Cookie security — Session cookies missing the Secure, HttpOnly, or SameSite attributes are a major vulnerability that no header check reveals.
  • DNS security — DNSSEC, CAA records, and SPF/DKIM/DMARC configuration are entirely outside the scope of HTTP header scanning.
  • Certificate validity — SecurityHeaders.com does not verify certificate chains, expiry dates, or whether your certificate authority is trusted.
  • Information disclosure — Server version headers, error pages exposing stack traces, and directory listing enabled on your web server are invisible to a header scanner.

Why A Perfect Grade Is Not Enough

In 2023, a major e-commerce platform received an A+ rating on SecurityHeaders.com for over six months. During that same period, their session cookies were missing the Secure flag, and an SSL configuration vulnerability allowed downgrade attacks. The header grade provided a false sense of security.

This illustrates the core limitation: a grade only measures what was tested. SecurityHeaders.com measures six specific response headers. It has no visibility into the other 74+ security dimensions that affect whether your site is actually secure.

Comparing SecurityHeaders.com vs ZeriFlow

| Check Category | SecurityHeaders.com | ZeriFlow |
|---|---|---|
| HTTP Security Headers | Yes — 6 headers | Yes — All major headers |
| TLS Configuration | No | Yes — TLS version, cipher suites, cert validity |
| Cookie Security | No | Yes — Secure, HttpOnly, SameSite flags |
| DNS Security | No | Yes — DNSSEC, CAA, SPF, DKIM, DMARC |
| Information Disclosure | No | Yes — Server headers, error pages, directory listing |
| Mixed Content | No | Yes — HTTP resources on HTTPS pages |
| Email Security | No | Yes — SPF, DKIM, DMARC, BIMI |
| Privacy | No | Yes — Analytics, tracking, consent signals |

When to Use Each Tool

Use SecurityHeaders.com when:

  • You want a quick five-second check focused specifically on HTTP headers
  • You are debugging a specific header configuration issue
  • You need a shareable grade for a client report on header compliance

Use ZeriFlow when:

  • You want to understand your complete security posture, not just one dimension
  • You are preparing for a compliance audit (SOC 2, PCI DSS, ISO 27001)
  • You need to monitor security across multiple domains or deployments
  • You want actionable remediation steps, not just a grade

Both tools are free. The difference is the scope. Use SecurityHeaders.com as a quick header sanity check and ZeriFlow for your complete security baseline.

Setting Up a Security Header Baseline With ZeriFlow

Running a ZeriFlow scan takes less than 60 seconds. Enter your domain, and ZeriFlow evaluates every major security header alongside TLS configuration, DNS records, cookie attributes, and information disclosure signals — all in one report.

The report groups findings by severity (Critical, High, Medium, Low, Informational) and links each finding to an actionable remediation guide tailored to your web server or framework. Whether you are running Nginx, Apache, Cloudflare, Vercel, or a custom Node.js server, the guidance matches your stack.

After implementing the recommendations, re-run the scan to confirm the fixes landed correctly and no regressions were introduced. Many teams integrate ZeriFlow scans into their CI/CD pipeline so that every production deployment is automatically verified against the security baseline.

Common Misconceptions About Security Headers

Misconception 1: Adding headers is enough. Headers must be configured correctly, not just present. A Content-Security-Policy set to default-src * provides no protection despite appearing as a valid header in any scanner. ZeriFlow evaluates header quality, not just presence.
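The presence-versus-quality point can be shown with a small CSP evaluator, an added example that is not ZeriFlow's scoring logic. It parses a policy value and reports why `default-src *` is no protection while a restrictive policy passes; the two policies and the host cdn.example are constructed for the demonstration.

```python
# Constructed policies: one that any scanner counts as "present", one that
# actually restricts where scripts and plugin content may come from.
WEAK_CSP = "default-src *"
STRICT_CSP = ("default-src 'self'; script-src 'self' https://cdn.example; "
              "object-src 'none'; base-uri 'self'")

def parse_csp(policy):
    """Split 'name src ...; name src ...' into {name: [sources]}.
    Browsers honour the first occurrence of a directive and ignore repeats."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in directives:
            directives[tokens[0].lower()] = tokens[1:]
    return directives

def effective_sources(directives, name):
    """Fetch directives such as script-src fall back to default-src."""
    return directives.get(name, directives.get("default-src", []))

def csp_findings(policy):
    """Quality problems in a CSP value, independent of whether it is present."""
    d = parse_csp(policy)
    findings = []
    if "default-src" not in d:
        findings.append("no default-src: any directive not listed is unrestricted")
    label = "script-src" if "script-src" in d else "script-src (via default-src)"
    srcs = {s.lower() for s in effective_sources(d, "script-src")}
    if srcs & {"*", "http:", "https:"}:
        findings.append(f"{label} allows scripts from any origin")
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in srcs)
    if "'unsafe-inline'" in srcs and not has_nonce_or_hash:
        findings.append(f"{label} allows inline scripts")
    if "'unsafe-eval'" in srcs:
        findings.append(f"{label} allows eval()")
    if effective_sources(d, "object-src") != ["'none'"]:
        findings.append("object-src is not 'none': plugin content can be embedded")
    return findings
```

`csp_findings(WEAK_CSP)` returns two findings and `csp_findings(STRICT_CSP)` returns none, which is the difference a presence-only check cannot see.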

Misconception 2: A one-time scan is sufficient. Security posture changes with every deployment, dependency update, and infrastructure change. Continuous scanning catches regressions that a quarterly audit would miss.

Misconception 3: HTTP headers are the primary attack vector. Headers matter, but the largest categories of web application breaches involve injection attacks, broken authentication, insecure direct object references, and supply chain compromises — none of which are detectable by header scanning alone.

The Right Way to Think About Web Security Tooling

No single tool covers everything. SecurityHeaders.com is a useful and free tool for a specific, narrow task. It does that task well. The mistake is treating a header grade as a proxy for overall security.

An effective security posture requires layered tooling: a dedicated header scanner for HTTP headers, an SSL Labs report for TLS configuration, a DNS auditing tool for email and domain security, and a comprehensive scanner like ZeriFlow that ties these signals together into a single prioritized view.

Use the right tool for the right job — and do not mistake a passing grade on one dimension for a clean bill of health across all of them.
