Antoine Duno
Founder of ZeriFlow · 10 years fullstack engineering
Key Takeaways
- SecurityHeaders.com is the go-to tool for quick HTTP header checks, and it does that job well. But header scanning is only one part of website security. This comparison shows what SecurityHeaders.com covers, where it stops, and what a more complete scanner adds.
- Includes copy-paste code examples and step-by-step instructions.
- Free automated scan available to verify your implementation.
SecurityHeaders.com vs ZeriFlow: Which Security Scanner Is More Complete?
SecurityHeaders.com has been the default answer for "how do I check my security headers?" for years. It's fast, free, requires no account, and gives a clear letter grade. For a lot of developers, running a scan on SecurityHeaders.com before launch has become as routine as running Lighthouse.
The question worth asking is: what does that letter grade actually tell you, and what does it miss?
This comparison goes through SecurityHeaders.com honestly — what it does well, what it doesn't cover, and how ZeriFlow fills those gaps. The goal isn't to dismiss SecurityHeaders.com, which is genuinely useful for what it does, but to give you a clear picture of what "passing" a header check means for your overall security posture.
What SecurityHeaders.com Checks
SecurityHeaders.com evaluates HTTP response headers and grades them from A+ to F. Specifically, it looks for the presence and correct configuration of:
- Content-Security-Policy (CSP) — controls which resources the browser can load
- X-Content-Type-Options — prevents MIME-type sniffing
- X-Frame-Options — controls whether the page can be embedded in iframes
- Strict-Transport-Security (HSTS) — enforces HTTPS connections
- Referrer-Policy — controls how much referrer information is included with requests
- Permissions-Policy — limits access to browser features (geolocation, camera, etc.)
- Cross-Origin headers (COOP, COEP, CORP) — cross-origin isolation headers that control which documents share a browsing context group and which cross-origin resources may be embedded
That's a meaningful list. These headers matter, and a lot of websites fail to configure them correctly. Getting an A+ from SecurityHeaders.com is a legitimate signal that you've done the header hygiene work.
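To make the list above concrete, here is an added example, written for this article and not SecurityHeaders.com's or ZeriFlow's code, that parses a raw HTTP response head and evaluates the seven headers the way a header scanner does: presence first, then the common misconfigurations (a CSP that allows `'unsafe-inline'` without a nonce, an HSTS `max-age` measured in minutes, an `X-Frame-Options: ALLOW-FROM` that browsers ignore). The two sample responses are constructed, and the pass/fail rules, the one-year HSTS threshold, the Referrer-Policy allowlist and the letter-grade mapping are simplified assumptions, not either tool's published scoring.

```python
import re

ONE_YEAR = 31536000  # HSTS max-age threshold used here (assumption; common guidance is >= 1 year)
CORE = ("content-security-policy", "x-content-type-options", "x-frame-options",
        "strict-transport-security", "referrer-policy", "permissions-policy")
CROSS_ORIGIN = ("cross-origin-opener-policy", "cross-origin-embedder-policy",
                "cross-origin-resource-policy")
# Referrer-Policy values that never send the path cross-origin (assumed allowlist)
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}

# Constructed sample responses, not captured from any real site.
STRONG_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-r4nd0m'; "
    "object-src 'none'; base-uri 'none'; frame-ancestors 'none'\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: DENY\r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains; preload\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Permissions-Policy: geolocation=(), camera=(), microphone=()\r\n"
    "Cross-Origin-Opener-Policy: same-origin\r\n"
    "Cross-Origin-Embedder-Policy: require-corp\r\n"
    "Cross-Origin-Resource-Policy: same-origin\r\n"
    "\r\n"
)
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "Content-Security-Policy: default-src * 'unsafe-inline' 'unsafe-eval'\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "X-Frame-Options: ALLOW-FROM https://partner.example\r\n"
    "\r\n"
)


def parse_headers(raw):
    """Parse a raw HTTP response head into {lowercase-name: value}; repeated headers are comma-joined."""
    headers = {}
    for line in raw.split("\r\n")[1:]:
        if not line:
            break  # blank line ends the head
        name, _, value = line.partition(":")
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def check_headers(h):
    """Return {header: (passed, note)} for the headers SecurityHeaders.com grades."""
    r = {}
    csp = h.get("content-security-policy")
    if csp is None:
        r[CORE[0]] = (False, "missing")
    elif ("'unsafe-inline'" in csp or "'unsafe-eval'" in csp) and "'nonce-" not in csp and "'strict-dynamic'" not in csp:
        r[CORE[0]] = (False, "unsafe-inline/unsafe-eval without nonce or strict-dynamic")
    elif re.search(r"(default|script)-src[^;]*\*", csp):
        r[CORE[0]] = (False, "wildcard source in default-src or script-src")
    else:
        r[CORE[0]] = (True, "ok")

    xcto = h.get("x-content-type-options", "").lower()
    r[CORE[1]] = (xcto == "nosniff", "ok" if xcto == "nosniff" else "missing or not 'nosniff'")

    xfo = h.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        r[CORE[2]] = (True, "ok")
    elif not xfo and csp and "frame-ancestors" in csp:
        r[CORE[2]] = (True, "absent, but CSP frame-ancestors covers framing")
    elif not xfo:
        r[CORE[2]] = (False, "missing")
    else:
        r[CORE[2]] = (False, "ALLOW-FROM and other non-standard values are ignored by modern browsers")

    hsts = h.get("strict-transport-security")
    m = re.search(r"max-age=(\d+)", hsts or "", re.I)
    age = int(m.group(1)) if m else 0
    if hsts is None:
        r[CORE[3]] = (False, "missing")
    elif age < ONE_YEAR:
        r[CORE[3]] = (False, f"max-age={age} is under one year")
    else:
        r[CORE[3]] = (True, "ok" if "includesubdomains" in hsts.lower() else "ok, but includeSubDomains not set")

    chosen = h.get("referrer-policy", "").split(",")[-1].strip().lower()  # browsers use the last value they understand
    r[CORE[4]] = (chosen in SAFE_REFERRER, "ok" if chosen in SAFE_REFERRER else f"missing or weak ({chosen or 'none'})")

    r[CORE[5]] = ("permissions-policy" in h, "ok" if "permissions-policy" in h else "missing")
    for name in CROSS_ORIGIN:
        r[name] = (name in h, "ok" if name in h else "missing")
    return r


def grade(results):
    """A+ when everything passes, A when only cross-origin headers are missing, then one step down per failing core header (assumed mapping)."""
    core_failed = sum(1 for k in CORE if not results[k][0])
    if core_failed == 0:
        return "A+" if all(results[k][0] for k in CROSS_ORIGIN) else "A"
    return {1: "B", 2: "C", 3: "D"}.get(core_failed, "F")


def scan(raw_response):
    """Grade a raw response head; returns (letter, per-header results)."""
    results = check_headers(parse_headers(raw_response))
    return grade(results), results


if __name__ == "__main__":
    for label, raw in (("strong", STRONG_RESPONSE), ("weak", WEAK_RESPONSE)):
        letter, results = scan(raw)
        print(f"{label}: {letter}")
        for header, (ok, note) in results.items():
            print(f"  {'PASS' if ok else 'FAIL'} {header}: {note}")
```

Run it and the constructed strong response grades A+ while the weak one grades F with a reason per header. The `X-Frame-Options` rule is the one worth copying into your own checks: a missing header is fine when the CSP already carries `frame-ancestors`, which is the modern replacement.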
The Grade Breakdown
| Grade | What It Means |
|---|---|
| A+ | All major headers present and configured well |
| A | Most headers present, minor gaps |
| B | Some headers missing or misconfigured |
| C / D | Significant header gaps |
| F | Missing most or all security headers |
The tool also shows which specific headers are missing or misconfigured, with explanations. This is genuinely useful — the explanations are developer-friendly and link to relevant documentation.
Where SecurityHeaders.com Stops
Here is the honest limitation: HTTP security headers are one category of website security. They're important, but they're not the whole picture.
A website can score A+ on SecurityHeaders.com and still be critically vulnerable in several ways:
SSL/TLS configuration issues. An expired or soon-to-expire certificate, an incomplete chain, weak cipher suites, missing OCSP stapling, or TLS 1.0/1.1 still enabled — none of these are checked. SecurityHeaders.com confirms that the HSTS header is present; whether the TLS endpoint that header points browsers at is actually configured well is a separate question it never asks.
Cookie security attributes. Your session cookie might be missing the Secure, HttpOnly, or SameSite attributes: without Secure it is sent over plain HTTP, without HttpOnly any injected script can read it, and without SameSite the browser attaches it to cross-site requests, which is what CSRF relies on. SecurityHeaders.com doesn't evaluate Set-Cookie at all.
Mixed content. If your HTTPS page loads scripts, styles or images over HTTP, that's mixed content: browsers block the active kind and upgrade or block the passive kind, but either way the page is degraded or partially unprotected. SecurityHeaders.com can tell you whether HSTS or a CSP `upgrade-insecure-requests` directive is set; it does not fetch the page and look at what it actually loads.
Open ports and exposed services. If you''re running an admin panel on a non-standard port, or if a development server got deployed accidentally, SecurityHeaders.com won''t find it.
Information disclosure. Server version numbers in response headers, directory listing enabled, debug mode active, sensitive files accessible — these are common findings that header checks don''t cover.
Code-level vulnerabilities. Hardcoded secrets, SQL injection patterns, XSS vulnerabilities in client-side code — outside scope.
No monitoring. SecurityHeaders.com doesn't watch your site over time. If your CSP header disappears after a deployment, you won't know until someone else checks — or until something bad happens.
No API for the free scan. There's no supported way to call SecurityHeaders.com from a CI/CD pipeline or on a schedule. Scripts that request the results page and read the `X-Grade` response header it sends back do exist, but that is an unofficial interface that can change without notice.
What ZeriFlow Adds
ZeriFlow runs 80+ checks across the full security surface of a website, including everything SecurityHeaders.com checks plus the categories above.
Headers Coverage (Same as SecurityHeaders.com, Plus More)
ZeriFlow checks all the same headers SecurityHeaders.com evaluates: CSP, X-Content-Type-Options, X-Frame-Options, HSTS, Referrer-Policy, Permissions-Policy, COOP/COEP/CORP. It also checks headers that leak information: Server (software and version disclosure) and X-Powered-By (framework fingerprinting). SecurityHeaders.com flags those too; the difference is that ZeriFlow reports them next to its other information-disclosure findings (directory listing, exposed files) instead of as isolated header warnings.
What ZeriFlow Covers Beyond Headers
SSL/TLS Analysis:
- Certificate validity and expiry (with alerts before expiry)
- Certificate chain completeness
- Cipher suite strength — weak ciphers like RC4 and 3DES flagged
- Protocol version support — TLS 1.0 and 1.1 should be disabled
- OCSP stapling status
- HSTS preload list status
- Certificate Transparency log presence
Cookie Security:
- Secure flag — cookie sent only over HTTPS
- HttpOnly flag — cookie inaccessible to JavaScript
- SameSite attribute — CSRF protection
- Cookie path and domain scope analysis
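The cookie checks above are straightforward to reproduce. The following is an added example for this article, not ZeriFlow's code: it parses Set-Cookie values from a response head and reports the Secure, HttpOnly, SameSite and Domain findings, plus the `__Host-`/`__Secure-` prefix rules that browsers enforce. The sample cookies are constructed, and the wording of each finding is my own.

```python
# Constructed Set-Cookie values, not captured from a real site.
SAMPLE_COOKIES = [
    "sessionid=9f3c1a; Path=/",                                        # weak
    "__Host-session=9f3c1a; Path=/; Secure; HttpOnly; SameSite=Lax",   # sound
    "tracking=xyz; Domain=example.com; Secure; SameSite=None",         # wide scope, no HttpOnly
]


def parse_set_cookie(line):
    """Split one Set-Cookie value into (name, {lowercase attribute: value}). Flags map to ''."""
    parts = [p.strip() for p in line.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def check_cookie(line):
    """Return (name, [findings]) for one Set-Cookie value; an empty list means the attributes are sound."""
    name, a = parse_set_cookie(line)
    findings = []
    if "secure" not in a:
        findings.append("no Secure: the browser will also send it over plain http://")
    if "httponly" not in a:
        findings.append("no HttpOnly: readable by any script running on the page")
    samesite = a.get("samesite", "").lower()
    if samesite == "none" and "secure" not in a:
        findings.append("SameSite=None without Secure: browsers reject the cookie")
    elif samesite == "none":
        findings.append("SameSite=None: sent on cross-site requests, no browser-side CSRF protection")
    elif samesite not in ("lax", "strict"):
        findings.append("no SameSite: behaviour depends on the browser default (Chromium treats it as Lax, others may not)")
    if "domain" in a:
        # A Domain attribute widens the cookie to every subdomain of that host.
        findings.append(f"Domain={a['domain']}: shared with every subdomain of that host")
    if name.startswith("__Host-") and ("secure" not in a or "domain" in a or a.get("path") != "/"):
        findings.append("__Host- prefix needs Secure, Path=/ and no Domain; browsers drop it otherwise")
    elif name.startswith("__Secure-") and "secure" not in a:
        findings.append("__Secure- prefix needs Secure; browsers drop it otherwise")
    return name, findings


def check_response_cookies(raw_response):
    """Evaluate every Set-Cookie header in a raw HTTP response head; returns {cookie name: findings}."""
    out = {}
    for line in raw_response.split("\r\n")[1:]:
        if not line:
            break  # blank line ends the head
        header, _, value = line.partition(":")
        if header.strip().lower() == "set-cookie":
            name, findings = check_cookie(value.strip())
            out[name] = findings
    return out


if __name__ == "__main__":
    for cookie in SAMPLE_COOKIES:
        name, findings = check_cookie(cookie)
        print(f"{name}: {'OK' if not findings else ''}")
        for f in findings:
            print(f"  - {f}")
```

The prefix rule is the part most checklists skip: naming the session cookie `__Host-session` makes the browser itself refuse it unless Secure and `Path=/` are set and no Domain is present, so a misconfiguration shows up as a missing cookie in testing instead of a silent weakness in production.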
Content and Runtime:
- Mixed content detection (HTTP resources on HTTPS pages)
- Subresource Integrity (SRI) on external scripts
- Information disclosure (server headers, error messages)
- Directory listing detection
- Common sensitive files exposed (.env, .git, backup files)
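Mixed content and missing SRI are both found the same way: fetch the page and walk its subresources. Here is an added example, written for this article rather than taken from ZeriFlow, that does that over a constructed HTML document with the standard-library parser. It separates active mixed content (scripts, frames, styles, which browsers block) from passive mixed content (images and media, which browsers upgrade or block), and lists cross-origin scripts and stylesheets that carry no `integrity` attribute. The active/passive split and the page URL are assumptions I chose for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Browsers block "active" mixed content outright and upgrade or block "passive" content
# depending on the browser; this split is an assumption for the example, not a scanner's list.
ACTIVE = {"script", "iframe", "link", "object", "embed"}
PASSIVE = {"img", "audio", "video", "source"}

# Constructed page, not fetched from anywhere.
PAGE_URL = "https://shop.example/"
SAMPLE_HTML = """<!doctype html><html><head>
<link rel="stylesheet" href="https://fonts.example/site.css">
<script src="https://cdn.example/lib.js" integrity="sha384-AAAA" crossorigin="anonymous"></script>
<script src="http://cdn.example/legacy.js"></script>
<script src="/static/app.js"></script>
</head><body>
<img src="http://images.example/banner.png">
<img src="//images.example/logo.png">
<iframe src="http://widgets.example/chat"></iframe>
</body></html>"""


def _origin(url):
    """(scheme, host, port) tuple used for the same-origin comparison."""
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port)


class ResourceScanner(HTMLParser):
    """Collect subresource URLs from start tags and classify them."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.mixed = []        # (kind, tag, absolute url)
        self.missing_sri = []  # (tag, absolute url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link":
            # Only stylesheets execute in the page; ignore icons, preconnect, etc.
            if "stylesheet" not in (a.get("rel") or "").lower().split():
                return
            ref = a.get("href")
        elif tag in ACTIVE | PASSIVE:
            ref = a.get("src") or a.get("data")
        else:
            return
        if not ref:
            return
        url = urljoin(self.page_url, ref)  # resolves relative paths and scheme-relative '//' references
        if urlsplit(url).scheme == "http":
            self.mixed.append(("active" if tag in ACTIVE else "passive", tag, url))
        if tag in ("script", "link") and _origin(url) != _origin(self.page_url) and not a.get("integrity"):
            self.missing_sri.append((tag, url))


def scan_html(page_url, html):
    """Return {'mixed': [...], 'missing_sri': [...]} for an HTTPS page and its HTML."""
    scanner = ResourceScanner(page_url)
    scanner.feed(html)
    return {"mixed": scanner.mixed, "missing_sri": scanner.missing_sri}


if __name__ == "__main__":
    report = scan_html(PAGE_URL, SAMPLE_HTML)
    for kind, tag, url in report["mixed"]:
        print(f"mixed content ({kind}) <{tag}> {url}")
    for tag, url in report["missing_sri"]:
        print(f"no SRI on cross-origin <{tag}> {url}")
```

On the sample page this reports three mixed-content findings (the legacy script and the iframe as active, the banner image as passive) and two cross-origin resources without SRI; the scheme-relative logo reference resolves to HTTPS and is correctly not flagged. A real scanner would also follow the HTML returned after redirects and look inside CSS for `url()` references, which this example does not.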
Port and Infrastructure:
- Common open ports that shouldn't be public
- Admin panel exposure
- Development server detection
Code Analysis (Pro tier):
- Static analysis of JavaScript for hardcoded secrets
- Known vulnerable library versions
- Client-side XSS patterns
The /100 Score vs Letter Grade
SecurityHeaders.com gives you a letter grade that covers header quality only. ZeriFlow gives you a /100 score that reflects your overall security posture across all categories.
The practical difference: an A+ from SecurityHeaders.com means your headers are good. A 90/100 from ZeriFlow means your overall security posture is strong. A 45/100 means you have significant gaps somewhere — and the scan tells you exactly where.
Feature Comparison Table
| Feature | SecurityHeaders.com | ZeriFlow Free | ZeriFlow Pro |
|---|---|---|---|
| HTTP Security Headers | Yes | Yes | Yes |
| SSL/TLS Analysis | No | Yes | Yes |
| Cookie Security | No | Yes | Yes |
| Mixed Content | No | Yes | Yes |
| Open Port Detection | No | Yes | Yes |
| Information Disclosure | No | Yes | Yes |
| Code Analysis | No | No | Yes |
| /100 Score | No (letter grade) | Yes | Yes |
| Monitoring & Alerts | No | No | Yes |
| REST API | No | No | Yes |
| CI/CD Integration | No | No | Yes |
| White-label PDF | No | No | Yes |
| Price | Free | Free | €9.99/mo |
When to Use SecurityHeaders.com
SecurityHeaders.com is still the right tool in specific situations:
- You want a quick check of headers only — for example, verifying that a CSP you just deployed is being served correctly
- You're sharing results with a non-technical stakeholder who wants a simple grade
- You're checking a site you don't own — SecurityHeaders.com requires no account, and the request to the target comes from its scanner rather than from your machine (tick "Hide results" if you don't want the scan listed on its recent-scans page)
- You're following up on a specific header recommendation from a security audit
It's a useful, specialized tool. The mistake is treating it as a comprehensive security check.
When to Use ZeriFlow
ZeriFlow is the better choice when you need:
- A complete security picture — headers, SSL, cookies, content, and code together
- A /100 score to communicate security posture to stakeholders or for compliance documentation
- Ongoing monitoring — scheduled scans that alert you when something changes
- CI/CD integration — blocking deployments that introduce security regressions
- A PDF report — for client presentations, audits, or compliance reviews
- API access — automating scans across multiple properties
The free tier covers the full Quick Scan at no cost. The Pro tier at €9.99/mo adds monitoring, API, and code analysis — the features that make ZeriFlow part of a continuous security workflow rather than a one-time check.
The Bottom Line
SecurityHeaders.com does one thing well: it tells you whether your HTTP security headers are configured correctly. If that's all you need to know, it's a great free tool and you should keep using it.
But website security is not just about headers. If you want to know whether your SSL configuration is solid, your cookies are properly secured, your site isn't leaking sensitive information through response headers, and your security posture is holding over time — you need a scanner that covers the full attack surface.
ZeriFlow's free scan runs the full check in 60 seconds at zeriflow.com/free-scan. Run it alongside a SecurityHeaders.com check and you'll immediately see how the two pictures differ.
See ZeriFlow in action — free scan.
80+ checks, zero false positives. No signup needed.