SiteSecurityScore vs HostedScan

HostedScan is a paid hosted vulnerability scanning service that runs engines like OWASP ZAP, OpenVAS, and Nmap to surface CVEs, open ports, and web application flaws, with a limited free tier. SiteSecurityScore is the fastest way to grade and fix your security posture at the configuration layer attackers probe first, covering security headers, deep CSP, TLS, DNS, and cookies in one instant scan. It is free, needs no account or setup to start, and returns a letter grade with copy-paste fixes in seconds. These tools cover different layers, and the configuration layer is the one you should never skip.

Two layers of website security, and where each tool fits

HostedScan is a paid hosted vulnerability scanning service. It runs engines like OWASP ZAP for web application testing, OpenVAS for server and CVE scanning, Nmap for port discovery, and SSLyze for TLS analysis, then rolls findings into risk-based dashboards with scheduled scans, reports, and alerts on its paid plans. It offers a limited free tier. That kind of multi-engine scanner sits at the vulnerability layer.

The configuration layer is the one attackers probe first, and it is the layer you should never skip. A site can pass a heavy vulnerability scan and still ship without a Content Security Policy, without HSTS, with cookies missing Secure or HttpOnly, with a weak DNS posture, or with a CSP riddled with unsafe-inline. SiteSecurityScore is purpose-built for that layer and is the fastest way to grade and fix it. It returns a free, instant, developer-friendly read on headers, deep CSP, TLS, DNS, and cookies, with a letter grade and copy-paste fixes in seconds, plus free continuous daily monitoring so your posture stays locked down. No setup, no subscription to start.

HostedScan vs SiteSecurityScore: side-by-side feature comparison

The two tools cover different layers. SiteSecurityScore owns the configuration layer attackers probe first, while HostedScan focuses on multi-engine vulnerability scanning. The table below maps that out.

Configuration Layer

Feature | SiteSecurityScore | HostedScan
Content Security Policy (CSP) | | Partial
Deep CSP directive breakdown | |
Strict Transport Security (HSTS) | | Partial
X-Frame-Options | | Partial
X-Content-Type-Options | | Partial
Referrer-Policy and Permissions-Policy | |
COOP, COEP, CORP isolation headers | |

TLS, DNS and Cookies

Feature | SiteSecurityScore | HostedScan
TLS/SSL configuration and certificate | |
DNS records (SPF, DKIM, DMARC, CAA) | | Partial
Cookie security attributes | |
CORS header analysis | |
security.txt validation | |
Mixed content and info disclosure | | Partial

Workflow and Fixes

Feature | SiteSecurityScore | HostedScan
Instant scan, no account for basics | | Partial
Copy-paste fix generators | |
PDF report generation | |
REST API for automation | |
Browser extension for authenticated pages | |
Free daily monitoring with alerts | | Partial
MCP connector for Claude Code and Codex | |
Learning center with guides | |

Vulnerability Engines

Feature | SiteSecurityScore | HostedScan
Header and CSP posture letter grade | |
Network port scanning (Nmap) | |
Server CVE scanning (OpenVAS) | |
Web app scanning (OWASP ZAP) | |
Risk-based vulnerability dashboards | |
External attack surface mapping | |

What HostedScan covers, and what the config layer adds

HostedScan runs vulnerability engines. SiteSecurityScore delivers everything you need for the configuration and posture details that developers tune every release, all in one instant scan. Here is what that purpose-built layer brings to the table.

Security headers analysis

CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP, COEP, and CORP. Each one gets graded so you can see your posture at a glance.

Deep CSP analysis

Directive-by-directive breakdown of your Content Security Policy. It flags unsafe-inline, broad wildcards, and missing directives, then helps you build a tighter policy.
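
What a directive-by-directive check involves, shown as an added example rather than SiteSecurityScore's own code; the rule set, the function names and the sample policy are assumptions made for illustration.

```python
# Added example: directive-by-directive CSP audit. The rule set below is an
# assumption for illustration, not SiteSecurityScore's scoring logic.

BROAD_SOURCES = {"*", "http:", "https:"}          # each matches any host
FETCH_DIRECTIVES = ("script-src", "object-src")   # fall back to default-src
NO_FALLBACK = ("base-uri", "form-action", "frame-ancestors")
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header):
    """Split a CSP header value into {directive: [source, ...]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            # Browsers ignore a repeated directive, so the first one wins.
            # Sources are lowercased for matching only, not for re-emitting.
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy


def audit_csp(header):
    """Return sorted (directive, finding) tuples for one policy string."""
    policy = parse_csp(header)
    findings = []
    for name, sources in policy.items():
        # With a nonce or hash present, CSP2+ browsers ignore 'unsafe-inline'.
        guarded = any(s.startswith(NONCE_OR_HASH) for s in sources)
        for src in sources:
            if src == "'unsafe-inline'" and not guarded:
                findings.append((name, "unsafe-inline"))
            elif src in BROAD_SOURCES:
                findings.append((name, "broad source " + src))
    for name in FETCH_DIRECTIVES:
        if name not in policy and "default-src" not in policy:
            findings.append((name, "missing"))
    for name in NO_FALLBACK:  # these never inherit from default-src
        if name not in policy:
            findings.append((name, "missing"))
    return sorted(findings)


# Constructed sample policy, not taken from any real site.
SAMPLE = (
    "default-src 'self'; script-src 'self' 'unsafe-inline' https:; "
    "style-src 'self' 'unsafe-inline' 'nonce-r4nd0m'; img-src *; "
    "frame-ancestors 'none'"
)

if __name__ == "__main__":
    for directive, finding in audit_csp(SAMPLE):
        print(f"{directive}: {finding}")
```

The sample's style-src is not flagged because its nonce makes browsers disregard 'unsafe-inline', while base-uri and form-action are reported missing because they do not inherit from default-src.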

DNS security records

SPF, DKIM, DMARC, and CAA checks so you can close email authentication gaps before attackers use them for phishing or spoofing.

Cookie security audit

HttpOnly, Secure, SameSite, and prefix checks for every cookie, so session hijacking and CSRF risks surface right away.

CORS and security.txt

Reviews Access-Control-Allow-Origin and credentials settings for overly permissive sharing, and validates your security.txt disclosure file.

Letter grade and fixes

Every scan returns a clear letter grade with actionable fixes and copy-paste server config, so you spend time fixing rather than interpreting raw output.

Free continuous monitoring for your security posture

Configuration drifts quietly. A header gets dropped in a deploy, a certificate creeps toward expiry, or a CSP change slips through review. Without monitoring you find out when something breaks rather than when it changed.

SiteSecurityScore gives you free continuous daily monitoring. Automated daily scans check your security headers, Content Security Policy, TLS configuration, DNS records, and cookie security in a single pass, then email you the moment anything changes. It also supports CSP violation reporting and Network Error Logging so you catch policy issues from real browser traffic. HostedScan offers scheduled scans and alerts too, with continuous scanning on its paid plans.

Automated daily scans

Every monitored site is scanned once per day covering headers, CSP, TLS, DNS, and cookies.

Email alerts on changes

Get notified when posture shifts, a certificate nears expiry, or a header is removed.


Free generators to fix findings fast

Spotting a missing header is only half the job. You also need the correct value. SiteSecurityScore includes free header generator tools that produce copy-paste configurations for your web server, so a finding turns into a fix in seconds.

Scan authenticated pages with the browser extension

Chrome Extension

The SiteSecurityScore Chrome extension captures real response headers straight from your authenticated sessions, so you can grade admin panels, internal dashboards, and staging environments in one click. HostedScan supports authenticated web app scans through a recorded login, so both tools can reach past a login screen in their own way.


Run a free, instant security scan

Enter any URL and get everything you need for the configuration layer in one scan covering security headers, CSP, HSTS, TLS, DNS records, and cookies, with a letter grade and copy-paste fixes in seconds. No account, no setup, no subscription to start.


Frequently asked questions

Is SiteSecurityScore a replacement for HostedScan?

They cover different layers, and SiteSecurityScore owns the one attackers probe first. HostedScan is a paid hosted vulnerability scanning service that runs engines like OWASP ZAP, OpenVAS, and Nmap to find CVEs, open ports, and web application flaws across your infrastructure, with a limited free tier. SiteSecurityScore is the fastest way to grade and fix your security posture at the configuration layer, covering HTTP security headers, deep Content Security Policy analysis, TLS, DNS records, and cookie security in one instant scan. It is free, needs no account or setup to start, and returns a letter grade with copy-paste fixes in seconds. Run SiteSecurityScore to lock down the configuration layer you should never skip, then add a multi-engine scanner like HostedScan for infrastructure coverage.

What does SiteSecurityScore check that HostedScan focuses on less?

SiteSecurityScore is purpose-built for the HTTP response and DNS configuration layer, and it covers everything you need there in one scan. It analyzes security headers (Content Security Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP, COEP, CORP), performs directive-by-directive CSP analysis, audits cookie attributes (HttpOnly, Secure, SameSite), reviews CORS configuration, validates security.txt, checks DNS records (SPF, DKIM, DMARC, CAA), and flags mixed content and information disclosure. It then hands you copy-paste generators so every finding turns into a fix in seconds.

Does HostedScan check HTTP security headers and Content Security Policy in depth?

HostedScan centers on vulnerability detection through engines like OWASP ZAP, OpenVAS, Nmap, and SSLyze, covering CVEs, open ports, web application flaws, and TLS configuration. Its public scan types do not emphasize a dedicated, directive-level Content Security Policy breakdown or a header-by-header posture grade. SiteSecurityScore is purpose-built for exactly that, delivering deep directive-by-directive CSP analysis, copy-paste fix generators, and a clear letter grade in seconds, with no account or setup to start.

Can I monitor my security headers and TLS for free?

Yes, and SiteSecurityScore gives you continuous daily monitoring for free. It runs automated daily scans that check your security headers, Content Security Policy, TLS configuration, DNS records, and cookies in one pass, then emails you the moment something changes. It also supports CSP violation reporting and Network Error Logging so you catch policy issues from real browser traffic. HostedScan offers scheduled scans and alerts as well, with continuous scanning features on its paid plans.

Is SiteSecurityScore free to use as a HostedScan alternative?

Yes, and it is genuinely free to start. SiteSecurityScore gives you instant scans covering security headers, TLS, DNS, Content Security Policy, and cookie security, with no account and no subscription required to begin. Free continuous daily monitoring with email alerts, a REST API, a Chrome extension for authenticated pages, free header generator tools, and an MCP connector for Claude Code and ChatGPT Codex are all part of the package. Paid plans add PDF reports and higher limits. HostedScan offers a limited free tier and paid plans that unlock unlimited re-scans, scheduling, API access, and integrations.

Can SiteSecurityScore scan pages behind a login?

Yes. SiteSecurityScore ships a Chrome extension that captures real HTTP response headers straight from your authenticated sessions, so you can grade admin panels, internal dashboards, and staging environments in one click. HostedScan also supports authenticated web application scans using a recorded login for its ZAP-based engine, so both tools can reach pages past a login screen in their respective ways.

Why use SiteSecurityScore alongside a multi-engine vulnerability scanner?

Multi-engine scanners like HostedScan find vulnerabilities across servers, networks, and web apps. They do not cover the day-to-day header and CSP hygiene that developers tune every release. SiteSecurityScore is the essential layer you should not skip, giving you an instant, developer-friendly grade on the configuration layer attackers probe first, with clear fixes, copy-paste generators, free continuous daily monitoring with email alerts, a REST API, a Chrome extension for authenticated pages, free header generator tools, and an MCP connector for Claude Code and ChatGPT Codex. It is everything you need for the configuration layer in one scan, and it pairs perfectly with multi-engine scanning.
