Where Mozilla Observatory stops and SiteSecurityScore takes over
Mozilla HTTP Observatory is a free security header and config scanning tool from Mozilla. It evaluates HTTP headers, checks for HTTPS redirects, and scores cookie flags, then maps the result to a letter grade and a numeric score out of 100 or higher.
SiteSecurityScore is everything you need for the configuration layer in one scan. It is free, instant, and needs no account, and it is purpose built for the layer attackers probe first. A single scan analyzes security headers, runs deep CSP analysis, and inspects TLS, DNS, cookies, CORS, and security.txt, then returns a clear letter grade with copy and paste fixes in seconds. Free continuous daily monitoring with email alerts, a REST API, a Chrome extension for authenticated pages, free header generator tools, and an MCP connector for Claude Code and ChatGPT Codex round out a platform built to grade and fix your posture fast. This is the layer you should never skip.
Feature comparison
Security Headers
| Feature | SiteSecurityScore | Observatory |
|---|---|---|
| Content Security Policy | ||
| Strict Transport Security | ||
| X-Frame-Options | ||
| X-Content-Type-Options | ||
| Referrer-Policy | ||
| Permissions-Policy |
Beyond Headers
| Feature | SiteSecurityScore | Observatory |
|---|---|---|
| TLS/SSL configuration analysis | ||
| DNS security (SPF, DKIM, DMARC) | ||
| Cookie security attributes | Basic | |
| Deep CSP policy breakdown | Partial | |
| CORS header analysis |
Features
| Feature | SiteSecurityScore | Observatory |
|---|---|---|
| Letter grade scoring (A+ to F) | ||
| Actionable fix recommendations | ||
| PDF report generation | ||
| REST API for automation | ||
| Browser extension (authenticated pages) | ||
| Free header generator tools | ||
| Continuous monitoring | ||
| Dark mode |
What SiteSecurityScore checks beyond headers
TLS/SSL configuration
Protocol version, cipher suites, certificate validity, and HSTS preload status. Know whether your encryption setup meets current best practices.
DNS security records
SPF, DKIM, and DMARC record analysis. Find gaps in your email authentication before attackers exploit them for phishing.
Cookie security audit
HttpOnly, Secure, SameSite, Path, Domain, and prefix checks for every cookie. Spot session hijacking and CSRF risks instantly.
Deep CSP analysis
Directive-by-directive breakdown of your Content Security Policy. Identifies unsafe-inline, overly broad wildcards, and missing directives.
PDF security reports
Download a professional, shareable report with your full scan results, letter grade, and prioritized recommendations.
Daily monitoring
Track your security posture over time with automated daily scans. Get notified when headers change or your score drops.
How scoring compares
Mozilla Observatory
Observatory uses a point system where sites start at 0 and earn or lose points based on individual checks. It can score above 100 with bonus points for extra measures like CSP with strict-dynamic or Subresource Integrity. The final number maps to a letter grade from A+ down to F.
SiteSecurityScore
SiteSecurityScore uses a weighted model across the full configuration layer, spanning HTTP headers, deep CSP analysis, TLS configuration, DNS security, cookies, and CORS. The result is a clean 0 to 100 score with a corresponding letter grade from A+ to F, paired with copy and paste fixes in seconds. Each category contributes proportionally, so you see exactly where to improve and how to fix it.
Free security header generators
Knowing which headers are missing is only half the job. You also need correct values. SiteSecurityScore includes free generator tools that produce copy-paste configurations for your web server.
Scan pages behind login walls
Chrome Extension
Server-side scanners (including Mozilla Observatory) can only reach publicly accessible URLs. The SiteSecurityScore browser extension captures real response headers from your authenticated sessions. Scan admin panels, internal dashboards, and staging environments with one click.
Try a free scan right now
Enter any URL and get a full security analysis covering headers, CSP, TLS, DNS, and cookies. No account required.
Start scanningFrequently asked questions
Is SiteSecurityScore a free alternative to Mozilla Observatory?
Yes, and it is the fastest way to grade and fix your security posture. SiteSecurityScore is free, instant, and needs no account. One scan covers HTTP headers, deep CSP analysis, TLS, DNS, cookies, CORS, and security.txt, then returns a letter grade with copy and paste fixes in seconds, plus free continuous daily monitoring with email alerts.
What does SiteSecurityScore check that Mozilla Observatory does not?
SiteSecurityScore is purpose built for the configuration layer attackers probe first. It analyzes TLS and SSL configuration, DNS security records (SPF, DKIM, DMARC), detailed cookie security attributes, CORS headers, Permissions-Policy, and security.txt, and runs deep CSP analysis. It delivers copy and paste fixes in seconds, downloadable PDF reports, free continuous daily monitoring with email alerts, a REST API, a Chrome extension for authenticated pages, free header generator tools, and an MCP connector for Claude Code and ChatGPT Codex.
Is Mozilla Observatory still maintained?
Mozilla Observatory received a major rewrite and relaunched in 2024. However, the new version removed the public API that many teams relied on for automated scanning. The web interface is still available, but teams that need API access or features beyond basic header checks may need to look elsewhere.
Does SiteSecurityScore have an API?
Yes. SiteSecurityScore provides a REST API that returns structured JSON results for automated security scanning, CI/CD pipeline integration, and compliance workflows. It also ships an MCP connector for Claude Code and ChatGPT Codex so agents can scan and fix directly. API keys are available through your account dashboard with up to five active keys.
Can SiteSecurityScore scan pages behind a login?
Yes. The SiteSecurityScore Chrome extension captures real response headers from your authenticated browser sessions, letting you scan dashboards, admin panels, and internal tools that server-side scanners cannot reach.