What Mozilla Observatory does well, and where it stops
Mozilla HTTP Observatory is an open source project by Mozilla that checks websites against security best practices. It evaluates HTTP headers, checks for HTTPS redirects, and scores cookie security. It provides a letter grade and a numeric score that can exceed 100, since bonus points are possible for extra measures.
SiteSecurityScore extends this analysis with TLS configuration checks, DNS security records (SPF, DKIM, DMARC), detailed cookie auditing, PDF reports, and an API for automation. If you need a complete picture of your site's security posture in a single scan, SiteSecurityScore fills the gaps that Observatory leaves open.
Feature comparison
Security Headers
| Feature | SiteSecurityScore | Observatory |
|---|---|---|
| Content Security Policy | ||
| Strict Transport Security | ||
| X-Frame-Options | ||
| X-Content-Type-Options | ||
| Referrer-Policy | ||
| Permissions-Policy | ||
Beyond Headers
| Feature | SiteSecurityScore | Observatory |
|---|---|---|
| TLS/SSL configuration analysis | ||
| DNS security (SPF, DKIM, DMARC) | ||
| Cookie security attributes | Basic | |
| Deep CSP policy breakdown | Partial | |
| CORS header analysis | ||
Features
| Feature | SiteSecurityScore | Observatory |
|---|---|---|
| Letter grade scoring (A+ to F) | ||
| Actionable fix recommendations | ||
| PDF report generation | ||
| REST API for automation | ||
| Browser extension (authenticated pages) | ||
| Free header generator tools | ||
| Continuous monitoring | ||
| Dark mode | ||
What SiteSecurityScore checks beyond headers
TLS/SSL configuration
Protocol version, cipher suites, certificate validity, and HSTS preload status. Know whether your encryption setup meets current best practices.
DNS security records
SPF, DKIM, and DMARC record analysis. Find gaps in your email authentication before attackers exploit them for phishing.
Cookie security audit
HttpOnly, Secure, SameSite, Path, Domain, and prefix checks for every cookie. Spot session hijacking and CSRF risks instantly.
Deep CSP analysis
Directive-by-directive breakdown of your Content Security Policy. Identifies unsafe-inline, overly broad wildcards, and missing directives.
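A minimal directive-by-directive CSP check covering the three findings named above, as an added example that is not SiteSecurityScore's or Observatory's code. The function names, finding strings, and the WEAK and STRICT policies are constructed; the set of directives it inspects is an assumption chosen for brevity.

```python
# Added example; WEAK and STRICT are constructed policies for illustration.
WEAK = "default-src *; script-src 'self' 'unsafe-inline' https:; style-src 'self'"
STRICT = ("default-src 'none'; script-src 'nonce-r4nd0m' 'strict-dynamic' "
          "'unsafe-inline' https:; object-src 'none'; base-uri 'none'; "
          "frame-ancestors 'none'")

NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
BROAD_SOURCES = ("*", "http:", "https:")
FETCH = ("script-src", "object-src")           # inherit from default-src
NO_FALLBACK = ("base-uri", "frame-ancestors")  # never inherit from default-src


def parse_csp(policy):
    """Parse a CSP value into {directive: [sources]}; a repeated directive is ignored.

    Sources are lower-cased for analysis only (nonces and hashes are case-sensitive).
    """
    directives = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return directives


def audit_csp(policy):
    """Return findings: unsafe-inline, broad sources, missing directives."""
    d = parse_csp(policy)
    findings = []
    for name in ("default-src", "script-src", "style-src"):
        sources = d.get(name, [])
        # Browsers ignore 'unsafe-inline' when a nonce or hash is present.
        if "'unsafe-inline'" in sources and not any(
                s.startswith(NONCE_OR_HASH) for s in sources):
            findings.append(f"{name}: 'unsafe-inline' allows inline code")
        # With 'strict-dynamic', host and scheme sources are ignored.
        if "'strict-dynamic'" not in sources:
            findings += [f"{name}: broad source {s}"
                         for s in sources if s in BROAD_SOURCES]
    for name in FETCH:
        if name not in d and "default-src" not in d:
            findings.append(f"missing {name} (no default-src fallback)")
    findings += [f"missing {name}" for name in NO_FALLBACK if name not in d]
    return findings
```

The STRICT policy yields no findings because its `'unsafe-inline'` and `https:` entries only serve as fallbacks for browsers that do not support nonces or `'strict-dynamic'`.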
PDF security reports
Download a professional, shareable report with your full scan results, letter grade, and prioritized recommendations.
Daily monitoring
Track your security posture over time with automated daily scans. Get notified when headers change or your score drops.
How scoring compares
Mozilla Observatory
Observatory uses a point system where sites start at 0 and earn or lose points based on individual checks. It can score above 100 with bonus points for extra measures like CSP with strict-dynamic or Subresource Integrity. The final number maps to a letter grade from A+ down to F.
SiteSecurityScore
SiteSecurityScore uses a weighted model across four categories: HTTP headers, TLS configuration, DNS security, and cookie attributes. The result is a clean 0 to 100 score with a corresponding letter grade from A+ to F. Each category contributes proportionally, so you can see exactly where to improve.
Free security header generators
Knowing which headers are missing is only half the job. You also need correct values. SiteSecurityScore includes free generator tools that produce copy-paste configurations for your web server.
Scan pages behind login walls
Chrome Extension
Server-side scanners (including Mozilla Observatory) can only reach publicly accessible URLs. The SiteSecurityScore browser extension captures real response headers from your authenticated sessions. Scan admin panels, internal dashboards, and staging environments with one click.
Try a free scan right now
Enter any URL and get a full security analysis covering headers, CSP, TLS, DNS, and cookies. No account required.
Frequently asked questions
Is SiteSecurityScore a free alternative to Mozilla Observatory?
Yes. SiteSecurityScore offers a free tier that lets you scan any website and receive a detailed security report covering HTTP headers, CSP, TLS, DNS, and cookie security. Paid plans add API access, PDF reports, continuous monitoring, and higher scan limits.
What does SiteSecurityScore check that Mozilla Observatory does not?
SiteSecurityScore goes beyond HTTP headers to analyze TLS/SSL configuration, DNS security records (SPF, DKIM, DMARC), detailed cookie security attributes, CORS headers, and Permissions-Policy. It also provides actionable fix recommendations, downloadable PDF reports, a REST API for automation, a browser extension for scanning authenticated pages, and free header generator tools.
Is Mozilla Observatory still maintained?
Mozilla Observatory received a major rewrite and relaunched in 2024. However, the new version removed the public API that many teams relied on for automated scanning. The web interface is still available, but teams that need API access or features beyond basic header checks may need to look elsewhere.
Does SiteSecurityScore have an API?
Yes. SiteSecurityScore provides a REST API that returns structured JSON results for automated security scanning, CI/CD pipeline integration, and compliance workflows. API keys are available through your account dashboard with up to five active keys.
Can SiteSecurityScore scan pages behind a login?
Yes. The SiteSecurityScore Chrome extension captures real response headers from your authenticated browser sessions, letting you scan dashboards, admin panels, and internal tools that server-side scanners cannot reach.