SiteSecurityScore vs SecurityHeaders.com

SecurityHeaders.com only checks six to eight HTTP response headers, leaving TLS configuration, DNS records, cookie security, and CSP policy details uncovered. SiteSecurityScore analyzes all of that in one scan with actionable fix recommendations.

Website security goes beyond response headers

Modern website security involves much more than response headers alone. Your TLS configuration, DNS records, and cookie attributes all play a role in protecting your users. SiteSecurityScore was built to give you a complete picture in one scan, so you do not need to jump between multiple tools.

SecurityHeaders.com scans a URL, reads the HTTP response headers, and assigns a letter grade from A+ to F. It checks six to eight headers: Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy.

Feature comparison

Security Headers

Feature | SiteSecurityScore | SecurityHeaders
Content Security Policy (CSP)
Strict Transport Security (HSTS)
X-Frame-Options
X-Content-Type-Options
Referrer-Policy
Permissions-Policy

Beyond Headers

Feature | SiteSecurityScore | SecurityHeaders
TLS/SSL configuration analysis
DNS security (SPF, DKIM, DMARC)
Cookie security attributes
Deep CSP policy breakdown
CORS header analysis

Features

Feature | SiteSecurityScore | SecurityHeaders
Letter grade scoring (A+ to F)
Actionable fix recommendations
PDF report generation
REST API for automation (SecurityHeaders: ending 2026)
Browser extension (authenticated pages)
Free header generator tools
Learning center with guides
Dark mode

What SiteSecurityScore checks beyond headers

TLS/SSL configuration

Protocol version, cipher suites, certificate validity, and HSTS preload status. Know whether your encryption setup meets current best practices.

DNS security records

SPF, DKIM, and DMARC record analysis. Find gaps in your email authentication before attackers exploit them for phishing.

Cookie security audit

HttpOnly, Secure, SameSite, Path, Domain, and prefix checks for every cookie. Spot session hijacking and CSRF risks instantly.

Deep CSP analysis

Directive-by-directive breakdown of your Content Security Policy. Identifies unsafe-inline, overly broad wildcards, and missing directives.
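A directive-by-directive pass over a policy string, as an added example (not SiteSecurityScore's code). The function names and the sample policy are constructed; only `*` and scheme-only sources are treated as overly broad, and only the directives that never fall back to default-src are reported as missing.

```python
# Added example; SAMPLE_POLICY is a constructed Content-Security-Policy value.
NO_FALLBACK = ("base-uri", "form-action", "frame-ancestors")  # never inherit default-src
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
BROAD = ("*", "http:", "https:")  # wildcard or scheme-only sources


def parse_csp(policy):
    """Map each directive name to its source list; the first duplicate wins."""
    directives = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def analyze_csp(policy):
    """Return findings as 'directive: issue' strings, in policy order."""
    directives = parse_csp(policy)
    findings = []
    for name, sources in directives.items():
        lowered = [s.lower() for s in sources]
        # Browsers ignore 'unsafe-inline' once a nonce or hash is present.
        pinned = any(s.startswith(HASH_OR_NONCE) for s in lowered)
        if "'unsafe-inline'" in lowered and not pinned:
            findings.append(f"{name}: 'unsafe-inline' without nonce or hash")
        findings += [f"{name}: broad source {s}" for s in lowered if s in BROAD]
    if "default-src" not in directives:
        findings.append("default-src: missing, no fallback for fetch directives")
    findings += [f"{d}: missing" for d in NO_FALLBACK if d not in directives]
    return findings


SAMPLE_POLICY = (
    "default-src 'self'; "
    "script-src 'self' 'unsafe-inline' https:; "
    "img-src *; "
    "style-src 'self' 'nonce-r4nd0m' 'unsafe-inline'; "
    "frame-ancestors 'none'"
)

if __name__ == "__main__":
    for finding in analyze_csp(SAMPLE_POLICY):
        print(finding)
```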

CORS header review

Checks Access-Control-Allow-Origin, credentials settings, and exposed headers to flag overly permissive cross-origin configurations.

PDF security reports

Download a professional, shareable report with your full scan results, letter grade, and prioritized recommendations.

API access that is here to stay

API sunset notice: Snyk announced that the SecurityHeaders.com API will be discontinued in April 2026. The free web scanner is expected to stay available, but teams that rely on the API for automated scanning, CI/CD pipelines, or compliance workflows will need to switch to a different provider.

With the SecurityHeaders.com API winding down, teams that depend on automated header checks need a reliable replacement. The SiteSecurityScore API returns structured JSON for every scan, covering headers, CSP, TLS, DNS, and cookies in a single request.

curl -X POST https://www.sitesecurityscore.com/api/scan \
  -H "x-api-key: sss_your_api_key_here" \
  -H "Content-Type: application/json" \
  -d '{"url": "example.com"}'

Use it in CI/CD pipelines, scheduled monitoring, compliance dashboards, or any workflow that previously relied on the SecurityHeaders API. API keys are managed through your account dashboard with up to five active keys.

Free security header generators

Knowing which headers are missing is only half the job. You also need correct values. SiteSecurityScore includes free generator tools that produce copy-paste configurations for your web server.

Scan pages behind login walls

Chrome Extension

Server-side scanners (including SecurityHeaders.com) can only reach publicly accessible URLs. The SiteSecurityScore browser extension captures real response headers from your authenticated sessions. Scan admin panels, internal dashboards, and staging environments with one click.

Try a free scan right now

Enter any URL and get a full security analysis covering headers, CSP, TLS, DNS, and cookies. No account required.

Frequently asked questions

Is SiteSecurityScore a free alternative to SecurityHeaders.com?

Yes. SiteSecurityScore offers a free tier that lets you scan any website and receive a detailed security report covering HTTP headers, CSP, TLS, DNS, and cookie security. Paid plans add API access, PDF reports, and higher scan limits.

What does SiteSecurityScore check that SecurityHeaders.com does not?

SiteSecurityScore goes beyond HTTP response headers. It also analyzes TLS/SSL configuration, DNS security records (SPF, DKIM, DMARC), cookie security attributes (HttpOnly, Secure, SameSite), deep CSP policy analysis, and generates downloadable PDF reports.

Does SiteSecurityScore have an API?

Yes. SiteSecurityScore provides a REST API that returns structured JSON results for automated security scanning, CI/CD pipeline integration, and compliance workflows. API keys are available through your account dashboard.

Can SiteSecurityScore scan pages behind a login?

Yes. The SiteSecurityScore Chrome extension captures real response headers from your authenticated browser sessions, letting you scan dashboards, admin panels, and internal tools that server-side scanners cannot reach.

Is the SecurityHeaders.com API being discontinued?

Snyk announced that the SecurityHeaders.com API will be discontinued in April 2026. The free web interface is expected to remain available, but teams relying on the API for automated scanning will need to migrate to an alternative like SiteSecurityScore.
