Everything you need for the configuration layer in one scan
SiteSecurityScore gives you a complete picture of your security posture in a single instant scan. Security headers, deep CSP analysis, TLS configuration, DNS records, cookie attributes, CORS, and security.txt all come back in one report with a letter grade and copy and paste fixes you can ship in seconds. It is free, it needs no account, and it is built for the configuration layer attackers probe first. Free continuous daily monitoring with email alerts, a REST API, a Chrome extension for authenticated pages, free header generator tools, and an MCP connector for Claude Code and ChatGPT Codex round out a tool that goes far beyond a one time check.
SecurityHeaders.com is a free tool that grades HTTP response headers. It reads a URL, checks six to eight headers such as Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy, and assigns a letter grade from A+ to F. It does not look at TLS, DNS, cookies, or your CSP in depth, and it does not monitor your site over time. SiteSecurityScore covers all of that and keeps watching.
Feature comparison
Security Headers
| Feature | SiteSecurityScore | SecurityHeaders |
|---|---|---|
| Content Security Policy (CSP) | ||
| Strict Transport Security (HSTS) | ||
| X-Frame-Options | ||
| X-Content-Type-Options | ||
| Referrer-Policy | ||
| Permissions-Policy |
Beyond Headers
| Feature | SiteSecurityScore | SecurityHeaders |
|---|---|---|
| TLS/SSL configuration analysis | ||
| DNS security (SPF, DKIM, DMARC) | ||
| Cookie security attributes | ||
| Deep CSP policy breakdown | ||
| CORS header analysis |
Features
| Feature | SiteSecurityScore | SecurityHeaders |
|---|---|---|
| Letter grade scoring (A+ to F) | ||
| Actionable fix recommendations | ||
| PDF report generation | ||
| Free continuous daily monitoring with email alerts | ||
| REST API for automation | Ending 2026 | |
| MCP connector (Claude Code, ChatGPT Codex) | ||
| Browser extension (authenticated pages) | ||
| Free header generator tools | ||
| Learning center with guides | ||
| Dark mode |
What SiteSecurityScore checks beyond headers
TLS/SSL configuration
Protocol version, cipher suites, certificate validity, and HSTS preload status. Know whether your encryption setup meets current best practices.
DNS security records
SPF, DKIM, and DMARC record analysis. Find gaps in your email authentication before attackers exploit them for phishing.
Cookie security audit
HttpOnly, Secure, SameSite, Path, Domain, and prefix checks for every cookie. Spot session hijacking and CSRF risks instantly.
Deep CSP analysis
Directive-by-directive breakdown of your Content Security Policy. Identifies unsafe-inline, overly broad wildcards, and missing directives.
CORS header review
Checks Access-Control-Allow-Origin, credentials settings, and exposed headers to flag overly permissive cross-origin configurations.
PDF security reports
Download a professional, shareable report with your full scan results, letter grade, and prioritized recommendations.
API access that is here to stay
Snyk announced that the SecurityHeaders.com API will be discontinued in April 2026. The free web scanner is expected to stay available, but teams that rely on the API for automated scanning, CI/CD pipelines, or compliance workflows will need to switch to a different provider.
With the SecurityHeaders.com API winding down, teams that depend on automated header checks need a reliable replacement. The SiteSecurityScore REST API is built for exactly that. It returns structured JSON for every scan, covering security headers, deep CSP analysis, TLS, DNS, cookies, CORS, and security.txt in a single request, and it powers free continuous daily monitoring with email alerts so your posture stays graded long after the first scan.
curl -X POST https://www.sitesecurityscore.com/api/scan \
-H "x-api-key: sss_your_api_key_here" \
-H "Content-Type: application/json" \
-d '{"url": "example.com"}'Use it in CI/CD pipelines, scheduled monitoring, compliance dashboards, or any workflow that previously relied on the SecurityHeaders API. API keys are managed through your account dashboard with up to five active keys.
View API documentationFree security header generators
Knowing which headers are missing is only half the job. You also need correct values. SiteSecurityScore includes free generator tools that produce copy-paste configurations for your web server.
Scan pages behind login walls
Chrome Extension
Server-side scanners (including SecurityHeaders.com) can only reach publicly accessible URLs. The SiteSecurityScore browser extension captures real response headers from your authenticated sessions. Scan admin panels, internal dashboards, and staging environments with one click.
Try a free scan right now
Enter any URL and get a full security analysis covering headers, CSP, TLS, DNS, and cookies. No account required.
Start scanningFrequently asked questions
Is SiteSecurityScore a free alternative to SecurityHeaders.com?
Yes, and it goes far beyond headers. SiteSecurityScore is free, instant, and needs no account. One scan grades your security headers, deep CSP analysis, TLS, DNS, cookies, CORS, and security.txt, then hands you copy and paste fixes in seconds. Free continuous daily monitoring with email alerts, a REST API, a Chrome extension, and an MCP connector for Claude Code and ChatGPT Codex are all included.
What does SiteSecurityScore check that SecurityHeaders.com does not?
SiteSecurityScore goes beyond HTTP response headers. It also analyzes TLS/SSL configuration, DNS security records (SPF, DKIM, DMARC), cookie security attributes (HttpOnly, Secure, SameSite), deep CSP policy analysis, and generates downloadable PDF reports.
Does SiteSecurityScore have an API?
Yes. SiteSecurityScore provides a REST API that returns structured JSON results for automated security scanning, CI/CD pipeline integration, and compliance workflows. API keys are available through your account dashboard.
Can SiteSecurityScore scan pages behind a login?
Yes. The SiteSecurityScore Chrome extension captures real response headers from your authenticated browser sessions, letting you scan dashboards, admin panels, and internal tools that server-side scanners cannot reach.
Is the SecurityHeaders.com API being discontinued?
Snyk announced that the SecurityHeaders.com API will be discontinued in April 2026. The free web interface is expected to remain available, but teams relying on the API for automated scanning will need to migrate to an alternative like SiteSecurityScore.