SecurityHeaders.com API discontinued April 2026. Mozilla Observatory archived. SecScanner is the free replacement — checks all the same headers and more.
SecurityHeaders Alternative — Free HTTP Security Headers Checker
The SecurityHeaders.com API shut down. Mozilla Observatory is archived. SecScanner checks all the same HTTP security headers — plus TLS, DNS, and content vulnerabilities. Free, instant, no signup required.
Results in seconds · Free · No credit card
Free scan · No signup required · No API key needed
What Happened to SecurityHeaders.com and Mozilla Observatory?
SecurityHeaders.com — API discontinued
In April 2026, Snyk (which acquired SecurityHeaders.com) shut down the paid API tier. Automation workflows, CI/CD integrations, and monitoring scripts that relied on the API stopped working. The web UI at securityheaders.com continues to function but no longer supports programmatic access.
Mozilla Observatory — archived
Mozilla archived the HTTP Observatory repository in 2025. The hosted service continues to run but receives no updates, bug fixes, or new security checks. The project is in maintenance-only mode and will eventually go offline. New web security standards (COOP, COEP, CORP) are not covered.
SecScanner is actively maintained — new checks are added regularly, the codebase is open for security audits, and the API is available on the Pro plan as a drop-in replacement for the discontinued SecurityHeaders API.
SecScanner vs SecurityHeaders.com vs Mozilla Observatory
SecScanner covers everything both tools offered — and adds TLS, DNS, email security, and content checks that neither had.
| Feature | SecScanner | SecurityHeaders | Mozilla Obs. |
|---|---|---|---|
| HTTP security headers (CSP, HSTS, X-Frame-Options…) | |||
| Cookie security flags (HttpOnly, Secure, SameSite) | |||
| Referrer-Policy & Permissions-Policy | |||
| Cross-Origin policies (COOP, COEP, CORP) | |||
| TLS/SSL certificate validation | |||
| Cipher suite & TLS version audit | |||
| HSTS preload readiness check | |||
| DNS security (SPF, DKIM, DMARC, DNSSEC) | |||
| Vulnerable JS library detection | |||
| Sensitive file exposure check | |||
| Continuous monitoring with alerts | |||
| Email & Slack notifications | |||
| API access | |||
| Actively maintained | |||
| Free to use |
HTTP Security Headers We Check
23 header checks total — a superset of SecurityHeaders.com and Mozilla Observatory combined. 12 run in every free scan; the rest (CORS, COOP/COEP/CORP) are part of Pro.
Content Security Policy (CSP)
Prevents XSS and data injection by controlling which resources can be loaded.
HTTP Strict Transport Security (HSTS)
Forces browsers to use HTTPS for your domain and prevents protocol downgrade attacks.
Frame Security Policy
Blocks your pages from being embedded in iframes on other sites, preventing clickjacking.
X-Content-Type-Options
Stops browsers from sniffing MIME types and executing files as a different type.
Referrer Policy
Controls how much referrer information is sent with requests from your site.
Permissions-Policy
Restricts access to browser features like camera, microphone, and geolocation.
Cross-Origin Opener Policy (COOP)
Isolates your browsing context from cross-origin documents.
Cross-Origin Embedder Policy (COEP)
Prevents a document from loading cross-origin resources without explicit permission.
Cross-Origin Resource Policy (CORP)
Blocks other sites from loading your resources in their pages.
Set-Cookie Headers
Verifies session cookies are protected with HttpOnly, Secure, and SameSite flags.
Access-Control-Allow-Origin (CORS)
Checks for overly permissive cross-origin request policies.
HSTS Preload Readiness
Evaluates whether your HSTS config meets browser preload list requirements.
Plus 39 more checks across TLS, DNS, email security, and content vulnerabilities
Browse all 62 security checksBeyond Security Headers
SecurityHeaders.com only checked HTTP response headers. SecScanner checks your entire security posture in one scan.
How to Migrate from SecurityHeaders.com
Run a free scan
Enter your domain at the top of this page. No account or API key needed. Results appear in under 60 seconds, including every header check SecurityHeaders.com graded.
Compare your header score
The scan report shows each header check as pass/fail with a risk level and specific fix instructions. Same information as SecurityHeaders.com, plus TLS and DNS results you didn't have before.
Replace API calls (Pro)
If you used the SecurityHeaders.com API in CI/CD or monitoring scripts, upgrade to Pro and use the SecScanner REST API at /api/v1/scans. POST a URL, get back JSON with check results — a direct replacement.
Set up continuous monitoring (optional)
Instead of running checks manually, add your site to SecScanner monitoring for daily or weekly automated scans with email or Slack alerts when anything changes.
Frequently Asked Questions
Is SecurityHeaders.com shutting down?
What happened to Mozilla Observatory?
How do I migrate from SecurityHeaders.com?
Does SecScanner check all the same headers as SecurityHeaders.com?
Is SecScanner free?
Does SecScanner have an API?
How does SecScanner compare to Mozilla Observatory?
Can I monitor headers automatically instead of checking manually?
More Free Security Checkers
Headers are just one layer. Explore the full toolkit.
Ready to Replace SecurityHeaders.com?
Free scan — 24 checks instant, 62 total on Pro, no account required. Or sign up to get continuous monitoring with daily alerts when your headers change.