Pricing

Pay per usage

Security Headers Scanner

Grade any website's HTTP security headers — letter grade (A+ to F), severity breakdown, per-header pass/weak/missing status, and copy-paste config snippets for Nginx, Apache, Express, and Cloudflare. Port of the 33-user Chrome extension to a programmatic API.

Pricing

Pay per usage

Rating

0.0

(0)

Developer

Coleton Patton

Actor stats

Bookmarked

Total users

Monthly active users

2 days ago

Last modified

Use cases

Pre-launch security audit — grade a staging site before going live
Compliance dashboards — feed grades into your SOC2 / ISO27001 evidence pipeline
Vendor security review — score third-party services your stack depends on
Hosting provider QA — check that your edge config actually shipped the headers you configured

Input

{
  "url": "https://example.com"
}

Or batch mode:

{
  "urls": [
    "https://example.com",
    "https://stripe.com",
    "https://github.com"
  ]
}

Max 1000 URLs per run.

Output (per URL)

{
  "url": "https://example.com",
  "finalUrl": "https://example.com",
  "httpStatus": 200,
  "grade": "B",
  "percentage": 74,
  "score": 67,
  "maxScore": 90,
  "criticalIssues": 1,
  "importantIssues": 1,
  "optionalIssues": 0,
  "headers": [
    {
      "name": "Content-Security-Policy",
      "status": "weak",
      "value": "script-src 'self' 'unsafe-inline'",
      "severity": "critical",
      "deprecated": false,
      "recommendation": "Set a restrictive policy..."
    }
    /* ... 9 more ... */
  ],
  "rawHeaders": { "...": "..." },
  "plainTextReport": "Security Headers Report\nURL: ...",
  "scannedAt": "2026-05-15T22:00:00.000Z",
  "scannerVersion": "1.3.0"
}

Headers checked

Ten security-relevant HTTP response headers:

Header	Severity	Weight
Content-Security-Policy	critical	15
Strict-Transport-Security	critical	15
X-Content-Type-Options	important	10
X-Frame-Options	critical	10
Referrer-Policy	important	8
Permissions-Policy	important	8
Cross-Origin-Opener-Policy	optional	7
Cross-Origin-Resource-Policy	optional	7
Cross-Origin-Embedder-Policy	optional	7
X-XSS-Protection (deprecated)	optional	3

Grading

A+ (95-100%) — top-tier, exceeds best practices
A (85-94%) — strong, minor gaps
B (70-84%) — adequate, weak in 2-3 areas
C (55-69%) — incomplete, multiple missing headers
D (40-54%) — significant gaps
F (< 40%) — no meaningful security headers

Evaluator strictness (v1.3.0)

This version uses the strict evaluators that match Mozilla Observatory and securityheaders.com baselines:

Content-Security-Policy with 'unsafe-inline' OR 'unsafe-eval' → weak
Referrer-Policy values outside the strict allowlist (e.g. origin, no-referrer-when-downgrade) → weak
Permissions-Policy with any wildcard * directive → weak

Earlier scanner versions were more lenient. If you're comparing against scans from before May 2026, expect some grades to drop — these are corrections, not regressions in your security posture.

Pricing

Free tier: 100 scans/month
Standard: $0.005 per URL scanned
Subscription: $19/month for 10,000 scans

Author

Built and maintained by Peak Post. Open source code at peakpost.ca.

Security Headers Checker API - HTTP Security Scanner

pink_comic/security-headers-checker

Security Headers Checker API for bulk HTTP security scans. Audit HSTS, CSP, X-Frame-Options, referrer and permissions policies, missing headers, website hardening gaps, and compliance posture. Returns grades, findings, and header evidence for security audits.

Ava Torres

CSS Variables Inspector

pattonholdings/css-variables-inspector

Extracts every CSS custom property (--var-name) declared or referenced on a webpage. Returns properties grouped by :root and other selectors, plus var() references with no matching declaration. For design-system audits, theme migrations, brand-token extraction.

Coleton Patton

Website Tech Stack Detector — 100+ Technologies

ryanclinton/website-tech-stack-detector

Identify the technologies, frameworks, and services running on any website. Website Tech Stack Detector crawls one or more URLs, inspects HTTP headers, HTML meta tags, script sources, and body content, then matches them against a fingerprint database of 106 web technologies across 17 categories.

Ryan Clinton

Bug Bounty Recon Scanner

iamuendo/Bug-Bounty-Recon-Scanner

Find exposed admin panels, missing/weak security headers, sensitive file leaks, and HTTPS misconfigurations across target domains. Export prioritised risk scores and JSON reports. Run via API, schedule scans, or integrate with bug bounty tools.

Isaac Muendo

Free Domain Technology Stack Scanner

s-r/free-domain-technology-stack-scanner

Detect the complete technology stack of any website. Identifies ecommerce platforms (Shopify, WooCommerce, Magento), CMS (WordPress, Contentful), JS frameworks (React, Next.js, Vue), analytics (GA4, GTM), payment providers (Stripe, PayPal, Klarna), hosting/CDN, SSL certificates.

GDPR & Privacy Cookie Scanner

andok/gdpr-cookie-scanner

Scan websites to identify tracking cookies and third-party scripts. Automate privacy compliance and GDPR audits.

Andok

SSL Cipher Suite & Security Scanner

andok/ssl-cipher-checker

Audit TLS versions and negotiated cipher suites for a list of domains to ensure compliance and robust web security.

Andok

🛡️ Security Headers Checker

taroyamada/security-headers-checker

Audit HTTP security headers in bulk across hundreds of websites. Extract OWASP compliance grades and detect missing HSTS or CSP directives instantly.

naoki anzai

Public Security Headers & Cookie Surface Audit Agent

jacksu/public-security-headers-audit-agent

Audit public HTTP response security headers, HTTPS redirect behavior, and cookie attribute exposure without scanning, attacking, or storing cookie values.

jack su

OSINT Website Intelligence Analyzer

onescales/website-intelligence-analyzer-osint

All-in-one website analysis tool. Run 30 OSINT checks on any URL — DNS, SSL, WHOIS, tech stack, security headers, email security, open ports, and more. Get a complete site profile in seconds.