HTTPS, TLS, and the headers that protect your visitors

Looking for a SecurityHeaders.com alternative now the API is closing?

SecurityHeaders.com is one of the good ones. Scott Helme built it in 2015, it grades your HTTP response headers A+ to F, and for a decade it's been the fastest way to sanity-check whether you set Strict-Transport-Security and Content-Security-Policy correctly. If you just want a manual header grade, it still does that, and it's still free. Keep using it.

The reason you're probably here: the API is being retired. After Scott Helme's tool was acquired by Probely and then Snyk, Probely announced in April 2025 that the programmatic Security Headers API will be discontinued in April 2026. The free web scanner is expected to stay up; the API that teams wired into CI and monitoring is the part going away (Snyk's notice, as reported January 2026). If you were hitting that API on a schedule to track header drift across your sites, that automation path is closing, and you need somewhere else to point it.

So the real question isn't "what's another header grader." It's "what gives me header grading plus the parts of my surface SecurityHeaders.com was never built to check, ideally with the monitoring the API used to give me."

What SecurityHeaders.com checks, and what it doesn't

It's a single-URL header grader, and an honest one. It reads your response headers and grades the security-relevant ones: HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, plus your Set-Cookie flags and any information-leaking headers like Server or X-Powered-By. HSTS and CSP carry the most weight. For that job it's excellent and it's the reference standard.

What it does not do, because it was never meant to: it doesn't analyze your TLS certificate or cipher suites (that's Qualys SSL Labs), it doesn't check DNS or email authentication like SPF and DMARC, it doesn't look for secrets in your JavaScript or a reachable /.env, it doesn't scan for exposed admin panels or vulnerable libraries, and in the free web tool it doesn't monitor on a schedule or alert you. It grades one page's headers, once, when you ask.

A focused tool that does one thing well is worth having, and SecurityHeaders.com is exactly that. It just means your headers are one band of a much wider surface, and a header grade tells you nothing about the other bands.
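For teams that scripted the header check against the API, here is the shape of the same check done locally: an audit over the headers graded above plus a drift diff between two scans, which is what a scheduled API call gave you. This is an added example, not code from SecurityHeaders.com or SurfaceCheckr; the value tokens it requires, the sample headers, and the finding wording are this example's assumptions.

```python
# Headers the grader weights, with a token each value should contain
# (empty token: presence suffices); the tokens are this example's assumption.
EXPECTED = {
    "strict-transport-security": "max-age=",
    "content-security-policy": "default-src",
    "x-frame-options": "",
    "x-content-type-options": "nosniff",
    "referrer-policy": "",
    "permissions-policy": "",
}
LEAKY = ("server", "x-powered-by")

def audit_headers(headers):
    """Findings for (name, value) pairs: missing/weak headers, leaky headers, cookies lacking Secure/HttpOnly."""
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)
    findings = []
    for name, token in EXPECTED.items():
        if name not in by_name:
            findings.append(f"missing {name}")
        elif token and token not in by_name[name][0].lower():
            findings.append(f"weak {name}: {by_name[name][0]}")
    for name in LEAKY:
        for value in by_name.get(name, []):
            findings.append(f"leaks {name}: {value}")
    for cookie in by_name.get("set-cookie", []):
        flags = {p.strip().lower() for p in cookie.split(";")[1:]}
        for flag in ("secure", "httponly"):
            if flag not in flags:
                findings.append(f"cookie {cookie.split('=', 1)[0]} lacks {flag}")
    return findings

def header_drift(before, after):
    """Changes between two scans of one URL: '+' new finding, '-' resolved finding."""
    old, new = set(audit_headers(before)), set(audit_headers(after))
    return sorted("+ " + f for f in new - old) + sorted("- " + f for f in old - new)

# Constructed sample: a clean deploy, then one where a CDN change dropped HSTS
# and the app began advertising its framework.
GOOD = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("X-Frame-Options", "DENY"),
    ("X-Content-Type-Options", "nosniff"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
    ("Permissions-Policy", "camera=(), microphone=()"),
    ("Set-Cookie", "session=abc; Path=/; Secure; HttpOnly; SameSite=Lax"),
]
DRIFTED = [h for h in GOOD if h[0] != "Strict-Transport-Security"] + [("X-Powered-By", "Express")]
```

Feed it the raw header list your HTTP client returns and run `header_drift` against the previous scan's stored headers on whatever schedule the API call used to run on.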

The gap a single-purpose grader leaves

Here's the part worth seeing rather than reading. Mozilla's HTTP Observatory covers headers and adds cookies, CORS, and SRI. SSL Labs covers TLS and nothing else. SecurityHeaders.com covers headers. Each is deep in its lane and blind to the others, and none of them watches the things that actually leak credentials.

                        SSL Labs   SecurityHeaders   Observatory   One report
TLS / certificate       yes        -                 -             yes
Security headers        -          yes               yes           yes
Cookies, CORS, SRI      -          cookie flags      yes           yes
Secrets in JS bundle    -          -                 -             yes
Exposed .env, .git      -          -                 -             yes
SPF, DMARC, CAA         -          -                 -             yes
Subdomain takeover      -          -                 -             yes

Each free grader lights up its own band. The leak-grade findings sit in the rows none of them cover.

To cover your real external surface with these tools you'd run three of them, in three tabs, on no schedule, and still miss secrets, exposed files, and DNS. That was tolerable when you could at least script the header part against an API. With that API closing, the manual-tab approach is all the standalone graders leave you.

What to use instead

If headers are genuinely all you care about, keep using SecurityHeaders.com or Observatory by hand. They're free and they're good. No notes.

If you want the header grade and the rest of what an attacker reads off your site, in one graded report you can re-run on a schedule, that's the gap SurfaceCheckr fills. We grade the same headers (HSTS, CSP, X-Frame-Options, cookie flags, the information-leaking ones) and roll them together with TLS, CORS, SRI, secrets in your JavaScript, exposed files, and SPF/DMARC/CAA into one A-to-F result, then re-scan it so header drift and a newly leaked key both show up the same day. We're not claiming to out-grade Scott Helme's tool at headers; it's the standard and we measure against it. We're saying headers are one row of seven, and now that the easy way to automate that one row is going away, a single report that watches all seven is the move. You can run it on your domain right now and see every row at once.

Find it before someone else does.

Paste your domain. The grade and issue count are free, and you'll see in a couple of minutes exactly what's reachable from outside.