SecurityHeaders.com is the header specialist
Scott Helme, a respected security researcher, built securityheaders.com in 2015 after writing extensively about HTTP security headers. It became the de facto standard for header grading. The site checks all the standard security headers:
- Strict-Transport-Security (HSTS)
- Content-Security-Policy (CSP)
- X-Frame-Options
- X-Content-Type-Options
- Referrer-Policy
- Permissions-Policy (formerly Feature-Policy)
- Cross-Origin-Opener-Policy (COOP)
- Cross-Origin-Embedder-Policy (COEP)
- Cross-Origin-Resource-Policy (CORP)
It grades from A+ to F. The A+ grade has become a widely-shared badge. You'll see it in countless README files, company security pages, and conference talks.
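As an added illustration of presence-plus-configuration grading over the headers listed above (example code, not SecurityHeaders.com's or ismycodesafe.com's own; the one-year HSTS threshold, the letter-grade cut-offs and the `GOOD`/`WEAK` sample responses are assumptions constructed for this page):

```python
# Offline header grader for the headers listed above. Added example, not SecurityHeaders.com's or
# ismycodesafe.com's own code; the thresholds and letter-grade cut-offs are assumptions for illustration.
import re
ONE_YEAR = 31536000  # seconds; assumed minimum HSTS max-age for a pass

def _hsts(v):
    m = re.search(r"max-age=(\d+)", v, re.I)
    return None if m and int(m.group(1)) >= ONE_YEAR else "max-age missing or below one year"

def _csp(v):
    # 'unsafe-inline' is tolerated only alongside a nonce or hash source, which CSP3 browsers prefer
    s = v.lower()
    if "'unsafe-inline'" in s and "nonce-" not in s and "sha256-" not in s:
        return "allows 'unsafe-inline' without nonce or hash"
    return None

CHECKS = {  # core headers: each validator returns None when correctly configured, otherwise a reason
    "strict-transport-security": _hsts,
    "content-security-policy": _csp,
    "x-frame-options": lambda v: None if v.upper() in ("DENY", "SAMEORIGIN") else "must be DENY or SAMEORIGIN",
    "x-content-type-options": lambda v: None if v.lower() == "nosniff" else "must be nosniff",
    "referrer-policy": lambda v: "unsafe-url leaks full URLs" if "unsafe-url" in v.lower() else None,
    "permissions-policy": lambda v: None,  # presence is enough for this example
}
# Cross-origin isolation headers (COOP, COEP, CORP): counted for presence only.
BONUS = ("cross-origin-opener-policy", "cross-origin-embedder-policy", "cross-origin-resource-policy")

def evaluate(headers):
    """Return (core_passed, bonus_present, findings) for a response-header dict (names case-insensitive)."""
    h = {k.lower(): v for k, v in headers.items()}
    reasons = {n: ("missing" if n not in h else c(h[n])) for n, c in CHECKS.items()}
    findings = [f"{n}: {r}" for n, r in reasons.items() if r]
    return len(CHECKS) - len(findings), sum(1 for b in BONUS if b in h), findings

def grade(headers):
    """Assumed scale: all core headers correct is A; with all three bonus headers also present, A+."""
    passed, bonus, _ = evaluate(headers)
    if passed == len(CHECKS):
        return "A+" if bonus == len(BONUS) else "A"
    return {5: "B", 4: "C", 3: "D", 2: "E"}.get(passed, "F")

GOOD = {  # constructed sample: a well-configured response
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-abc123'",
    "X-Frame-Options": "DENY", "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin", "Permissions-Policy": "camera=()",
    "Cross-Origin-Opener-Policy": "same-origin", "Cross-Origin-Embedder-Policy": "require-corp",
    "Cross-Origin-Resource-Policy": "same-origin",
}
WEAK = {  # constructed sample: present but misconfigured, with two core headers missing
    "Strict-Transport-Security": "max-age=300", "Content-Security-Policy": "default-src * 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff", "Referrer-Policy": "unsafe-url",
}
```

Point `evaluate()` at the headers from a real response (for example `requests.get(url).headers`) and the findings list tells you which header to fix first.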
What it does really well
- Clean, focused UI: No clutter, just header analysis
- Historical tracking: Scan history shows improvements over time
- Public URLs: Every scan result is a shareable link
- API access: Programmatic scanning with rate limits
- Recognized scoring: A+ grade is a recognized security badge
What ismycodesafe.com includes beyond headers
We check every header SecurityHeaders.com checks. We use the same grading logic (header presence + configuration correctness). Then we add:
- SSL/TLS deep analysis: SSLyze-powered cipher and protocol testing
- OWASP Top 10 mapping: Findings categorized by OWASP 2021
- CVE detection: NVD + OSV + retire.js for tech stack and JS libraries
- 53 sensitive file paths: .env, .git, backups, CI configs
- Threat intelligence: VirusTotal, PhishTank, AlienVault OTX, URLhaus, Spamhaus
- Shodan InternetDB: Port scan and CVE lookup for server IP
- Certificate Transparency: Subdomain discovery via crt.sh
- urlscan.io: Technology detection, DOM analysis, geolocation
- DNS security: SPF, DMARC, DKIM, CAA, MTA-STS, TLS-RPT
The one scan philosophy
The reason to use ismycodesafe.com over SecurityHeaders.com isn't that we grade headers better. We grade them the same way. The reason is that security isn't just headers.
A site can get A+ on SecurityHeaders.com and still be hackable because:
- Its .env file is publicly accessible
- Its jQuery version has known XSS vulnerabilities
- Its TLS configuration still accepts the deprecated TLS 1.0 protocol
- Its admin panel is at /admin with default credentials
- Its database port is exposed to the internet
SecurityHeaders.com won't catch any of these. It's not designed to.
Using both
SecurityHeaders.com is excellent for one specific use case: getting your header grade as high as possible and having a shareable link to prove it. ismycodesafe.com is better for weekly security audits covering the full picture.
Both are free. Use SecurityHeaders.com when you're actively tuning headers. Use ismycodesafe.com for comprehensive security monitoring.
Pricing
SecurityHeaders.com: Free with API rate limits. Scott Helme offers a paid tier for higher API rates and bulk scanning.
ismycodesafe.com: Free basic scan (all 160+ checks). $49 for premium AI-generated report. $150 for 30-min code security consultation.
Credit where it's due
Scott Helme has done more to popularize HTTP security headers than anyone. His blog and SecurityHeaders.com have probably prevented thousands of XSS and clickjacking attacks. If you're not following his blog, you should be.
We built ismycodesafe.com because we wanted comprehensive scanning, not because SecurityHeaders.com needed replacement. The two tools coexist and complement each other.
The honest summary
SecurityHeaders.com: The best HTTP header grader with a recognized A+ badge. Use it when you're tuning headers specifically.
ismycodesafe.com: Header grading plus 150+ other security checks in one scan. Use it for ongoing security audits.