It has been one of the most commonly requested features for a long time, and finally I'm happy to announce that it's here, the Security Headers API!!!


Security Headers API

I know, I know, it took me too long! If you want to dive right in, head over to the site now to grab yourself an API key and you can get scanning within minutes. The website will continue to be free for absolutely anyone to use, and I'd love to do the same for the API, but I've had to introduce a very small cost to cover the basics. Don't worry though, if you want to monitor a handful of your sites on a daily basis, you will comfortably get by on only $2.99/mo for your API key!

Use the code 15FORLIFE at checkout within 7 days of the API launching to get 15% off for the lifetime of your subscription as a thanks from me!

Update 2nd Feb 2023: I've extended this code until 9th Feb 2023 for those who need time to get corporate cards/approval!

Our API Documentation page gives details on how to get started with a scan, but it's really simple.

GET https://api.securityheaders.com/?q=scotthelme.co.uk&hide=on&followRedirects=on
x-api-key: {your key here}

A GET request with your API key in the x-api-key request header is all that's needed; note that all three query string parameters are required too. q is the domain/URL to scan, hide controls whether your scan is shown on the site homepage, and followRedirects indicates whether you want us to follow redirect status codes in the 3xx range. Easy!
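Here is that request as a small Python client. This is an added example and not the service's own client library; the environment variable name and the "off" values for the two flags are assumptions (the post only shows "on"). The point worth noting is that the key travels in a request header rather than the URL, so it stays out of proxy and web server access logs.

```python
"""Tiny client for the Security Headers API request shown in the post.
Added example, not the service's own client: the environment variable
name and the 'off' values for the two flags are assumptions (the post only
shows 'on')."""
import os
import urllib.parse
import urllib.request

API_ENDPOINT = "https://api.securityheaders.com/"


def build_scan_request(target: str, api_key: str, hide: bool = True,
                       follow_redirects: bool = True) -> urllib.request.Request:
    """Build the GET request: all three query parameters are required, and
    the key goes in the x-api-key header rather than the URL, so it stays
    out of access logs and browser history."""
    params = {
        "q": target,
        "hide": "on" if hide else "off",                         # 'off' assumed
        "followRedirects": "on" if follow_redirects else "off",  # 'off' assumed
    }
    url = API_ENDPOINT + "?" + urllib.parse.urlencode(params)
    return urllib.request.Request(url, headers={"x-api-key": api_key}, method="GET")


def scan(target: str, api_key: str, timeout: float = 30) -> tuple[int, str]:
    """Send the request and return (HTTP status, response body as text).
    urllib raises HTTPError for 4xx/5xx, e.g. when the key is rejected."""
    req = build_scan_request(target, api_key)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Hypothetical environment variable name; keeps the key out of source code.
    key = os.environ["SECURITYHEADERS_API_KEY"]
    status, body = scan("scotthelme.co.uk", key)
    print(status, body[:200])
```

Run it with the key exported in the environment; `build_scan_request` can be used on its own to check the exact URL your monitoring job will send before it goes anywhere near production.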

The site remains free to use!

This was a really important one for me so I wanted to make it absolutely clear, the website will remain completely free to use for anyone that wants to use it! The only way that it's possible to operate, maintain and update the site regularly, whilst remaining free to use, is with the support of our sponsor, Probely, who you can see on the website.

They're hugely aligned with what we do at Security Headers, offering Web Application and API vulnerability scanning themselves, and they didn't want any pesky tracking cookies/ads/js or other unsavoury things, and they were satisfied with the prominent yet subtle addition of their logo in the top corner. All in all, I'm really happy that the relationship is continuing and if you appreciate Security Headers remaining free, maybe check out their site to show your support.

Context is important

There are a great many support requests that we get at Security Headers HQ that revolve around the same common theme: "My site got grade X but I don't think that's right because [reason]!"

In an effort to streamline and try to make the answers to many common questions more clear, we've first of all added some new warnings and behaviour to the results page to help out.

content-type

If the content-type of the response indicates anything other than HTML, we now add a warning to advise that not all headers may be appropriate. For example, on a response that provides content-type: application/json, it's understandable that some headers would not be set and the following warning would appear:

status

The status code of a response can vary widely and often, a server will set different response headers based on the status code. For example, if you scan a URL and make a typo in the path, resulting in a 404, your server may not set all/any of your specified response headers, resulting in a poor grade. In scenarios where the server returns a status code that indicates an error, you will now see the following warning:

Another really common issue is for our scan to be blocked for some reason, resulting in a 403 status code and, again, most likely none of your Security Headers being set. We now output an additional warning when it looks like our scan was blocked so you can investigate:

If our scan is blocked, you can check our FAQ page for details on our IPv4/IPv6 addresses to allow them, or on how to identify us by our User Agent string used for scanning.

Scoring Criteria

I've been open in the past about the scoring criteria for the grades you can achieve in a Security Headers scan and I want to continue that. Some recent changes have taken place that impact your score, and they're all detailed here in their own blog posts, but there isn't a single location to get a clear view of the whole criteria, so here it is!

At present, the maximum haul of points available for a scan is 160 and you can score points with the following security features being properly deployed:

Security Feature             Points
https                        30
strict-transport-security    25
content-security-policy      25
x-frame-options              20
x-content-type-options       20
referrer-policy              20
permissions-policy           20

Depending on your score, you're then awarded your grade based on the % of the total points available that you achieve. The score for each individual security feature may increase or decrease over time, and items have been added to, or completely removed from, the list too. Here's the grading criteria for your score:

% of points    Grade
95 - 100       A+
75 - 95        A
60 - 74        B
50 - 59        C
29 - 49        D
14 - 28        E
0 - 13         F
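To make the criteria concrete, here is a worked scoring example that applies the points table and grade thresholds above to a captured response, and also produces the content-type, error-status and blocked-scan warnings described in the "Context is important" section. This is an added illustration, not the scanner's own code: "properly deployed" is simplified here to "header present with a non-empty value" (the real scanner inspects the values), the warning wording is made up, and the sample responses are constructed.

```python
"""Worked example of the Security Headers scoring criteria from the post.
Added illustration, not the scanner's own code: the 'properly deployed'
check is simplified to 'header present and non-empty', and the warning
texts are made up here."""
from dataclasses import dataclass

# Points per security feature, as published in the post (160 in total).
POINTS = {
    "https": 30,
    "strict-transport-security": 25,
    "content-security-policy": 25,
    "x-frame-options": 20,
    "x-content-type-options": 20,
    "referrer-policy": 20,
    "permissions-policy": 20,
}
MAX_POINTS = sum(POINTS.values())  # 160

# Grade thresholds (% of MAX_POINTS), highest first. A+ is tested before A,
# which is how the 95% boundary shared by both rows in the post resolves.
GRADES = [(95, "A+"), (75, "A"), (60, "B"), (50, "C"), (29, "D"), (14, "E"), (0, "F")]

HTML_TYPES = {"text/html", "application/xhtml+xml"}


@dataclass
class ScanResponse:
    """What the scanner saw: final URL, status code and response headers."""
    url: str
    status: int
    headers: dict


def _lower_headers(resp: ScanResponse) -> dict:
    return {k.lower(): v for k, v in resp.headers.items()}


def score(resp: ScanResponse) -> tuple[int, list[str]]:
    """Return (points earned, features credited) for a response."""
    headers = _lower_headers(resp)
    earned, credited = 0, []
    if resp.url.lower().startswith("https://"):
        earned += POINTS["https"]
        credited.append("https")
    for name, pts in POINTS.items():
        if name == "https":
            continue
        # Simplification: presence with a non-empty value earns the points.
        if headers.get(name, "").strip():
            earned += pts
            credited.append(name)
    return earned, credited


def grade(earned: int) -> str:
    """Map points earned to a letter grade by % of the 160 available."""
    pct = 100 * earned / MAX_POINTS
    for threshold, letter in GRADES:
        if pct >= threshold:
            return letter
    return "F"


def context_warnings(resp: ScanResponse) -> list[str]:
    """The results-page warnings the post describes, as plain strings."""
    headers = _lower_headers(resp)
    warnings = []
    media_type = headers.get("content-type", "").split(";")[0].strip().lower()
    if media_type and media_type not in HTML_TYPES:
        warnings.append(f"non-html content-type ({media_type}): not all headers may be appropriate")
    if resp.status == 403:
        warnings.append("403 returned: the scan may have been blocked, check your allow list")
    elif resp.status >= 400:
        warnings.append(f"error status {resp.status}: the server may not set its usual headers")
    return warnings


def report(resp: ScanResponse) -> dict:
    earned, credited = score(resp)
    return {"score": earned, "grade": grade(earned), "credited": credited,
            "warnings": context_warnings(resp)}


if __name__ == "__main__":
    # Constructed sample responses, not real scan output.
    good = ScanResponse("https://example.com/", 200, {
        "Content-Type": "text/html; charset=utf-8",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Content-Security-Policy": "default-src 'self'",
        "X-Frame-Options": "DENY",
        "X-Content-Type-Options": "nosniff",
        "Referrer-Policy": "strict-origin-when-cross-origin",
        "Permissions-Policy": "camera=(), microphone=()",
    })
    typo = ScanResponse("https://example.com/wrong-path", 404, {"Content-Type": "application/json"})
    for r in (good, typo):
        print(r.url, report(r))
```

The second sample shows the scenario from the "status" section: a mistyped path returns a 404 with none of the security headers, so the page only earns the 30 HTTPS points (an E), and the two warnings tell you the grade reflects the error page rather than your real configuration.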

Other updates

All of the other work that's taken place won't be visible to users from the outside. We're now running a new OS version and a new PHP version on the servers, along with various code optimisations and changes to better support the scan results being returned via the API. You might notice a slightly faster response for scan results and whilst a nice side-effect, the main goal was to ensure stability and longevity for the operation of the service.