SecurityHeaders.com API Is Shutting Down: Free Alternative for Header Scanning (2026)
What Happened: The Snyk Acquisition Chain
SecurityHeaders.com was created by Scott Helme as a free tool to check HTTP security headers on any website. It became the go-to resource for developers and security teams who needed a quick grade on their header configuration. Over the years, a paid API emerged alongside the free scanner, enabling automated scanning in CI/CD pipelines, compliance workflows, and security monitoring dashboards.
Then the acquisitions started. Probely, a Portuguese application security company, acquired securityheaders.com. Then Snyk acquired Probely. And in April 2026, Snyk announced that the securityheaders.com API is being shut down.
The free website scanner at securityheaders.com will continue to work for manual, one-off checks. But the programmatic API — the part that developers actually integrated into their toolchains — is going away.
Key point: The securityheaders.com website still works for manual scans. It is the API (programmatic access) that is being discontinued.
What This Means for Developers
If you were using the securityheaders.com API, several things break at once:
- CI/CD pipelines — If your deployment pipeline called the securityheaders.com API to verify headers before or after deploy, those checks will stop working. Deploys that relied on a passing grade to proceed will either fail or need the check removed entirely.
- Compliance automation — PCI DSS v4.0 Requirement 6.4.3 requires that scripts loaded on payment pages be authorized, integrity-assured, and inventoried; a Content-Security-Policy is one of the usual controls for meeting it, and assessors expect evidence that it stays in place. If you used the securityheaders.com API to generate that evidence, you need a new source for it.
- Scheduled monitoring — Teams that ran nightly or weekly scans to detect header regressions lose that visibility. A misconfigured CDN or a server config change could silently remove HSTS or CSP without anyone noticing until the next penetration test.
- Vendor assessments — If you scanned third-party vendors programmatically to check their security posture, those workflows need a replacement API.
- Internal dashboards — Security teams that built dashboards pulling header grades from the securityheaders.com API will see those panels go blank.
The common thread: anything that depended on programmatic access to security header scanning is affected. Manual checks via the website still work, but manual checks do not scale.
DetectZeStack: A Drop-In Alternative
The DetectZeStack API includes a GET /security endpoint that grades security headers from A+ to F — the same kind of output the securityheaders.com API provided, but with structured JSON and per-header scoring.
Here is what the endpoint checks:
- Strict-Transport-Security (HSTS) — verifies presence, validates the `max-age` duration, checks for `includeSubDomains`
- Content-Security-Policy (CSP) — confirms the header is present with a defined policy, checks for `default-src`
- X-Frame-Options — validates a `DENY` or `SAMEORIGIN` value for clickjacking protection
- X-Content-Type-Options — checks for `nosniff` to prevent MIME-type sniffing
- Referrer-Policy — confirms a valid referrer policy is set
- Permissions-Policy — checks that browser feature access is restricted
- X-XSS-Protection — validates legacy XSS filter configuration (this header is deprecated; current browsers ignore it and the usual recommendation is `0` or omitting it, so do not add it just to raise a score)
- Cross-Origin-Opener-Policy — checks for cross-origin window isolation
Each header contributes a weighted score to the total. HSTS and CSP are worth 20 points each (the most critical). The remaining headers contribute 10–15 points. The maximum score is 130, and grades map as follows: A+ (110+), A (100–109), B (80–99), C (60–79), D (40–59), F (below 40).
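To make the scoring concrete, here is a local grader that applies the rules above to a set of response headers and produces the same `score`, `grade` and per-header `tests` shape as the `/security` response. This is an added example, not DetectZeStack's own code: the 20-point weights for HSTS and CSP, the 130-point maximum and the grade thresholds come from the text; the flat 15-point weight for the other six headers (so that 20 + 20 + 6 × 15 = 130) and the exact pass/fail rule used for each header are assumptions made here, and the two header sets at the bottom are constructed samples.

```python
"""Local security-header grader following the scoring rules described above.

Added example, not DetectZeStack's own code. HSTS/CSP weights, the 130-point
maximum and the grade bands come from the text; the 15-point weight for the
remaining headers and each header's pass/fail rule are assumptions made here.
"""
import re

WEIGHTS = {
    "strict-transport-security": 20,
    "content-security-policy": 20,
    "x-frame-options": 15,             # assumed weight
    "x-content-type-options": 15,      # assumed weight
    "referrer-policy": 15,             # assumed weight
    "permissions-policy": 15,          # assumed weight
    "x-xss-protection": 15,            # assumed weight
    "cross-origin-opener-policy": 15,  # assumed weight
}
MAX_SCORE = sum(WEIGHTS.values())  # 130

# (minimum score, grade), highest band first; anything below 40 is an F.
GRADE_BANDS = [(110, "A+"), (100, "A"), (80, "B"), (60, "C"), (40, "D")]

REFERRER_TOKENS = {
    "no-referrer", "no-referrer-when-downgrade", "origin",
    "origin-when-cross-origin", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}


def check_hsts(value):
    """Pass only with a positive max-age; includeSubDomains is reported, not scored (assumption)."""
    match = re.search(r'max-age\s*=\s*"?(\d+)', value, re.IGNORECASE)
    if not match:
        return False, "max-age directive missing"
    if int(match.group(1)) == 0:
        return False, "max-age=0 disables HSTS"
    subs = "includesubdomains" in value.lower()
    return True, "HSTS enabled" + ("" if subs else " (includeSubDomains absent)")


def check_csp(value):
    """Pass only when the policy declares a default-src fallback (assumption)."""
    if re.search(r"(^|;)\s*default-src\b", value, re.IGNORECASE):
        return True, "CSP with default-src"
    return False, "CSP present but default-src missing"


def check_referrer(value):
    """Accept a comma-separated fallback list as long as every token is a known policy."""
    tokens = [t.strip().lower() for t in value.split(",") if t.strip()]
    ok = bool(tokens) and all(t in REFERRER_TOKENS for t in tokens)
    return ok, "valid policy" if ok else "unrecognised policy value"


CHECKS = {
    "strict-transport-security": check_hsts,
    "content-security-policy": check_csp,
    "x-frame-options": lambda v: (v.upper() in {"DENY", "SAMEORIGIN"}, v.upper()),
    "x-content-type-options": lambda v: (v.lower() == "nosniff", v.lower()),
    "referrer-policy": check_referrer,
    "permissions-policy": lambda v: (bool(v), "feature access restricted" if v else "empty value"),
    # Legacy header: only the safe "0" or the historical "1; mode=block" pass (assumption).
    "x-xss-protection": lambda v: (re.sub(r"\s", "", v.lower()) in {"0", "1;mode=block"}, v),
    "cross-origin-opener-policy": lambda v: (v.lower() in {"same-origin", "same-origin-allow-popups"}, v.lower()),
}


def letter_grade(score):
    for floor, grade in GRADE_BANDS:
        if score >= floor:
            return grade
    return "F"


def grade_headers(headers):
    """Score a dict of response headers (names case-insensitive) in the /security response shape."""
    lowered = {k.lower().strip(): v.strip() for k, v in headers.items()}
    tests, score = {}, 0
    for name, weight in WEIGHTS.items():
        value = lowered.get(name)
        if value is None:
            tests[name] = {"pass": False, "score_modifier": 0, "result": "header missing", "value": ""}
            continue
        passed, result = CHECKS[name](value)
        modifier = weight if passed else 0
        score += modifier
        tests[name] = {"pass": passed, "score_modifier": modifier, "result": result, "value": value}
    return {"score": score, "max_score": MAX_SCORE, "grade": letter_grade(score), "tests": tests}


# Constructed sample header sets, not real scan data.
WEAK_HEADERS = {"Content-Type": "text/html", "X-Content-Type-Options": "nosniff"}
HARDENED_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "X-XSS-Protection": "0",
    "Cross-Origin-Opener-Policy": "same-origin",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        report = grade_headers(hdrs)
        print(f"{label}: {report['grade']} ({report['score']}/{report['max_score']})")
```

One consequence of the stated thresholds is worth keeping in mind when you set a CI gate: a site with every header except CSP scores 130 − 20 = 110, which is still an A+, and a site missing both HSTS and CSP scores 90, a B. A gate on the letter grade alone therefore does not enforce the two headers the text calls most critical; check the per-header `pass` flags for those as well.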
Quick Start: Replace SecurityHeaders.com API in 60 Seconds
Get a free API key from RapidAPI (no credit card required), then run:
```bash
curl -s "https://detectzestack.p.rapidapi.com/security?url=example.com" \
  -H "x-rapidapi-key: YOUR_API_KEY" \
  -H "x-rapidapi-host: detectzestack.p.rapidapi.com" | python3 -m json.tool
```
The response includes the grade, the numeric score, and a per-header breakdown:
```json
{
  "url": "https://example.com",
  "domain": "example.com",
  "grade": "F",
  "score": 15,
  "max_score": 130,
  "scan_time_ms": 287,
  "cached": false,
  "tests": {
    "strict-transport-security": {
      "pass": false,
      "score_modifier": 0,
      "result": "HSTS header missing",
      "value": "",
      "info": "No Strict-Transport-Security header found"
    },
    "content-security-policy": {
      "pass": false,
      "score_modifier": 0,
      "result": "CSP header missing",
      "value": "",
      "info": "No Content-Security-Policy header found"
    },
    "x-content-type-options": {
      "pass": true,
      "score_modifier": 15,
      "result": "nosniff enabled",
      "value": "nosniff",
      "info": "MIME-type sniffing blocked"
    }
  }
}
```
To integrate into a CI/CD pipeline, check the grade field and fail the build if it drops below your threshold:
```bash
#!/bin/bash
# ci-security-headers-check.sh
# Fails closed: a failed request or an unparsable response counts as a failed check, and
# HSTS and CSP must pass individually, because the letter grade alone does not enforce them.
set -uo pipefail
RESPONSE=$(curl -sS --fail --max-time 30 \
  "https://detectzestack.p.rapidapi.com/security?url=${DEPLOY_URL}" \
  -H "x-rapidapi-key: ${RAPIDAPI_KEY}" \
  -H "x-rapidapi-host: detectzestack.p.rapidapi.com") || { echo "FAIL: scan request failed"; exit 1; }
# Extract "<grade> <hsts_pass> <csp_pass>" (e.g. "B True False"); empty if the JSON cannot be parsed.
PARSED=$(printf '%s' "$RESPONSE" | python3 -c 'import sys, json
r = json.load(sys.stdin); t = r["tests"]
print(r["grade"], t["strict-transport-security"]["pass"], t["content-security-policy"]["pass"])') || PARSED=""
read -r GRADE HSTS_OK CSP_OK <<< "$PARSED"
echo "Security headers grade: ${GRADE:-<none>} (HSTS pass: ${HSTS_OK:-?}, CSP pass: ${CSP_OK:-?})"
case "$GRADE" in
  A+|A|B|C) ;;
  *) echo "FAIL: Security headers grade is '${GRADE}'. Minimum required: C"; exit 1 ;;
esac
if [[ "$HSTS_OK" != "True" || "$CSP_OK" != "True" ]]; then
  echo "FAIL: HSTS or CSP check did not pass"; exit 1
fi
echo "PASS: Security headers check passed"
```
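A build gate catches a bad deploy, but the scheduled-monitoring case earlier on this page is about drift between scans: a CDN or server change that silently removes a header days after the deploy passed. The following added example (not DetectZeStack's own code) compares two `/security` responses for the same domain and reports any header that passed before and fails now. It assumes only the response shape shown above, a `grade` string and a `tests` map whose entries carry a boolean `pass`; the two scan payloads are constructed and abridged, not real scan output, and the `GRADE_ORDER` ranking and the `critical` header list are choices made here.

```python
"""Detect header regressions between two /security scans of the same domain.

Added example, not DetectZeStack's own code. Assumes only the response shape
shown on the page; the sample payloads below are constructed and abridged.
"""
import json

GRADE_ORDER = ["F", "D", "C", "B", "A", "A+"]  # assumed ranking, lowest first

# Constructed: last night's scan, and tonight's after a CDN change dropped HSTS.
# Losing the 20-point HSTS check takes 130 down to 110, which is still an A+,
# so a grade-only check would never notice.
PREVIOUS_SCAN = json.loads("""{
  "domain": "shop.example.com", "grade": "A+", "score": 130, "max_score": 130,
  "tests": {
    "strict-transport-security": {"pass": true, "score_modifier": 20, "value": "max-age=31536000; includeSubDomains"},
    "content-security-policy": {"pass": true, "score_modifier": 20, "value": "default-src 'self'"},
    "referrer-policy": {"pass": true, "score_modifier": 15, "value": "strict-origin-when-cross-origin"},
    "x-content-type-options": {"pass": true, "score_modifier": 15, "value": "nosniff"}
  }
}""")

CURRENT_SCAN = json.loads("""{
  "domain": "shop.example.com", "grade": "A+", "score": 110, "max_score": 130,
  "tests": {
    "strict-transport-security": {"pass": false, "score_modifier": 0, "value": ""},
    "content-security-policy": {"pass": true, "score_modifier": 20, "value": "default-src 'self'"},
    "referrer-policy": {"pass": true, "score_modifier": 15, "value": "strict-origin-when-cross-origin"},
    "x-content-type-options": {"pass": true, "score_modifier": 15, "value": "nosniff"}
  }
}""")


def grade_rank(grade):
    """Unknown or missing grades rank lowest, so they are always reported as a drop."""
    return GRADE_ORDER.index(grade) if grade in GRADE_ORDER else -1


def compare_scans(previous, current):
    """Headers that went pass -> fail, headers that went fail -> pass, and the grade movement."""
    prev_tests = previous.get("tests", {})
    cur_tests = current.get("tests", {})
    regressed = sorted(
        name for name, prev in prev_tests.items()
        if prev.get("pass") and not cur_tests.get(name, {}).get("pass")
    )
    improved = sorted(
        name for name, cur in cur_tests.items()
        if cur.get("pass") and not prev_tests.get(name, {}).get("pass")
    )
    return {
        "regressed": regressed,
        "improved": improved,
        "grade_before": previous.get("grade"),
        "grade_after": current.get("grade"),
        "grade_dropped": grade_rank(current.get("grade")) < grade_rank(previous.get("grade")),
    }


def alert_lines(previous, current, critical=("strict-transport-security", "content-security-policy")):
    """Human-readable alert lines for a notifier; an empty list means nothing regressed."""
    diff = compare_scans(previous, current)
    lines = []
    for name in diff["regressed"]:
        severity = "CRITICAL" if name in critical else "WARNING"
        before = previous["tests"][name].get("value", "")
        after = current.get("tests", {}).get(name, {}).get("value", "")
        lines.append(f"{severity}: {name} regressed ({before!r} -> {after!r})")
    if diff["grade_dropped"]:
        lines.append(f"WARNING: grade dropped {diff['grade_before']} -> {diff['grade_after']}")
    return lines


if __name__ == "__main__":
    for line in alert_lines(PREVIOUS_SCAN, CURRENT_SCAN):
        print(line)
```

In a nightly job you would persist each domain's last response (the JSON is small) and feed the stored and fresh payloads to `alert_lines`; a non-empty result is what should page someone, independent of whether the letter grade moved.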
Free tier: 100 requests/month, which covers a daily scan of a small set of domains (three domains scanned every day uses about 90 requests). Get your API key on RapidAPI; no credit card required.
SecurityHeaders.com vs DetectZeStack: Comparison
| Feature | SecurityHeaders.com | DetectZeStack |
|---|---|---|
| Free website scanner | Yes (still available) | Yes (detectzestack.com/security-headers) |
| Programmatic API | Shutting down April 2026 | Available now |
| Letter grading | A+ to F | A+ to F |
| Per-header results | Yes (HTML) | Yes (structured JSON) |
| Headers checked | 6 core headers | 8 headers (adds COOP, X-XSS-Protection) |
| Numeric scoring | No | Yes (0–130 scale) |
| Response format | HTML / limited JSON | Structured JSON |
| Free tier | N/A (API shutting down) | 100 requests/month |
| Paid plans | N/A | From $9/mo (1,000 req) |
| CI/CD integration | Was possible, now ending | curl + JSON parsing |
| Additional capabilities | Security headers only | Tech stack detection, DNS intelligence, SSL/TLS, change tracking |
Beyond Headers: What Else DetectZeStack Offers
The /security endpoint is one part of a broader API. If you are already making the switch from securityheaders.com, you might find these endpoints useful for building a more comprehensive security monitoring workflow:
- Technology detection (`GET /detect`) — identifies 7,200+ technologies including frameworks, CMS platforms, CDNs, and analytics tools. Useful for tracking what software your vendors run.
- Change tracking (`GET /changes`) — monitors when websites add, remove, or upgrade technologies. Catch it when a vendor swaps their CDN or removes their WAF.
- DNS intelligence (`GET /dns`) — reveals infrastructure details hidden behind proxies and CDNs.
- SSL/TLS certificate analysis (`GET /certificate`) — checks certificate validity, expiration, issuer, and configuration.
All endpoints share the same API key and the same free tier of 100 requests per month.
Migration Checklist
If you are moving from the securityheaders.com API to DetectZeStack, here is a step-by-step checklist:
- Get your API key — Sign up on RapidAPI (free, no credit card)
- Update the endpoint URL — Replace the securityheaders.com API URL with `https://detectzestack.p.rapidapi.com/security?url=DOMAIN`
- Update authentication headers — Add the `x-rapidapi-key` and `x-rapidapi-host` headers
- Update response parsing — The DetectZeStack response is structured JSON with `grade`, `score`, and `tests` fields. Map these to your existing logic.
- Test in staging — Run your updated pipeline against a known domain and verify the grade matches expectations
- Monitor request usage — The free tier is 100 requests/month. If you need more, upgrade to Pro ($9/mo for 1,000 requests) or higher.
For a detailed walkthrough of scanning headers with Python code examples, see How to Audit Security Headers with Python.
You can also try an interactive scan on the Security Headers page — no API key needed, no signup required.
Related Reading
- How to Audit Security Headers with Python — Grade any website A+ to F with Python code examples and bulk scanning
- Security Headers Scanner — Scan any domain interactively, no API key needed
- Security Audit Website Dependencies with CPE — Map detected technologies to the NVD vulnerability database
Replace the SecurityHeaders.com API Today
100 requests per month free. No credit card. Grade security headers A+ to F with structured JSON. Drop-in replacement for your existing workflows.
Get Your Free API Key