
securityheaders.com

service securityauditheadersciprimary


Role

External audit of HTTP response security headers — runs Scott Helme's grading rubric (CSP, HSTS, X-Frame-Options, etc.) and returns A+ → F. Used as a CI gate on every PR: if the grade drops below A, the PR fails.

Free tier

Card / subscription required?

NO. Email sign-up for an API key. No payment method requested.

How CI consumes it

The per-site ci.yml runs after the Cloudflare Pages preview deploy lands. A small step sends the preview URL to securityheaders.com's API (a GET with the URL in the q query parameter) and parses the JSON response:

- name: Audit security headers (securityheaders.com)
  run: |
    set -euo pipefail
    # -G with --data-urlencode encodes the preview URL as the q= parameter, so
    # characters such as & or # in $PREVIEW_URL cannot corrupt the query string.
    # -f plus pipefail turns an HTTP error or API outage into a failed step
    # instead of an empty grade that might be misread.
    grade=$(curl -sfG "https://securityheaders.com/" \
      --data-urlencode "q=$PREVIEW_URL" \
      --data-urlencode "hide=on" \
      --data-urlencode "followRedirects=on" \
      -H "x-api-key: $SECURITYHEADERS_API_KEY" \
      -H "Accept: application/json" | jq -r '.grade')
    echo "Grade: $grade"
    # Only A+ or A passes; an empty or "null" grade falls through to exit 1.
    case "$grade" in A+|A) echo "ok";; *) exit 1;; esac

SECURITYHEADERS_API_KEY lives in Doppler and syncs to GitHub Actions as a secret.
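The gate above only sees a letter grade, so a developer who wants to know why a preview is going to fail has to open the report. The following is an added example (not code from this page or from securityheaders.com) of a local pre-flight check that mirrors the gate: it parses the API JSON the same way the ci.yml step does (failing closed on a missing or malformed grade), lists which of the scored headers a response is missing, and estimates a grade. The header list and the "one letter per missing header" estimate are assumptions about the rubric, not its actual algorithm; the A+/A pass threshold is the one from the ci.yml step. The response headers below are constructed samples.

```python
"""Local pre-flight mirror of the securityheaders.com CI gate (added example).

Assumptions, not taken from the page: REQUIRED_HEADERS is the set of headers
the securityheaders.com rubric scores, and approximate_grade() drops one letter
per missing header. PASSING_GRADES matches the ci.yml case statement.
"""
import json

# Assumed list of headers the rubric scores (lower-case for comparison).
REQUIRED_HEADERS = (
    "strict-transport-security",
    "content-security-policy",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
    "permissions-policy",
)

# Same threshold as `case "$grade" in A+|A)` in ci.yml.
PASSING_GRADES = {"A+", "A"}

# Constructed sample responses: a typical default deploy and a hardened one.
WEAK_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
}

HARDENED_HEADERS = {
    "Content-Type": "text/html; charset=utf-8",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}


def missing_headers(headers):
    """Return the scored headers absent from a response (names compared case-insensitively)."""
    present = {name.lower() for name in headers}
    return [h for h in REQUIRED_HEADERS if h not in present]


def approximate_grade(headers):
    """Assumed estimate: A+ with every scored header set, one letter lower per missing header."""
    scale = ["A+", "A", "B", "C", "D", "E", "F"]
    missing = len(missing_headers(headers))
    return scale[min(missing, len(scale) - 1)]


def grade_from_api_json(body):
    """Extract .grade from the securityheaders.com JSON, as the ci.yml jq step does.

    Fails closed: a malformed body or a missing/empty grade returns None, which
    gate_passes() treats as a failure, so a broken API call cannot pass the gate.
    """
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return None
    grade = data.get("grade") if isinstance(data, dict) else None
    return grade if isinstance(grade, str) and grade else None


def gate_passes(grade):
    """The CI decision: only A+ or A lets the PR through."""
    return grade in PASSING_GRADES


if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        grade = approximate_grade(hdrs)
        print(f"{label}: estimated {grade}, gate {'passes' if gate_passes(grade) else 'FAILS'}, "
              f"missing {missing_headers(hdrs) or 'nothing'}")
    # Constructed API bodies: one healthy, one broken.
    for body in ('{"grade": "A+"}', "<html>502 Bad Gateway</html>"):
        print(f"API body {body!r}: gate {'passes' if gate_passes(grade_from_api_json(body)) else 'FAILS'}")
```

Run it before pushing to see which headers a preview is missing; the estimate is only a hint, and the securityheaders.com grade in CI remains the authority.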

What it grades

Alternatives

Swap cost

Low — Mozilla Observatory's CLI grades the same headers slightly differently. Already running both, so dropping one keeps coverage.

Why this is our pick

Free, well-known industry rubric, simple JSON API, runs in CI in under 5 seconds. Pairs with Mozilla Observatory for double coverage.

Cross-refs