Everything you need to scan, grade and harden your sites' security headers — quick start, feature map, FAQs and troubleshooting.
Paste any URL into the scanner on the homepage. You get an A+ to F grade, a per-header breakdown (CSP, HSTS, clickjacking, MIME sniffing, referrer and permissions policies, COOP/CORP), TLS certificate expiry, cookie flags and the DNS & Email Security posture — no account needed.
Sign up on /signup for a free key (10 scans per month, no credit card), or redeem a lifetime-deal coupon on /redeem — it activates Enterprise-level lifetime access and returns your key instantly. Keep the key secret; the dashboard never stores it server-side.
Send your key in the `X-API-Key` header (or as `Authorization: Bearer <key>`): `curl "https://headershield.dev/api/v1/scan?url=https://example.com" -H "X-API-Key: hsh_..."`. The full REST surface is described by the OpenAPI 3.1 document at /api/openapi.json.
Every finding carries its status (pass/warn/fail), points, a plain-English explanation and a copy-paste fixSnippet for Nginx, Apache, Cloudflare, Next.js and vercel.json. The dnsPosture section reports SPF, DMARC, DKIM, CAA and DNSSEC — each one found, missing or unknown (unknown = the DNS lookup did not complete, never a guess).
Paid plans can register monitors (POST /api/v1/monitors) so sites are re-scanned on a schedule, with email alerts and signed webhooks on downgrades (Premium+). Pull a branded HTML report from /api/v1/report, embed the public grade badge in your README, or wire the GitHub Action from /docs to fail builds below your grade threshold.
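As an added example (not HeaderShield's own client or GitHub Action code), the following Python script shows the two steps the quick start describes: building an authenticated GET /api/v1/scan request with the key in the X-API-Key header, and then gating a build on the returned grade the way the GitHub Action is described as doing. Only the endpoint, the header name, the A+ to F grade scale, the per-finding status/points/fixSnippet fields and the dnsPosture values (found/missing/unknown) come from the page; the exact JSON key names (`grade`, `url`, `findings`, `id`, `explanation`) and the sample response are assumptions constructed for the example.

```python
"""Added example: call the scan endpoint and gate a build on the grade.

Assumptions (not confirmed by the page): the response JSON uses the keys
"grade", "url", "findings" (with "id", "status", "points", "explanation",
"fixSnippet") and "dnsPosture". SAMPLE_SCAN below is a constructed payload,
not real scanner output, so the script runs offline.
"""
import urllib.parse
import urllib.request

SCAN_ENDPOINT = "https://headershield.dev/api/v1/scan"  # from the page


def grade_rank(grade: str) -> int:
    """Map an A+..F grade to a sortable number; lower is better.

    Any letter A-F with an optional trailing '+' is accepted, so the exact
    set of intermediate grades the service issues need not be assumed.
    """
    g = grade.strip().upper()
    if not g or g[0] not in "ABCDEF" or g[1:] not in ("", "+"):
        raise ValueError(f"unrecognised grade: {grade!r}")
    return (ord(g[0]) - ord("A")) * 2 + (0 if g.endswith("+") else 1)


def build_scan_request(target_url: str, api_key: str) -> urllib.request.Request:
    """Authenticated scan request: key goes in X-API-Key, URL in the query string."""
    query = urllib.parse.urlencode({"url": target_url})
    return urllib.request.Request(f"{SCAN_ENDPOINT}?{query}",
                                  headers={"X-API-Key": api_key})


def evaluate_scan(payload: dict, min_grade: str) -> dict:
    """Decide whether a scan result meets a CI grade threshold.

    DNS records reported as "unknown" mean the lookup did not complete (the
    page says this is never a guess), so they are listed separately and do
    not count as failures.
    """
    grade = payload["grade"]
    failed = [f["id"] for f in payload.get("findings", []) if f.get("status") == "fail"]
    dns = payload.get("dnsPosture", {})
    return {
        "ok": grade_rank(grade) <= grade_rank(min_grade),
        "grade": grade,
        "failed": failed,
        "dnsMissing": sorted(k for k, v in dns.items() if v == "missing"),
        "dnsUnknown": sorted(k for k, v in dns.items() if v == "unknown"),
    }


def fix_snippets(payload: dict) -> dict:
    """Collect the copy-paste fixSnippet of every failing finding, keyed by id."""
    return {f["id"]: f["fixSnippet"]
            for f in payload.get("findings", [])
            if f.get("status") == "fail" and f.get("fixSnippet")}


# Constructed sample response for offline use (not real scanner output).
SAMPLE_SCAN = {
    "url": "https://example.com",
    "grade": "C",
    "findings": [
        {"id": "hsts", "status": "pass", "points": 10,
         "explanation": "Strict-Transport-Security present", "fixSnippet": ""},
        {"id": "csp", "status": "fail", "points": 0,
         "explanation": "No Content-Security-Policy header",
         "fixSnippet": "add_header Content-Security-Policy \"default-src 'self'\" always;"},
        {"id": "x-frame-options", "status": "warn", "points": 3,
         "explanation": "Clickjacking protection relies on X-Frame-Options only",
         "fixSnippet": "add_header X-Frame-Options \"DENY\" always;"},
    ],
    "dnsPosture": {"SPF": "found", "DMARC": "missing", "DKIM": "unknown",
                   "CAA": "missing", "DNSSEC": "found"},
}


if __name__ == "__main__":
    req = build_scan_request("https://example.com", "hsh_EXAMPLE_KEY")  # placeholder key
    print("would request:", req.get_method(), req.full_url)
    # In CI you would send `req` with urllib.request.urlopen and json.load the body;
    # here the constructed payload stands in for the response.
    summary = evaluate_scan(SAMPLE_SCAN, min_grade="B")
    print(summary)
    for finding_id, snippet in fix_snippets(SAMPLE_SCAN).items():
        print(f"fix for {finding_id}: {snippet}")
    raise SystemExit(0 if summary["ok"] else 1)
```

The exit status is what a CI step would key on: a grade below the threshold fails the build, while findings in the warn state and DNS records that could not be resolved are reported without blocking, so an upstream DNS hiccup does not masquerade as a regression.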
| Feature | Plan | API |
|---|---|---|
| Security-header scan + A+–F grade | All plans (Free: 10 scans/mo) | GET /api/v1/scan |
| TLS certificate expiry + cookie flags | All plans (in every scan) | GET /api/v1/scan |
| DNS & Email Security posture (SPF/DMARC/DKIM/CAA/DNSSEC) | All plans (in every scan) | GET /api/v1/scan → dnsPosture |
| Copy-paste fix snippets (Nginx/Apache/Cloudflare/Next.js/vercel.json) | All plans | GET /api/v1/scan → findings[].fixSnippet |
| Scheduled monitoring + alerts | Basic: 3 sites · Premium: 20 · Business/Lifetime: 100 | POST /api/v1/monitors |
| Signed webhooks (scan.completed, monitor.changed) | Premium and above | PUT /api/v1/webhooks |
| Bulk scan (batch of domains) | Premium: 20/batch · Business/Lifetime: 50/batch | POST /api/v1/bulk/scan |
| Branded HTML security report | Any API key (counts as one scan) | GET /api/v1/report |
| Public share page + grade badge | Free, no key needed | POST /api/share · GET /api/badge/{token} |
| README grade badge (live scan) | Free, no key needed | GET /api/badge?url=example.com |
Still stuck? Check the API documentation at /docs or the OpenAPI spec at /api/openapi.json.