For many in the web security community, securityheaders.com has been a familiar and trusted tool for years.
Originally created by Scott Helme, it helped raise the baseline for HTTP security headers across the web, not through flashy reports, but by making the right things visible and measurable.
Over time, the project evolved:
- Originally launched in February 2015.
- The API was rolled out in January 2023.
- securityheaders.com was acquired by Probely in June 2023.
- Probely was later acquired by Snyk in June 2025.
In April 2025, Probely announced that the Security Headers API will be discontinued in April 2026. As far as we know, the free website service will remain available for the foreseeable future.
If you were using it for anything below, you now need an alternative:
- CI/CD checks
- Automated estate scanning
- Compliance evidence
- Repeated audits without manual effort
That’s why I am really excited to announce that alongside our existing services, we’ve released an endpoint to serve as a replacement for the Security Headers API.
Continuing the good work
SecurityHeaders.com did something really important: it made HTTP security headers understandable, testable, and actionable.
Snyk hasn’t said anything about the future of securityheaders.com as a whole, so we assume that they will continue to maintain and update the website. If they do decide not to maintain the website, Cybaa stands ready with our own version, which is available and free to use right now!

What the Cybaa Security Headers API tests and scores
Cybaa’s API scans a hostname or URL and returns structured JSON results, including scoring and raw observations across:
- Content Security Policy (CSP)
- Cookies (Secure, HttpOnly, SameSite)
- CORS
- Redirection behaviour
- Referrer-Policy
- HTTP Strict Transport Security (HSTS)
- Subresource Integrity (SRI)
- X-Content-Type-Options
- X-Frame-Options
- Cross-Origin Resource Policy (CORP)
Getting started
It couldn’t be simpler to use. All you need to do is:-
curl 'https://api.cybaa.io/headers?target=' \
  --header 'Api-Key: YOUR_SECRET_TOKEN'
or, if you use a language like C#:-
using var client = new HttpClient();
var request = new HttpRequestMessage(HttpMethod.Get, "https://api.cybaa.io/headers?target=");
request.Headers.TryAddWithoutValidation("Api-Key", "YOUR_SECRET_TOKEN");
using var response = await client.SendAsync(request);
You’ll get a response back that looks a little like this:-
{
  "scan": {
    "algorithmVersion": 4,
    "grade": "A+",
    "error": null,
    "score": 110,
    "statusCode": 200,
    "testsFailed": 2,
    "testsPassed": 8,
    "testsQuantity": 10,
    "responseHeaders": {
      "date": "Thu, 22 Jan 2026 17:40:36 GMT",
      "content-type": "text/html; charset=utf-8",
      "transfer-encoding": "chunked",
      "connection": "close",
      "cf-cache-status": "DYNAMIC",
      "age": "206342",
      "cache-control": "public, max-age=0",
      "server": "cloudflare",
      "strict-transport-security": "max-age=31536000; includeSubDomains; preload",
      ......
    }
  },
  "tests": {
    "content-security-policy": {
      "numPolicies": 1,
      "policy": {
        "antiClickjacking": true,
        "defaultNone": false,
        "insecureBaseUri": false,
        "insecureFormAction": false,
        "insecureSchemeActive": false,
        "insecureSchemePassive": false,
        "strictDynamic": false,
        "unsafeEval": false,
        "unsafeInline": false,
        "unsafeInlineStyle": true,
        "unsafeObjects": false
      },
      ...........
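For the CI/CD use case mentioned earlier, a response like this can be turned into a pass/fail gate. The sketch below is an added example, not Cybaa's own code: it uses only field names visible in the sample response above, and the `min_score` threshold, the `allowed_csp_flags` parameter and the reading of `unsafe*`/`insecure*` flags as weaknesses when true are assumptions.

```python
import json
import urllib.parse
import urllib.request

API = "https://api.cybaa.io/headers?target="  # endpoint as shown on the page

# Constructed sample, reduced to fields visible in the page's example response.
SAMPLE = json.loads("""
{"scan": {"grade": "A+", "error": null, "score": 110, "statusCode": 200,
          "testsFailed": 2, "testsPassed": 8, "testsQuantity": 10},
 "tests": {"content-security-policy": {"numPolicies": 1, "policy": {
     "antiClickjacking": true, "unsafeEval": false, "unsafeInline": false,
     "unsafeInlineStyle": true, "insecureBaseUri": false}}}}
""")

def fetch(target, api_key):
    """Call the API for one target (needs network; the offline demo skips it)."""
    req = urllib.request.Request(API + urllib.parse.quote(target, safe=""),
                                 headers={"Api-Key": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def gate(result, min_score=90, allowed_csp_flags=()):
    """Return a list of findings; an empty list means the build may pass.
    Assumptions: min_score is a local policy value, and CSP flags named
    unsafe*/insecure* indicate a weakness when true."""
    scan = result.get("scan") or {}
    if scan.get("error") is not None:
        return [f"scan error: {scan['error']}"]  # fail closed on scan errors
    findings = []
    if scan.get("statusCode") != 200:
        findings.append(f"target returned HTTP {scan.get('statusCode')}")
    score = scan.get("score")
    if not isinstance(score, (int, float)) or score < min_score:
        findings.append(f"score {score} below minimum {min_score}")
    csp = (result.get("tests") or {}).get("content-security-policy") or {}
    for flag, value in sorted((csp.get("policy") or {}).items()):
        risky = flag.startswith(("unsafe", "insecure"))
        if risky and value is True and flag not in allowed_csp_flags:
            findings.append(f"CSP weakness: {flag}")
    return findings

if __name__ == "__main__":
    problems = gate(SAMPLE)  # in CI: gate(fetch(target, key)), exit 1 if problems
    print("\n".join(problems) or "headers gate passed")
```

A missing or malformed `scan` object produces findings rather than a pass, so an unexpected response shape fails the build instead of silently succeeding.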
You can find out more about our API here:
👉 https://cybaa.io/products/api
I want to say a massive thank you to Scott for setting up securityheaders.com in the first place and relentlessly pushing the security standards of the web.

