voiddo secscan vs securityheaders.com
Both analyse HTTP security headers. This page compares severity grading, CSP parsing, public scan history, redirect detection, and when each tool fits your security workflow.
voiddo secscan — use when
- You want severity-classified findings (critical/high/medium/low) with remediation guidance
- You want to scan a staging or pre-launch URL without creating a public scan record
- You need CSP directive parsing to spot unsafe-inline / unsafe-eval issues
- You want redirect chain detection alongside header analysis
- You want results inside the voiddo developer tool suite with no account
- You want no ads, no signup, no rate limits
securityheaders.com — use when
- You need a public A+ to F letter grade for a compliance report or client deliverable
- You want a shareable badge / URL showing a site's grade
- You want access to the public scan history of a domain
- You need the industry-standard reference tool most security teams recognise
Feature comparison
| Feature | voiddo secscan | securityheaders.com |
|---|---|---|
| HTTP security header scan | ✓ yes | ✓ yes |
| Severity grading (critical/high/med/low) | ✓ yes | – letter grade only |
| Letter grade (A+ to F) | – no | ✓ yes |
| CSP directive parsing | ✓ unsafe-inline/eval flagged | partial |
| Public scan history / shareable URL | – no public log | ✓ yes |
| Redirect chain detection | ✓ yes | – no |
| Remediation guidance per header | ✓ yes | brief |
| HSTS, COOP, COEP, CORP checks | ✓ yes | ✓ yes |
| Deprecated header flagging | ✓ yes | ✓ yes |
| Scan privacy (no public record) | ✓ no public log | opt-out required |
| Account required | ✓ no | ✓ no |
| Free | ✓ 100% | ✓ yes |
FAQ
Is voiddo secscan an alternative to securityheaders.com?
Yes. voiddo secscan (tools.voiddo.com/secscan/) is a free HTTP security header scanner. Enter any URL and it fetches the HTTP response headers, then grades each security header (Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, and more) against best-practice recommendations. It shows critical/high/medium/low severity ratings, explains what each header does, and flags missing or misconfigured headers.
How does voiddo secscan differ from securityheaders.com?
securityheaders.com is the most widely known HTTP header grader, run by Scott Helme, and produces an A+ to F letter grade alongside a public history of scanned sites. voiddo secscan shows severity-classified findings (critical/high/medium/low) with remediation context, CSP directive parsing, and redirect chain detection — without creating a public scan record. If you need a public shareable grade badge, securityheaders.com is the standard. If you want developer-focused severity context without a public record of your scan, voiddo secscan fits better.
Does voiddo secscan log or store the URLs I scan?
voiddo secscan makes a server-side HTTP request to fetch the target URL's headers (required because browsers block cross-origin header reads). The URL is used only to perform the scan fetch and is not stored in a public database or scan history log. securityheaders.com maintains a public history of scanned sites unless you opt out. If scanning an internal staging URL or pre-launch domain, voiddo secscan does not create a public record.
What security headers are checked?
voiddo secscan checks: Content-Security-Policy (CSP), Strict-Transport-Security (HSTS), X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy (formerly Feature-Policy), Cross-Origin-Opener-Policy (COOP), Cross-Origin-Embedder-Policy (COEP), Cross-Origin-Resource-Policy (CORP), and deprecated or dangerous headers. Each header is rated by severity impact when missing or misconfigured.
What is a Content Security Policy and why is it critical?
Content-Security-Policy (CSP) is an HTTP response header that instructs the browser which sources are allowed to load scripts, styles, images, fonts, and other resources. A missing or overly permissive CSP is rated critical because it is the primary browser-level defence against cross-site scripting (XSS) attacks. A well-configured CSP prevents injected scripts from executing even if an XSS vulnerability exists in the application code. voiddo secscan parses CSP directives and flags dangerous values like unsafe-inline and unsafe-eval.
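The kind of directive parsing described above can be sketched as follows. This is an added example, not voiddo secscan's code: the function names and the severity assigned to each finding are assumptions (only "critical" for a missing policy follows the page), and the sample header values are constructed.

```python
# Added example, not voiddo secscan's implementation.
# Severity labels other than "critical" for a missing policy are assumptions.
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def parse_csp(header):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored by browsers: the first one wins.
            # Lower-casing is fine for keyword matching, not for reusing nonces.
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy

def effective(policy, directive):
    """Return (name, sources) actually governing `directive`, or (None, None)."""
    for name in (directive, "default-src"):  # fetch directives fall back to default-src
        if name in policy:
            return name, policy[name]
    return None, None

def audit_csp(header):
    """Return a list of (severity, directive, keyword) findings."""
    if not header or not header.strip():
        return [("critical", None, "missing-policy")]
    policy = parse_csp(header)
    findings = []
    name, sources = effective(policy, "script-src")
    if sources is None:
        findings.append(("critical", "script-src", "unrestricted"))
    else:
        # CSP Level 2+ browsers ignore 'unsafe-inline' when a nonce or hash is listed.
        neutralised = any(s.startswith(HASH_OR_NONCE) for s in sources)
        if "'unsafe-inline'" in sources:
            findings.append(("low" if neutralised else "high", name, "'unsafe-inline'"))
        if "'unsafe-eval'" in sources:
            findings.append(("high", name, "'unsafe-eval'"))
    name, sources = effective(policy, "style-src")
    if sources is not None and "'unsafe-inline'" in sources:
        findings.append(("medium", name, "'unsafe-inline'"))
    return findings

# Constructed sample header values, not taken from any real site.
SAMPLES = [
    "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'",
    "default-src 'self' 'unsafe-inline'",
    "script-src 'nonce-r4nd0m' 'unsafe-inline'; object-src 'none'",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", audit_csp(sample))
```

The second sample shows why a scanner has to resolve the default-src fallback: the policy has no script-src at all, yet inline scripts are still allowed through default-src.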
Is voiddo secscan free?
Yes — completely free with no account required, no rate limits on reasonable use, and no ads. It is part of the 49+ free developer tools at tools.voiddo.com.