HeaderTest Is Officially Out of Beta
What started as a simple Content Security Policy checker has grown into something much more useful. HeaderTest now analyzes your full set of security headers, gives you a transparent score breakdown, and tracks how your security posture changes over time.
Today we're dropping the beta label. Here's what changed and why it matters.
A Completely Reworked Scoring System
This was the biggest change. The old scoring system gave you a single number that was hard to interpret. Two sites could get the same score for completely different reasons, and it wasn't always clear what to fix first.
The new system breaks your score into three categories, each scored independently on a 0–100 scale with letter grades from A+ through F:
Security — The core stuff. Does your site have CSP? Are you using unsafe-inline or unsafe-eval? Do you have X-Frame-Options or frame-ancestors set? Missing a CSP entirely or allowing unsafe-inline in your script-src hits hard here, because those are the issues that actually get exploited.
Compliance — Headers that browsers and standards expect to see. Strict-Transport-Security, X-Content-Type-Options, Referrer-Policy, Permissions-Policy. These are the table-stakes headers that every production site should have.
Best Practices — The extras that separate a good setup from a great one. Using strict-dynamic with nonces instead of allowlists. Setting report-uri or report-to so you know when violations happen. Having a tight default-src. These won't save you from a breach on their own, but they make your policy significantly more robust.
The scoring now properly weights critical issues versus minor gaps. Missing CSP entirely drops your Security score to the floor. Having CSP but with unsafe-inline still hurts, but less than having nothing at all. A missing Referrer-Policy is a compliance gap, not a security emergency — and the score reflects that.
The goal is simple: when you look at your scores, you should know exactly what to fix and in what order.
Domain History and Score Trends
This is the feature we're most excited about. Every domain you scan now has a dedicated history page at /results/yourdomain.com that shows how your security score has changed over time.
You get a visual score trend chart showing your progression across scans — so when you tighten up your CSP or add a missing header, you can see the improvement on your next scan. Below the chart, there's a full scan history table with grade badges, CSP status, and header counts for each scan.
This is especially useful if you're iterating on a Content Security Policy. CSP is notoriously hard to get right on the first try. The typical workflow is: scan your site, see what's missing, add a directive, deploy, scan again, find out you broke something, adjust, deploy again. Having a history page means you can track that whole process and make sure you're actually moving in the right direction.
It also helps if you're reporting to a team or a manager. Instead of saying "we improved our security headers," you can show a chart that proves it.
Analysis Engine Improvements
We rebuilt significant parts of the analysis engine. These are under-the-hood changes, but they make the results more accurate and more useful.
Better CSP parsing. The parser now handles edge cases that used to trip it up — multiple CSP headers on a single response, Content-Security-Policy-Report-Only detection, unusual whitespace and formatting, and directives with complex source expressions. If your server sends a CSP, we parse it correctly now.
Structured issue reporting. Every issue found during a scan now has a severity level: critical, high, medium, low, or informational. Critical issues are things like missing CSP or unsafe-inline in script-src. Informational items might be a suggestion to add report-to for monitoring. This makes it much easier to prioritize what to fix.
Smarter recommendations. Recommendations now adapt to what's actually in your policy. If you're already using nonces, we won't suggest switching to nonces. If you have strict-dynamic set, we'll note that your CDN allowlist entries are being ignored by supporting browsers (which is how strict-dynamic is supposed to work, but it surprises people). The goal is recommendations you can actually act on, not generic advice.
Faster scans. Scan times are noticeably faster. We optimized the request pipeline and parallelized parts of the analysis that were running sequentially. Most scans complete in a few seconds now.
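To make the parsing rules and severity levels in this section, and the per-category scoring described above, concrete, here is a small added example written for this page (not HeaderTest's own engine). It merges multiple CSP headers, detects Report-Only, tolerates odd whitespace, tags issues with a severity, and turns them into a Security score; the deductions and grade cut-offs are assumed, since the real weights are not published here.

```python
import re
# Assumed per-severity deductions and grade cut-offs for a 0-100 Security score;
# HeaderTest's real weights are not on the page, these are illustrative only.
DEDUCTION = {"critical": 50, "high": 20, "medium": 10, "low": 5, "informational": 0}
GRADES = [(95, "A+"), (90, "A"), (80, "B"), (70, "C"), (60, "D"), (0, "F")]

def parse_csp(value):
    """One CSP value -> {directive: [sources]}; splits on ';' and any whitespace run; first copy of a repeated directive wins, as in browsers."""
    policy = {}
    for chunk in value.split(";"):
        tokens = chunk.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def analyze(headers):
    """headers: (name, value) pairs from one response -> [(severity, message)]."""
    enforced = [parse_csp(v) for n, v in headers if n.lower() == "content-security-policy"]
    report_only = any(n.lower() == "content-security-policy-report-only" for n, _ in headers)
    xfo = any(n.lower() == "x-frame-options" for n, _ in headers)
    issues = []
    if not enforced:
        issues.append(("critical", "no enforced Content-Security-Policy header"))
        if report_only:
            issues.append(("informational", "CSP is Report-Only: violations are reported, not blocked"))
    for policy in enforced:  # several CSP headers: a load must satisfy every policy
        scripts = policy.get("script-src", policy.get("default-src", []))
        nonce_or_hash = any(re.match(r"'(nonce|sha(256|384|512))-", s) for s in scripts)
        if "'unsafe-inline'" in scripts and not nonce_or_hash:  # a nonce/hash neutralises it in CSP2+ browsers
            issues.append(("critical", "'unsafe-inline' lets injected inline scripts run"))
        if "'unsafe-eval'" in scripts:
            issues.append(("high", "'unsafe-eval' permits string-to-code execution"))
        hosts = [s for s in scripts if not s.startswith("'")]
        if "'strict-dynamic'" in scripts and hosts:
            issues.append(("informational", f"'strict-dynamic' makes allowlist {hosts} ignored by supporting browsers"))
    if not (xfo or any("frame-ancestors" in p for p in enforced)):
        issues.append(("high", "no frame-ancestors or X-Frame-Options: framing is unrestricted"))
    if enforced and not any("report-uri" in p or "report-to" in p for p in enforced):
        issues.append(("informational", "add report-to or report-uri to hear about violations"))
    return issues

def security_score(issues):
    score = max(0, 100 - sum(DEDUCTION[sev] for sev, _ in issues))  # floor at 0
    return score, next(g for cutoff, g in GRADES if score >= cutoff)

# Constructed sample response: two enforced CSP headers, one with odd whitespace.
SAMPLE = [("Content-Security-Policy", "default-src 'self';  script-src 'self'  'unsafe-inline' cdn.example.com ;"),
          ("Content-Security-Policy", "frame-ancestors 'none'")]
if __name__ == "__main__":
    print(analyze(SAMPLE), security_score(analyze(SAMPLE)))
```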
What's Next
We have a clear roadmap for what's coming:
More header coverage. We're adding analysis for headers we don't currently cover in depth, including Cross-Origin-Opener-Policy, Cross-Origin-Embedder-Policy, and Cross-Origin-Resource-Policy. These are increasingly important for sites that need cross-origin isolation.
API access. A proper API so you can run scans programmatically and integrate HeaderTest into your CI/CD pipeline. Scan on every deploy, fail the build if your security score drops.
Scheduled monitoring. Set up a domain and get notified when your security headers change or your score drops. Useful for catching regressions after deploys or infrastructure changes.
Individual scans will always be free. Go scan your site and see where you stand.