
Frequently Asked Questions

Everything you need to know about how SecHead works, how grading is calculated, what data we collect, and more.

What counts as a good grade?
An A or A+ grade means your site has all the essential security headers correctly configured. A+ requires 95/100 or higher. A covers 80-94. B and C typically mean one or two headers are missing. D, E, or F indicate significant gaps.
Why might my grade drop on a re-scan?
Common causes are a CDN or proxy stripping headers, a server configuration change, a caching layer returning an older response, or a deployment that removed the header configuration. Use the Raw Headers section to compare the two scans.
Do you store the sites I scan?
Yes - domain, grade, score, headers, warnings and timestamp are stored to power Recent Scans, Hall of Fame/Shame, and permanent /report/[domain] pages. Raw IP addresses are never stored.
What data do you collect?
The domain and URL you scan, your server HTTP headers, the grade and score, and a hashed IP for rate limiting. We do not sell data or collect personal information beyond this.
How does rate limiting work?
10 free scans per IP per hour. If you hit the limit you will see a message with the reset time. Your raw IP is never stored.
Can I use SecHead in my CI/CD pipeline?
Yes. POST to /api/scan with body { url: "https://yoursite.com" }. The response includes grade, score, warnings, and raw headers as JSON.
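An added example (not SecHead's own client code) of turning that endpoint into a CI gate: it posts the URL, then fails the job if the grade is below a threshold or if any warning matches a pattern you care about. The FAQ only says the response carries grade, score, warnings and raw headers as JSON, so the exact key names ("grade", "score", "warnings", "headers"), the host in SECHEAD_SCAN_URL and the sample response below are assumptions to adjust against a real scan.

```python
"""CI gate on a SecHead scan (added example; key names and host are assumptions)."""
import json
import sys
import urllib.error
import urllib.request

# Placeholder host: the FAQ gives only the /api/scan path.
SECHEAD_SCAN_URL = "https://sechead.example/api/scan"

# Worst to best, matching the grades described in the FAQ.
GRADE_ORDER = ["F", "E", "D", "C", "B", "A", "A+"]


def scan(url, endpoint=SECHEAD_SCAN_URL, timeout=30):
    """POST {"url": ...} to /api/scan and return the parsed JSON body.

    Raises RuntimeError with the server's message when the request is refused,
    e.g. when the per-IP hourly limit described in the FAQ is hit.
    """
    body = json.dumps({"url": url}).encode()
    req = urllib.request.Request(
        endpoint, data=body, method="POST",
        headers={"Content-Type": "application/json"},
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as exc:
        raise RuntimeError(f"scan refused ({exc.code}): {exc.read().decode(errors='replace')}") from exc


def evaluate(result, min_grade="A", fail_on_warnings=()):
    """Return (ok, reasons) for a scan result.

    ok is False when the grade is unknown, below min_grade, or when any warning
    contains one of the substrings in fail_on_warnings (case-insensitive).
    """
    reasons = []
    grade = str(result.get("grade", "")).upper()
    if grade not in GRADE_ORDER:
        reasons.append(f"unrecognised grade {grade!r}")
    elif GRADE_ORDER.index(grade) < GRADE_ORDER.index(min_grade):
        reasons.append(f"grade {grade} (score {result.get('score')}) is below required {min_grade}")
    for warning in result.get("warnings", []):
        for pattern in fail_on_warnings:
            if pattern.lower() in str(warning).lower():
                reasons.append(f"blocked warning: {warning}")
    return (not reasons, reasons)


# Constructed sample response, shaped as the FAQ describes (assumed key names).
SAMPLE_RESULT = {
    "grade": "B",
    "score": 72,
    "warnings": [
        "Content-Security-Policy header missing",
        "Permissions-Policy header missing",
    ],
    "headers": {"strict-transport-security": "max-age=63072000; includeSubDomains"},
}


def main(argv):
    """Usage: python gate.py https://yoursite.com [MIN_GRADE]"""
    url = argv[1]
    min_grade = argv[2] if len(argv) > 2 else "A"
    result = scan(url)
    ok, reasons = evaluate(result, min_grade, fail_on_warnings=("unsafe-inline",))
    print(json.dumps({"grade": result.get("grade"), "score": result.get("score"), "ok": ok}))
    for reason in reasons:
        print("FAIL:", reason, file=sys.stderr)
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the free tier allows 10 scans per IP per hour, run the gate once per deployment rather than per commit, and let a refused request fail the job loudly instead of being retried in a loop.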
Why does SecHead cap my grade at A if I have unsafe-inline?
The unsafe-inline keyword disables CSP's primary XSS defence: it allows any inline script to run, including injected ones. A+ requires a CSP that genuinely blocks XSS.
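To see why the grader treats the keyword this way, here is an added example (not SecHead's grading code) that parses a Content-Security-Policy value and reports whether inline scripts can still execute. It applies two rules from the CSP specification: script-src falls back to default-src when absent, and browsers implementing CSP Level 2 or later ignore 'unsafe-inline' in a directive that also carries a nonce or hash source. The policies and the nonce value are constructed samples.

```python
"""Does this CSP still allow inline scripts? (added example, not SecHead's code)"""

HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}.

    Per the spec, when a directive is repeated only the first occurrence counts.
    """
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if not parts:
            continue
        name, values = parts[0].lower(), parts[1:]
        if name not in policy:
            policy[name] = values
    return policy


def effective_script_sources(policy):
    """Sources governing <script>: script-src, else default-src, else None (unrestricted)."""
    if "script-src" in policy:
        return policy["script-src"]
    if "default-src" in policy:
        return policy["default-src"]
    return None


def allows_inline_script(header):
    """True when an injected inline <script> would be allowed to run."""
    sources = effective_script_sources(parse_csp(header))
    if sources is None:
        return True  # no directive restricts scripts at all
    lowered = [s.lower() for s in sources]
    has_nonce_or_hash = any(s.startswith(HASH_PREFIXES) for s in lowered)
    # 'unsafe-inline' only takes effect when no nonce or hash is present.
    return "'unsafe-inline'" in lowered and not has_nonce_or_hash


# Constructed sample policies.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'"
HARDENED_CSP = "default-src 'self'; script-src 'self' 'nonce-c0nstructedN0nce'"
FALLBACK_CSP = "default-src 'self' 'unsafe-inline'"          # no script-src: default-src applies
UNRESTRICTED_CSP = "img-src 'self'"                           # nothing governs scripts
MIXED_CSP = "script-src 'self' 'unsafe-inline' 'nonce-c0nstructedN0nce'"  # nonce wins in CSP2+


def explain(header):
    """Human-readable verdict for one header value."""
    return "inline scripts ALLOWED" if allows_inline_script(header) else "inline scripts blocked"


if __name__ == "__main__":
    for label, csp in [("weak", WEAK_CSP), ("hardened", HARDENED_CSP),
                       ("fallback", FALLBACK_CSP), ("unrestricted", UNRESTRICTED_CSP),
                       ("mixed", MIXED_CSP)]:
        print(f"{label:12s} {explain(csp)}")
```

The hardened form keeps 'unsafe-inline' out entirely and uses a per-response nonce; the mixed form is what you see when a site adds a nonce while keeping 'unsafe-inline' for older browsers, which modern browsers treat as nonce-only.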
What are the upcoming headers in my report?
Cross-Origin-Opener-Policy (COOP), Cross-Origin-Embedder-Policy (COEP), and Cross-Origin-Resource-Policy (CORP) appear as recommendations. Not yet scored but worth adding.
Why do some headers not appear in my scan results?
SecHead checks a specific set of security headers. Non-security headers like Cache-Control appear in Raw Headers but not in the scored analysis.
Is this tool affiliated with any security company?
No. SecHead is an independent tool built by Seven Labs. It is not affiliated with Google, Mozilla, or any external security firm.

Still have questions? Email us or check out our complete security headers checklist.