Applies to every public, documented MySSL endpoint:
GET /headers/check and everything under /api/v1/.
In April 2026, the securityheaders.com API was discontinued after the service changed owners. It had years of goodwill and thousands of integrations — and most of its users found out from a failing pipeline, because a year of notice on a blog is no notice at all to a cron job.
Many of our API users came to us directly from that shutdown. Telling them "trust us, we're different" would be worthless — trust in intentions is exactly what just failed them. So this page commits us to a mechanism instead. It is versioned, dated, and any change to it gets a changelog entry.
Anonymous GET /headers/check stays free for basic, on-demand checks, and free accounts keep a working API key. We may tune rate limits to control abuse, but free basic access is permanent. Paid tiers exist for volume, automation and retention — never as a wall in front of a basic result.
The /api/v1 prefix means what it says: we add endpoints and fields without breaking existing integrations. Backwards-incompatible changes only ever ship under a new version prefix.
If we ever deprecate a public endpoint, a documented, working replacement is live before the deprecation is announced. Migration is a choice you make on your schedule — never a scramble.
From deprecation announcement to shutdown of any public endpoint: a minimum of twelve months. Announced in the API changelog and by email to every affected API-key holder.
Deprecated endpoints will send Deprecation and Sunset HTTP headers on every response for the entire notice period — so a headless CI job or monitoring script can detect the change in-band, from the response itself. This is the specific failure of the shutdown that stranded everyone: we consider a deprecation your pipeline can't see to be no deprecation notice at all.
Your domain list and configuration are exportable. If you go, you go with your data and without tricks.
We will not promise that MySSL will never be acquired, never change, or never shut down. Nobody can honestly promise that, and the service you may have migrated from is proof. What we commit to is that the six mechanisms above bind any future of this product, including a wind-down: if MySSL were ever to shut down entirely, the free API would stay up for the full notice period, with in-band Sunset headers, and we would publish honest migration guidance to alternatives — including competitors.
A promise you can verify beats a promise you have to believe.
We're new and growing — your feedback helps us improve.