Snyk discontinued the securityheaders.com API in April 2026. MySSL returns the same A+→F grade over a free JSON API — change one URL and your CI keeps working.
No card. Anonymous calls work today at 400/day with no signup.
securityheaders.com was created by Scott Helme, acquired by Probely (June 2023), and Probely was then acquired by Snyk (2025). Probely gave about a year's notice in April 2025, and the programmatic API was discontinued in April 2026.
The free web scanner at securityheaders.com still works — but the API endpoint is gone, so CI/CD pipelines that gated deploys on a header grade, and dashboards that pulled grades, stopped working. This page is the migration path. (Discussed on Hacker News.)
- curl -H "x-api-key: KEY" \ - "https://api.securityheaders.com/?q=myssl.info&hide=on&followRedirects=on" + curl "https://myssl.info/headers/check?q=myssl.info"
Both APIs return the letter grade on the X-Grade response header, so CI that read X-Grade keeps working unchanged. Live response headers for myssl.info today:
HTTP/1.1 200 OK X-Grade: A X-Grade-Capped: A Content-Type: application/json
The old API returned summary.grade + summary.headers. MySSL keeps that shape and adds the cap signal, warnings and the raw headers. Real, unedited response for myssl.info:
{
"grade": "A",
"gradeCapped": true,
"gradeCapReason": "Grade capped at A because the Content-Security-Policy
contains 'unsafe-inline' and 'unsafe-eval' in the
script-src directive...",
"headersPresent": ["Strict-Transport-Security","Content-Security-Policy",
"X-Frame-Options","X-Content-Type-Options",
"Referrer-Policy","Permissions-Policy"],
"headersMissing": [],
"upcomingHeaders": [
{"header":"Cross-Origin-Embedder-Policy","present":false},
{"header":"Cross-Origin-Opener-Policy","present":false},
{"header":"Cross-Origin-Resource-Policy","present":false}
],
"summary": { "grade":"A", "site":"myssl.info", "headers":{ ... } },
"myssl": { "deeper_score":93, "https_redirect":true }
}
Try it live, no signup:
/headers/check?q=myssl.info ·
github.com (returns B, Permissions-Policy missing). Full reference:
API docs & field mapping →
MySSL grades the same six core headers on the same A+ → F scale: Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy.
It reproduces the well-known securityheaders.com signal: a grade is capped at A when your CSP contains 'unsafe-inline' or 'unsafe-eval' in script-src — exactly what you see for myssl.info above. The gradeCapped boolean and X-Grade-Capped header make that machine-readable.
securityheaders.com gated its extra checks. MySSL runs them free, as a separate secondary score in the myssl block — it never moves the headline grade:
Authorization: Bearer <key>. A free account includes it.Need automation volume, scheduled re-scans, history and grade-drop alerts to Slack/Discord/webhook? That's what an account adds — the thing the old API never offered.
Yes. The programmatic API was discontinued in April 2026 by Snyk (which acquired the operator, Probely, in 2025); notice was given about a year earlier. The free web scanner still works, but the API endpoint CI/CD and dashboards called is gone.
MySSL's GET https://myssl.info/headers/check?q=DOMAIN. Same A+→F grade on the X-Grade header and as JSON. 400/day anonymous per IP; 2,000/day with a free key.
Yes — the same six core headers on the same scale, including the "Grade capped at A" behaviour for a CSP with unsafe-inline/unsafe-eval in script-src.
Swap https://api.securityheaders.com/?q=example.com for https://myssl.info/headers/check?q=example.com. Read X-Grade (or JSON .grade) as before. No x-api-key needed anonymously; for volume send Authorization: Bearer <key>.
A free deeper analysis (HTTPS redirect, cookie flags, mixed content, tech disclosure, security.txt) in the JSON myssl block, as a secondary score that never changes the headline grade.
We're new and growing — your feedback helps us improve.