Defaults.Exposed

Defaults.ExposedCompare › SecurityHeaders.com

Defaults.Exposed vs SecurityHeaders.com: beyond HTTP headers

SecurityHeaders.com is the classic, focused grader for HTTP response headers — HSTS, CSP, X-Frame-Options and friends. Defaults.Exposed covers those same web headers but rolls them together with email authentication, TLS and DNS into a single A–F grade for your domain, plus a percentile and per-failure fixes.

Feature comparison

FeatureDefaults.ExposedSecurityHeaders.com
HTTP security header gradeYes (part of the score)Yes — its specialty
Email authentication (SPF / DKIM / DMARC)YesNo
TLS / certificate checksYesNo
DNS checks (DNSSEC, CAA, nameservers)YesNo
Single grade across all of the aboveYes — one A–FHeaders only
Percentile vs a domain populationYesNo
Per-failure fix guides + per-host setupYesHeader reference
Result modelOwner-verified self-check (private)Open public scan
PriceFreeFree

Comparison reflects publicly documented features at time of writing; tools change, so check each vendor for the latest. We compare capabilities only and never publish any organisation's per-domain grade.

The short version

SecurityHeaders.com popularised the idea of a letter grade for web security, focused tightly on HTTP response headers. It’s fast, clear, and still the reference many developers reach for to check their Content-Security-Policy or confirm HSTS is set.

Defaults.Exposed takes the same letter-grade idea and applies it to the whole domain. Your web headers are in there — but so is whether your email can be forged (SPF, DKIM, DMARC), whether your TLS and certificate are sound, and whether your DNS is locked down (DNSSEC, CAA). The result is one A–F grade that reflects how a domain actually gets attacked, not just one layer of it, plus a percentile and a fix for everything that fails.

Headers are necessary but not sufficient. If you want the full posture in a single score, that’s the gap we fill.

Frequently asked questions

Does Defaults.Exposed check the same headers as SecurityHeaders.com?

Yes — HSTS, Content-Security-Policy, X-Frame-Options / clickjacking protection, MIME-sniffing and referrer policy are all part of the grade. The difference is we don't stop at headers; email authentication, TLS and DNS count too.

Should I still use SecurityHeaders.com?

It's a great focused reference if all you care about is HTTP headers. If you want your headers scored in the context of your whole domain's security — including whether your email can be spoofed — Defaults.Exposed gives you the complete picture in one grade.

Why does email authentication matter if I only care about my website?

Because the most common real-world attack on a small business isn't a hacked website — it's a spoofed email using your domain. A perfect header grade doesn't stop that; SPF and DMARC do. A single grade keeps both in view.

See your own domain graded A–F across every check in one place — privately, free, owner-only. Run the free check →

All comparisons → · How we grade →