Defaults.Exposed › Compare › SecurityHeaders.com
Defaults.Exposed vs SecurityHeaders.com: beyond HTTP headers
SecurityHeaders.com is the classic, focused grader for HTTP response headers — HSTS, CSP, X-Frame-Options and friends. Defaults.Exposed covers those same web headers but rolls them together with email authentication, TLS and DNS into a single A–F grade for your domain, plus a percentile and per-failure fixes.
Feature comparison
| Feature | Defaults.Exposed | SecurityHeaders.com |
|---|---|---|
| HTTP security header grade | Yes (part of the score) | Yes — its specialty |
| Email authentication (SPF / DKIM / DMARC) | Yes | No |
| TLS / certificate checks | Yes | No |
| DNS checks (DNSSEC, CAA, nameservers) | Yes | No |
| Single grade across all of the above | Yes — one A–F | Headers only |
| Percentile vs a domain population | Yes | No |
| Per-failure fix guides + per-host setup | Yes | Header reference |
| Result model | Owner-verified self-check (private) | Open public scan |
| Price | Free | Free |
Comparison reflects publicly documented features at time of writing; tools change, so check each vendor for the latest. We compare capabilities only and never publish any organisation's per-domain grade.
The short version
SecurityHeaders.com popularised the idea of a letter grade for web security, focused tightly on HTTP response headers. It’s fast, clear, and still the reference many developers reach for to check their Content-Security-Policy or confirm HSTS is set.
Defaults.Exposed takes the same letter-grade idea and applies it to the whole domain. Your web headers are in there — but so is whether your email can be forged (SPF, DKIM, DMARC), whether your TLS and certificate are sound, and whether your DNS is locked down (DNSSEC, CAA). The result is one A–F grade that reflects how a domain actually gets attacked, not just one layer of it, plus a percentile and a fix for everything that fails.
Headers are necessary but not sufficient. If you want the full posture in a single score, that’s the gap we fill.
Frequently asked questions
Does Defaults.Exposed check the same headers as SecurityHeaders.com?
Yes — HSTS, Content-Security-Policy, X-Frame-Options / clickjacking protection, MIME-sniffing and referrer policy are all part of the grade. The difference is we don't stop at headers; email authentication, TLS and DNS count too.
Should I still use SecurityHeaders.com?
It's a great focused reference if all you care about is HTTP headers. If you want your headers scored in the context of your whole domain's security — including whether your email can be spoofed — Defaults.Exposed gives you the complete picture in one grade.
Why does email authentication matter if I only care about my website?
Because the most common real-world attack on a small business isn't a hacked website — it's a spoofed email using your domain. A perfect header grade doesn't stop that; SPF and DMARC do. A single grade keeps both in view.
See your own domain graded A–F across every check in one place — privately, free, owner-only. Run the free check →