Mozilla HTTP Observatory
The Mozilla HTTP Observatory is an online scanner that evaluates a website's implementation of security‑related HTTP response headers. By issuing a public report with a numeric score and grade, it guides developers toward hardening their sites against common attacks such as XSS, MiTM, and data leakage. The tool also records historical scans, enabling trend analysis over time.
History and Evolution
First launched in 2016 by security engineer April King, the Observatory began as an internal utility for Mozilla developers. Recognizing a widespread lack of header adoption, the team released a public web interface that quickly attracted a global audience. Since then, more than 6.9 million domains have been scanned a total of 47 million times, and the test suite has been expanded to reflect evolving standards.
Initial Release
The early version focused on a core set of headers, providing a simple score and basic remediation links.
Growth and Maintenance
The Infrastructure Security Team continuously added new checks and retired obsolete ones, keeping the tool aligned with current best practices.
Migration to MDN
In July 2024 the Observatory was relocated to MDN to reach a broader developer audience and benefit from MDN's documentation framework. The move included a refreshed user interface, updated test definitions, and tighter integration with MDN's practical security guides.
Scope of Tests
The scanner assesses a range of security headers that mitigate common web threats. It verifies the presence and correct configuration of HTTP Strict Transport Security, ensuring browsers enforce HTTPS for the specified duration. It also checks Content Security Policy directives, X-Content-Type-Options, and frame‑ancestors settings, among others, to reduce risks of cross‑site scripting, content sniffing, and click‑jacking.
Header Categories
Key categories include transport security, content security, and cookie attributes.
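The header checks described in the Scope of Tests section and the category list above can be illustrated with a small offline evaluator. The script below is an added example, not the Observatory's own code or scoring logic: it parses a constructed set of response headers, applies simplified checks for HSTS, CSP (including frame-ancestors), X-Content-Type-Options, and cookie attributes, and returns a per-category list of findings. The minimum HSTS age and the CSP source rules are assumed thresholds chosen for illustration, not the Observatory's actual grading rules.

```python
import re
from typing import Dict, List

# Constructed sample responses for demonstration (not real scan output).
HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'; object-src 'none'",
    "X-Content-Type-Options": "nosniff",
    "Set-Cookie": "session=abc123; Secure; HttpOnly; SameSite=Lax",
}

WEAK = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
    "Set-Cookie": "session=abc123",
}

# Assumed threshold (six months); the Observatory's real cutoff may differ.
MIN_HSTS_AGE = 15552000


def check_hsts(headers: Dict[str, str]) -> List[str]:
    """Verify HSTS is present, long-lived, and covers subdomains."""
    issues = []
    value = headers.get("strict-transport-security")
    if value is None:
        return ["HSTS header missing"]
    m = re.search(r"max-age=(\d+)", value, re.I)
    if not m:
        issues.append("HSTS max-age directive missing")
    elif int(m.group(1)) < MIN_HSTS_AGE:
        issues.append(f"HSTS max-age {m.group(1)} below {MIN_HSTS_AGE}")
    if "includesubdomains" not in value.lower():
        issues.append("HSTS lacks includeSubDomains")
    return issues


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [sources]}."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def check_csp(headers: Dict[str, str]) -> List[str]:
    """Flag permissive script sources and missing clickjacking protection."""
    issues = []
    value = headers.get("content-security-policy")
    if value is None:
        return ["CSP header missing"]
    d = parse_csp(value)
    default = d.get("default-src", [])
    script = d.get("script-src", default)  # script-src falls back to default-src
    if "*" in script or "'unsafe-inline'" in script:
        issues.append("CSP permits unsafe script sources")
    if "frame-ancestors" not in d and headers.get("x-frame-options") is None:
        issues.append("no clickjacking protection (frame-ancestors or X-Frame-Options)")
    return issues


def check_content_type_options(headers: Dict[str, str]) -> List[str]:
    """X-Content-Type-Options must be exactly 'nosniff' to stop MIME sniffing."""
    v = headers.get("x-content-type-options", "")
    return [] if v.strip().lower() == "nosniff" else ["X-Content-Type-Options missing or not nosniff"]


def check_cookies(headers: Dict[str, str]) -> List[str]:
    """Each Set-Cookie should carry Secure, HttpOnly, and SameSite."""
    issues = []
    cookie = headers.get("set-cookie")
    if cookie is None:
        return issues
    attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
    for wanted in ("secure", "httponly", "samesite"):
        if wanted not in attrs:
            issues.append(f"cookie lacks {wanted} attribute")
    return issues


def evaluate(headers: Dict[str, str]) -> Dict[str, List[str]]:
    """Run every check against a case-insensitive view of the headers."""
    h = {k.lower(): v for k, v in headers.items()}
    return {
        "hsts": check_hsts(h),
        "csp": check_csp(h),
        "content-type-options": check_content_type_options(h),
        "cookies": check_cookies(h),
    }


def has_issues(report: Dict[str, List[str]]) -> bool:
    return any(report.values())


if __name__ == "__main__":
    for name, hdrs in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, evaluate(hdrs))
```

Running the script reports no findings for the hardened header set and several for the weak one (short HSTS lifetime, wildcard and inline script sources, no frame restriction, missing nosniff, and a cookie without Secure/HttpOnly/SameSite). A real scanner would also need to follow redirects and fetch the live response; this example deliberately stops at header evaluation, which is the part of the Observatory's scope the text describes.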
Known Limitations
While the Observatory covers many preventive measures, it does not detect vulnerable software versions, SQL injection flaws, or insecure password storage. Scores reflect header compliance only and should be complemented with broader security testing.
API Access
Developers can programmatically request scans via the public API, which currently routes through the legacy test backend. Results may differ slightly from the web UI until the API is fully migrated to the new test suite.