What does Mozilla Observatory do?

Mozilla Observatory scans your site's HTTP headers, gives a letter grade (A+ to F), and provides recommendations. It is a checker — it identifies problems but does not generate the configuration to fix them.

What does HttpFixer do that Observatory does not?

HttpFixer generates the exact copy-paste configuration for your specific server stack — Nginx, Apache, Vercel, Cloudflare, Express, Caddy, or FastAPI. Observatory tells you HSTS is missing. HttpFixer gives you the add_header directive to add it.

Should I use both tools?

Yes — use Observatory for a quick grade and to understand your overall posture. Use HttpFixer when you need the actual configuration to fix what Observatory found.

HttpFixer → vs → Mozilla Observatory

HttpFixer vs Mozilla Observatory

Mozilla Observatory gives your site a letter grade. HttpFixer gives you the exact configuration to improve it — for your specific stack. Both are free. Here is how they compare.

Side-by-side comparison

Feature	Mozilla Observatory	HttpFixer
Scans security headers	Yes	Yes
Letter grade (A–F)	Yes	— (pass/fail per header)
Stack-specific fix config	No — recommendations only	Yes — Nginx, Vercel, Cloudflare, Express, Apache, Caddy, FastAPI
Stack detection from live headers	No	Yes — reads Server header to detect your stack
CORS preflight testing	No	Yes — CORSFixer sends real OPTIONS requests
OAuth error diagnosis	No	Yes — OAuthFixer with provider-specific fixes
CSP scanning from live URL	No	Yes — CSPFixer scans all resources your page loads
PageSpeed config generation	No	Yes — SpeedFixer via live PSI API
Mozilla brand and authority	High	— (independent tool)
Open source	Yes	Yes (MIT)
No signup required	Yes	Yes
Client-side processing	No — server-side	Yes — nothing sent to servers

The core difference

Mozilla Observatory is a checker. It tells you your grade and which headers are missing or misconfigured. It does not tell you what to paste into your nginx.conf to fix them.

HttpFixer is a fixer. After detecting which headers are missing, it reads the Server header from your response, identifies your stack, and generates the exact add_header directives, vercel.json headers block, or Cloudflare Transform Rule — ready to copy and paste.

Example: missing X-Frame-Options

	Observatory output	HttpFixer output
What you see	X-Frame-Options header not implemented — minus 20 points	Detected Nginx — here is your fix:
Config provided	Link to MDN documentation	`add_header X-Frame-Options "SAMEORIGIN" always;`

When to use Observatory

You want a standardized letter grade for stakeholders or compliance
You want Mozilla's official perspective on your security posture
You are researching your overall security level before starting fixes

When to use HttpFixer

You know you have a problem and need the exact config to fix it
You need stack-specific output for Nginx, Vercel, Cloudflare, or Express
You need to fix CORS errors, CSP violations, or OAuth failures — not just header presence
You want to go from failing Observatory to passing — with copy-paste configs

The workflow most developers use

Run Observatory to get a grade and understand the full picture. Then use HttpFixer to get the exact configs for each failing item. Observatory for diagnosis — HttpFixer for the fix.

Scan your headers → HeadersFixer Open Mozilla Observatory →

Also: HttpFixer vs securityheaders.com →