status: active
timestamp: 2026-06-20
tags: [security, audit, mozilla, ci, primary]
Mozilla Observatory
Comprehensive security auditor — headers + TLS + cookies + redirects, run in CI
Role
Broader security audit than securityheaders.com — alongside header grading, it checks TLS configuration, redirect chains, cookie flags, and HTTPS-redirection. Run as a CI gate on every PR; PR fails if Observatory score drops below A (85+).
Free tier
- Free CLI (@mdn/mdn-http-observatory on npm)
- Free hosted UI at https://observatory.mozilla.org/
- No rate limit for CI use (the CLI runs locally; no API call required)
- Open-source (MPL-2.0) — self-host fallback if Mozilla shuts the hosted UI
Card / subscription required?
NO. Mozilla project, no sign-up, no card.
How CI consumes it
- name: Audit (Mozilla Observatory)
  run: |
    npx @mdn/mdn-http-observatory "$PREVIEW_HOST" --format=json > obs.json
    score=$(jq -r '.scan.score' obs.json)
    grade=$(jq -r '.scan.grade' obs.json)
    echo "Observatory: $grade ($score)"
    # Gate: fail the PR below 85 (a null/missing score also fails the test)
    [ "$score" -ge 85 ] || exit 1
$PREVIEW_HOST is the Cloudflare Pages preview hostname (no scheme — Observatory adds its own probes).
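An added gate helper (not from this page or from the Observatory project) that does what the jq lines above do, but fails closed on a missing or non-numeric score and lists the failing tests worst-first so the PR log leads with the biggest deduction. Only scan.score and scan.grade come from the CI step above; the per-test fields (tests.*.pass, score_modifier, score_description) and the sample report are assumptions constructed for the example.

```python
"""Observatory CI gate: parse the CLI's JSON report and decide pass/fail."""
import json
import sys

THRESHOLD = 85  # the gate used in the CI step: fail the PR below 85

# Constructed sample report. scan.score / scan.grade mirror the jq paths in
# the CI step; the per-test layout is an assumed shape, not verified output.
SAMPLE_REPORT = json.dumps({
    "scan": {"score": 70, "grade": "B-", "tests_passed": 8, "tests_failed": 2},
    "tests": {
        "content-security-policy": {"pass": False, "score_modifier": -20,
                                    "score_description": "CSP header not implemented"},
        "cookies": {"pass": False, "score_modifier": -5,
                    "score_description": "Session cookie set without SameSite"},
        "strict-transport-security": {"pass": True, "score_modifier": 0,
                                      "score_description": "HSTS set for six months"},
    },
})


def evaluate(report_json, threshold=THRESHOLD):
    """Return (passed, score, grade, failure_lines).

    Fails closed: unparseable JSON or a missing/non-integer score is a
    failure, so a broken scan can never be mistaken for a passing one.
    """
    try:
        report = json.loads(report_json)
    except json.JSONDecodeError:
        return False, None, None, ["report is not valid JSON"]
    scan = report.get("scan") or {}
    score, grade = scan.get("score"), scan.get("grade")
    if not isinstance(score, int) or isinstance(score, bool):
        return False, None, grade, ["scan.score missing or not an integer"]
    # Failed tests sorted by deduction (most negative first).
    failed = sorted(
        ((name, t) for name, t in (report.get("tests") or {}).items()
         if not t.get("pass", True)),
        key=lambda item: item[1].get("score_modifier", 0))
    lines = [f"{t.get('score_modifier', 0):+d}  {name}: {t.get('score_description', '')}"
             for name, t in failed]
    return score >= threshold, score, grade, lines


if __name__ == "__main__":
    # Usage: python3 gate.py obs.json   (falls back to the constructed sample)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    passed, score, grade, failures = evaluate(data)
    print(f"Observatory: {grade} ({score})")
    for line in failures:
        print("  ", line)
    sys.exit(0 if passed else 1)
```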
What it checks (beyond headers)
- TLS cipher suites + Forward Secrecy
- HTTPS redirection (http:// → https:// chain length)
- HSTS preload eligibility
- Subresource Integrity for inline scripts (warning, not failing)
- Cookie flags (Secure / HttpOnly / SameSite)
- Cross-origin / referrer policies
- Public-Key-Pinning (deprecated; scored neutral)
Alternatives
- securityheaders.com — sibling, headers-only. We run both.
- Hardenize — paid past 1 domain.
- testssl.sh — TLS-only, not header-aware.
- ssllabs.com — TLS-only, slow scans, no JSON API.
Swap cost
Low — both Mozilla Observatory and securityheaders.com grade the same input. Already running both for redundancy; dropping one preserves the gate.
Why this is our pick
Broader than securityheaders.com (TLS + redirects + cookies in one run), free CLI runs in CI without an API key, open-source so no vendor lock-in. Mozilla’s rubric tends to be stricter than securityheaders.com’s — running both means a PR that scores A on both is unambiguously well-configured.
Cross-refs
- security services index
- Cloudflare _headers — what we’re auditing
- securityheaders.com — sibling auditor
- Security headers strategy decision
- No card-on-file rule