type: service
status: active
timestamp: 2026-06-20
tags: [security, audit, mozilla, ci, primary]

Mozilla Observatory

Comprehensive security auditor — headers + TLS + cookies + redirects, run in CI

Role

Broader security audit than securityheaders.com — alongside header grading, it checks TLS configuration, redirect chains, cookie flags, and HTTPS redirection. Run as a CI gate on every PR; the PR fails if the Observatory score drops below A (85+).

Free tier

Card / subscription required?

NO. Mozilla project, no sign-up, no card.

How CI consumes it

- name: Audit (Mozilla Observatory)
  run: |
    # Scan the preview host and write the raw JSON report to obs.json.
    npx @mdn/mdn-http-observatory "$PREVIEW_HOST" --format=json > obs.json
    score=$(jq -r '.scan.score' obs.json)
    grade=$(jq -r '.scan.grade' obs.json)
    echo "Observatory: $grade ($score)"
    # Gate: fail the step below 85 (grade A). A non-numeric score (e.g. "null"
    # from a scan that produced no result) makes the test error out, which
    # also fails the step, so the gate fails closed.
    [ "$score" -ge 85 ] || exit 1

$PREVIEW_HOST is the Cloudflare Pages preview hostname (no scheme — Observatory adds its own probes).
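A fail-closed version of the gate above, written here as an added Python example rather than the page's jq one-liner: it rejects a missing or non-integer `.scan.score` instead of relying on a shell test error, and lists the individual checks that failed so the PR author sees what to fix. Only `.scan.score` and `.scan.grade` come from the page; the `.tests` object with per-test `pass` and `score_modifier` fields is an assumption about the report layout, and the sample report is constructed, not real scan output.

```python
import json
import sys

THRESHOLD = 85  # grade A floor used by the CI gate above

def evaluate(report, threshold=THRESHOLD):
    """Return (passed, failing_tests). Missing or non-integer score fails closed."""
    scan = report.get("scan") if isinstance(report, dict) else None
    score = scan.get("score") if isinstance(scan, dict) else None
    # bool is an int subclass: reject it so a stray `true` cannot pass as 1.
    if isinstance(score, bool) or not isinstance(score, int):
        return False, ["scan.score missing or not an integer"]
    # Assumed layout: .tests.<name>.pass / .score_modifier (not stated on the page).
    tests = report.get("tests") or {}
    failing = [
        f"{name} ({test.get('score_modifier', '?')})"
        for name, test in sorted(tests.items())
        if isinstance(test, dict) and test.get("pass") is False
    ]
    return score >= threshold, failing

def gate(path, threshold=THRESHOLD):
    """CI entry point: 0 when the gate passes, 1 otherwise (also on unreadable JSON)."""
    try:
        with open(path, encoding="utf-8") as fh:
            report = json.load(fh)
    except (OSError, ValueError) as exc:
        print(f"Observatory: cannot read report: {exc}", file=sys.stderr)
        return 1
    passed, failing = evaluate(report, threshold)
    scan = report.get("scan") if isinstance(report, dict) else {}
    grade = scan.get("grade", "?") if isinstance(scan, dict) else "?"
    print(f"Observatory: {grade} ({'pass' if passed else 'FAIL'}, threshold {threshold})")
    for item in failing:
        print(f"  FAIL {item}", file=sys.stderr)
    return 0 if passed else 1

# Constructed sample report (not real scan output) so the script runs offline.
SAMPLE_REPORT = {
    "scan": {"score": 70, "grade": "B"},
    "tests": {
        "content-security-policy": {"pass": False, "score_modifier": -20},
        "strict-transport-security": {"pass": True, "score_modifier": 0},
        "x-content-type-options": {"pass": False, "score_modifier": -5},
    },
}

if __name__ == "__main__":
    sys.exit(gate(sys.argv[1]) if len(sys.argv) > 1 else int(not evaluate(SAMPLE_REPORT)[0]))
```

In the workflow, replace the jq lines with `python3 gate.py obs.json` and the step's exit status becomes the gate.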

What it checks (beyond headers)

Alternatives

Swap cost

Low — both Mozilla Observatory and securityheaders.com grade the same input. Already running both for redundancy; dropping one preserves the gate.

Why this is our pick

Broader than securityheaders.com (TLS + redirects + cookies in one run), free CLI runs in CI without an API key, open-source so no vendor lock-in. Mozilla’s rubric tends to be stricter than securityheaders.com’s — running both means a PR that scores A on both is unambiguously well-configured.

Cross-refs
