AmIHackable vs Mozilla Observatory
Let me be upfront: Mozilla Observatory is an excellent tool. It's free, open source, built by Mozilla, and it does exactly what it says. If you're checking your security headers, it's the gold standard.
So why did I build something different? Because headers are only one piece of the puzzle.
What I actually found
I ran 229 sites through both tools and compared the results. The correlation between AmIHackable and Observatory scores was 61%. That means roughly 4 out of 10 sites got significantly different scores from each tool.
Why? Because they're testing different things.
Observatory tests around 10 things, all focused on HTTP security headers. AmIHackable tests 50+ things across a much broader surface: exposed files, JavaScript secrets, SSL configuration, cookie security, email authentication (SPF/DMARC), Supabase and Firebase permissions, CORS misconfigurations, and more.
A concrete example
Take a site with perfect security headers. CSP locked down, HSTS enabled, X-Frame-Options set. Observatory gives it an A+. Deserved.
But that same site has an exposed .env file with database credentials in it. Observatory has no way to know. It doesn't check for that. AmIHackable does, and it flags it immediately.
Another example: playdigious.com scored A+ on Observatory. When we ran it through AmIHackable, we caught issues that header checks simply can't see.
This isn't a criticism of Observatory. It's doing its job perfectly. It's just a narrower job than most people assume.
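To make the "A+ headers, exposed .env" case concrete, here is a small added example (not code from AmIHackable or Observatory) that grades one origin on two independent axes: a header check loosely modelled on what a header scanner looks at, and a file-exposure check over responses you have already collected for your own site. All inputs are constructed samples, the credentials are placeholders, and the six-month HSTS floor is an assumed threshold. The point is that the header axis can come back clean while the exposure axis fails, because nothing in a response header says anything about what is reachable at /.env.

```python
import re

# Constructed sample: response headers from a site with locked-down headers
# (the kind of configuration the text says earns an A+ on Observatory).
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
}

# Constructed sample: a weak header set, for contrast.
SAMPLE_WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=3600",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
}

# Constructed sample: (status, body) the same origin returned for a few
# well-known paths. Credential values are placeholders, not real secrets.
SAMPLE_PATHS = {
    "/.env": (200, "DB_HOST=db.internal\nDB_PASSWORD=placeholder-not-real\nAPP_KEY=placeholder-not-real\n"),
    "/.git/HEAD": (404, "Not Found"),
    "/backup.zip": (404, "Not Found"),
}

ENV_LINE = re.compile(r"^[A-Z][A-Z0-9_]*=", re.MULTILINE)
SIX_MONTHS = 15552000  # assumption: 180 days, used as the HSTS max-age floor


def header_findings(headers):
    """Header-layer checks only: the axis a header scanner grades."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < SIX_MONTHS:
            findings.append("Strict-Transport-Security max-age below six months")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    else:
        if "'unsafe-inline'" in csp:
            findings.append("Content-Security-Policy allows 'unsafe-inline'")
        if re.search(r"(default|script)-src[^;]*\*", csp):
            findings.append("Content-Security-Policy uses a wildcard source")
    if "x-frame-options" not in h and not (csp and "frame-ancestors" in csp):
        findings.append("no clickjacking protection (X-Frame-Options or frame-ancestors)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options missing or not nosniff")
    return findings


def exposure_findings(paths):
    """Exposure-layer checks over already-fetched responses; headers say nothing about these."""
    findings = []
    for path, (status, body) in sorted(paths.items()):
        if status != 200:
            continue
        if path.endswith(".env"):
            n = len(ENV_LINE.findall(body))
            if n:
                findings.append(f"{path} is readable and contains {n} KEY=value line(s)")
                continue
        if path == "/.git/HEAD" and body.startswith("ref:"):
            findings.append(f"{path} is readable: repository metadata exposed")
            continue
        findings.append(f"{path} is reachable (HTTP 200)")
    return findings


def scan(headers, paths):
    """Two independent verdicts for one origin; a clean header grade does not imply a pass."""
    hf = header_findings(headers)
    ef = exposure_findings(paths)
    return {
        "header_grade": "A+" if not hf else "needs work",
        "header_findings": hf,
        "exposure_findings": ef,
        "overall": "pass" if not hf and not ef else "fail",
    }


if __name__ == "__main__":
    import json
    print(json.dumps(scan(SAMPLE_HEADERS, SAMPLE_PATHS), indent=2))
```

Run it as-is and the header axis reports no findings while the exposure axis reports the readable .env file, so the overall verdict is "fail". Swap in SAMPLE_WEAK_HEADERS to see the header axis light up on its own; the two axes never influence each other, which is exactly why two tools focused on different axes disagree on so many sites.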
Side-by-side comparison
| Feature | Mozilla Observatory | AmIHackable |
|---|---|---|
| HTTP security headers | Yes (core focus) | Yes |
| Content Security Policy | Detailed analysis | Basic check |
| Exposed files (.env, .git, backups) | No | Yes |
| JavaScript secrets in source | No | Yes |
| SSL/TLS configuration | No | Yes |
| Cookie security flags | No | Yes |
| Email auth (SPF/DMARC/DKIM) | No | Yes |
| Supabase/Firebase permissions | No | Yes |
| CORS misconfiguration | No | Yes |
| Open ports and services | No | Yes |
| AI-generated fix prompts | No | Yes |
| Price | Free | Scan free, report $9 |
| Open source | Yes | No |
| Setup required | None | None |
When to use Observatory
Use Mozilla Observatory when you want to:
- Audit your security headers specifically. Observatory gives you detailed, actionable feedback on each header. It's more granular than AmIHackable for this particular area.
- Follow Mozilla's recommendations. Their scoring is well-documented and widely respected.
- Get a free, no-strings-attached check. It's open source. No account, no payment, no catch.
If your main concern is browser-level protections (clickjacking, XSS via missing CSP, protocol downgrade attacks), Observatory is your tool.
When to use AmIHackable
Use AmIHackable when you want to:
- Check what's actually exposed. Files, secrets, config issues, backend permissions. The stuff that doesn't show up in headers.
- Get a broader picture in one scan. 50+ checks across your entire public attack surface, not just one category.
- Get fix instructions you can actually use. Each finding comes with an AI-generated prompt you can paste into your coding tool to fix the issue.
If you just shipped a project and want to know "did I leave anything embarrassing in the open," that's what AmIHackable is for.
The honest take
Observatory and AmIHackable are complementary. Run Observatory to nail your headers. Run AmIHackable to catch everything else. The 39% gap in our correlation study? That's the stuff one tool catches and the other doesn't.
Neither tool replaces a full penetration test. But together, they cover a lot more ground than either one alone.
Frequently Asked Questions
- What does Mozilla Observatory test?
- Mozilla Observatory tests around 10 things, all related to HTTP security headers: CSP, HSTS, X-Frame-Options, Referrer-Policy, and similar browser-level protections.
- What does AmIHackable test that Observatory doesn't?
- AmIHackable tests 50+ things including exposed files (.env, .git), JavaScript secrets, SSL configuration, cookie security, email authentication (SPF/DMARC), Supabase and Firebase permissions, and CORS misconfigurations.
- Can a site score A+ on Observatory but still have security issues?
- Yes. Observatory only checks headers. A site with perfect headers but an exposed .env file or leaking API keys would still get A+ from Observatory, while AmIHackable would flag the issues.