Your field service software holds a lot: customer names, home addresses, phone numbers, payment details, job history. If the platform you're trusting with that data isn't taking basic security seriously — your customers' information is at risk.
We ran a security header scan on the six biggest names in field service dispatch software: ServiceTitan, Jobber, HousecallPro, Workiz, FieldPulse, and FieldEdge. Security headers are one of the most basic, most visible indicators of how seriously a software company takes protecting the data that flows through their platform. They take about 10 minutes to set up correctly. And yet.
Here's what we found.
What Are Security Headers and Why Do They Matter?
Security headers are instructions that a website or app sends to your browser telling it how to handle your data. They prevent common attacks like clickjacking (someone embedding the app in a fake page to steal your login), MIME sniffing (tricking your browser into running malicious files), and cross-site scripting attacks that can steal session cookies or customer data.
They don't cost anything to implement. They're industry standard. Every serious software platform should have them. And they're publicly visible — anyone can check them in seconds using a free tool like securityheaders.com.
We scanned the app subdomain for each platform — that's where your actual customer data lives, where your technicians log in, where payments are processed. Not just the marketing homepage.
The Results
| Platform | Security Grade | Verdict |
|---|---|---|
| Vortech Pro | A | All critical headers present |
| ServiceTitan | A | Strong, minor gaps |
| Jobber | B | Adequate but missing headers |
| Workiz | D | Multiple critical headers missing |
| FieldPulse | D | Multiple critical headers missing |
| FieldEdge | D | Multiple critical headers missing |
| HousecallPro | F | Failing — significant exposure |
Four out of seven platforms — including HousecallPro, one of the most widely used field service apps in the country — are failing basic security checks on the very subdomain where your technicians log in and your customers' data is stored.
Platform by Platform
Vortech Pro — A
All five critical security headers are present and configured correctly. HSTS enforces HTTPS, X-Frame-Options blocks clickjacking, X-Content-Type-Options prevents MIME sniffing, Referrer-Policy controls data leakage between sites, and Permissions-Policy restricts unnecessary browser feature access.
ServiceTitan — A
ServiceTitan scores very well. At a $9.5B valuation you'd expect them to have this dialed in, and they mostly do. They're missing Permissions-Policy which controls browser features like camera and microphone access — a newer header, but one that matters for field apps where technicians use cameras on the job.
Jobber — B
Jobber passes the basics but is missing some headers that have been industry standard for years. A B grade is adequate but not impressive for a platform handling payment data and customer home addresses across hundreds of thousands of jobs. If you're looking at Jobber alternatives, this is one more thing to consider.
Workiz — D
A D grade means multiple critical security headers are missing from the platform where your technicians log in and customer data is stored. Workiz markets heavily to locksmiths and HVAC companies — trades that handle sensitive residential access. Their customers deserve better.
FieldPulse — D
Same story as Workiz. FieldPulse positions itself as a modern, mobile-first platform. Missing basic security headers on your app subdomain is not a modern approach to protecting customer data.
FieldEdge — D
FieldEdge is used heavily by HVAC companies. The platform has been around for years. There's no excuse for a D grade on security headers in 2026 — this is not new technology, it takes minutes to configure, and it protects your customers' home addresses and service histories.
HousecallPro — F
HousecallPro is one of the most widely used field service platforms in North America. They have raised over $65 million in funding. And their app subdomain — where your technicians log in, where customers get billed, where job records are stored — is failing basic security checks.
An F grade on securityheaders.com means multiple critical protections are missing. For a platform handling payment data, customer home addresses, and technician GPS locations — this is not acceptable.
What This Means for Your Business
If your dispatch software gets breached and customer data leaks, that's your business on the line — not the software company's. Your customers trusted you with their address. Their credit card was charged through your tech's phone. Your name is on that invoice.
Security headers are not the only measure of a platform's security — there are many layers to data protection. But they are the most visible, easiest-to-check, zero-cost indicator of whether a company is paying attention to security basics. A platform that can't get this right is a platform that may be cutting corners elsewhere too.
When you're choosing dispatch software for your locksmith business, HVAC company, or plumbing operation — ask the vendor about their security posture. Check their app subdomain yourself at securityheaders.com. It takes 30 seconds and tells you a lot about how seriously they take protecting your data.
Why We Built Vortech Pro Differently
Vortech Pro is built by a solo developer — not a $65M funded startup. And yet our app subdomain scores an A on security headers while HousecallPro scores an F. That's not a coincidence. It's a choice.
Every technician login, every job record, every in-field card payment processed through Stripe Connect is protected by a platform that takes security seriously from day one. We also score 99/100 on Google PageSpeed — meaning the app loads fast on mobile, which matters when your tech is standing on a customer's doorstep trying to process a payment.
Fast. Secure. Built for trades. That's what Vortech Pro is.
Try the Most Secure Field Service Platform
30-day free trial. No credit card required. Works for locksmiths, HVAC, plumbers, electricians and 25+ other trades.
START FREE TRIAL →How to Check Your Current Software
If you're already using a field service platform and want to check it yourself, go to securityheaders.com and enter your platform's app URL. Look for the grade at the top. Anything below a B on the subdomain where your data lives is a conversation worth having with your vendor.
You can also check your own website while you're there — if you have a customer portal, booking page, or payment link, those should be secured too.
