diff --git a/README.md b/README.md index 2045d4a..b870f17 100644 --- a/README.md +++ b/README.md @@ -24,7 +24,7 @@ sif is a modular pentesting toolkit written in go. it's designed to be fast, concurrent, and extensible. run multiple scan types against targets with a single command. ```bash -./sif -u https://example.com -all +./sif -u https://example.com -headers -sh -cms -framework -git ``` ## install @@ -56,7 +56,7 @@ environment.systemPackages = [ pkgs.sif ]; nix profile install nixpkgs#sif # or just run it without installing -nix run nixpkgs#sif -- -u https://example.com -all +nix run nixpkgs#sif -- -u https://example.com -headers -sh -framework ``` the repo also ships a flake if you want to build from source: @@ -125,8 +125,8 @@ makepkg -si # framework detection (with cve lookup) ./sif -u https://example.com -framework -# everything -./sif -u https://example.com -all +# a broad sweep +./sif -u https://example.com -dirlist small -dnslist small -ports common -headers -sh -cms -framework -git -whois ``` run `./sif -h` for all options. @@ -147,6 +147,7 @@ sif has a modular architecture. modules are defined in yaml and can be extended | `-js` | javascript analysis | | `-c3` | cloud storage misconfiguration | | `-headers` | http header analysis | +| `-sh` | security header analysis (missing/weak headers) | | `-st` | subdomain takeover detection | | `-cms` | cms detection | | `-whois` | whois lookups | diff --git a/docs/development.md b/docs/development.md index 6c839f8..0b3ef69 100644 --- a/docs/development.md +++ b/docs/development.md @@ -4,7 +4,7 @@ setting up a development environment for sif. ## prerequisites -- go 1.23 or later +- go 1.25 or later - git - make 
@@ -28,8 +28,7 @@ sif/ │ ├── logger/ # logging utilities │ ├── modules/ # module system │ ├── scan/ # built-in scans -│ ├── styles/ # terminal styling -│ └── worker/ # worker pool +│ └── styles/ # terminal styling ├── modules/ # built-in yaml modules │ ├── http/ # http-based modules │ ├── info/ # information gathering diff --git a/docs/installation.md b/docs/installation.md index 05165a1..29b26b1 100644 --- a/docs/installation.md +++ b/docs/installation.md @@ -36,7 +36,7 @@ download `sif-windows-amd64.exe` from releases and add to your PATH. ## from source -requires go 1.23+ +requires go 1.25+ ```bash git clone https://github.com/dropalldatabases/sif.git diff --git a/docs/scans.md b/docs/scans.md index 08c5493..6ceadff 100644 --- a/docs/scans.md +++ b/docs/scans.md @@ -98,16 +98,27 @@ analyzes javascript files for security issues. ## http headers (-headers) -analyzes security headers. +dumps the target's response headers. + +## security headers (-sh) + +flags missing or weak security headers and headers that leak server internals. ### checks +- strict-transport-security (https only) - content-security-policy - x-frame-options -- x-content-type-options -- strict-transport-security -- x-xss-protection +- x-content-type-options (expects nosniff) +- referrer-policy - permissions-policy +- cross-origin-opener-policy + +### flagged as disclosure + +- server +- x-powered-by +- x-aspnet-version / x-aspnetmvc-version ## cms detection (-cms) diff --git a/docs/usage.md b/docs/usage.md index cb5480c..1616617 100644 --- a/docs/usage.md +++ b/docs/usage.md 
@@ -95,12 +95,20 @@ scopes: `common` (top ports), `full` (all ports) ### http headers -`-headers` - analyze security headers +`-headers` - dump the target's response headers ```bash ./sif -u https://example.com -headers ``` +### security headers + +`-sh` - flag missing/weak security headers (hsts, csp, x-frame-options, ...) and headers that leak server internals + +```bash +./sif -u https://example.com -sh +``` + ### cloud storage `-c3` - check for cloud storage misconfigurations
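Review bot: In the README hunk at @@ -24, the `-all` example is replaced by an explicit flag list, and the same substitution appears in the @@ -56 and @@ -125 hunks, but nothing in the diff says whether `-all` was removed or merely discouraged. If the flag is gone, the usage docs (and the `./sif -h` reference) should say so in one line, e.g. "`-all` has been removed; select scans explicitly", otherwise anyone with a wrapper script that passes `-all` will only learn about it from an argument-parsing error.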
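Review bot: In the README hunk at @@ -125, the new comment "a broad sweep" hides that the example mixes request-level checks with scans that add enumeration traffic against the target (`-dirlist small`, `-dnslist small`, `-ports common`). Suggest splitting the example into two commented lines, for instance `# header, cms and framework checks` over `-headers -sh -cms -framework -whois` and `# plus directory, dns and port enumeration (slower, noisier)` over the rest, so a reader choosing flags for a scoped engagement can see which ones change the footprint.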
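Review bot: In the README module table hunk at @@ -147, the new `-sh` row sits next to an unchanged `-headers` row still described as "http header analysis", while docs/scans.md in this same diff redefines `-headers` as "dumps the target's response headers". Update the `-headers` row to match, e.g. `| `-headers` | dump response headers |`, so the table does not read as two modules doing the same analysis.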
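Review bot: The go version bump in docs/development.md @@ -4 (and the matching one in docs/installation.md @@ -36) has no go.mod change in this diff. Confirm that the `go` directive in go.mod is also 1.25; if the docs and the module file disagree, one of them is wrong about the minimum toolchain. It would also help to state in the commit message which change requires 1.25, since the diff itself shows only documentation edits.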
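Review bot: In docs/development.md @@ -28, the `worker/ # worker pool` entry is dropped from the tree, but no source deletion appears in this diff and the README hunk at @@ -24 still advertises sif as "concurrent". Either the worker package removal belongs in this change set, or the development doc should say where the concurrency now lives so contributors know which package to look at.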
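Review bot: In docs/scans.md @@ -98, the new `-sh` section promises to flag "missing or weak" headers, but the checks list only defines the pass condition for one of them (`x-content-type-options (expects nosniff)`). Document the criterion for each check so findings are reproducible: what makes a content-security-policy or permissions-policy value "weak", which x-frame-options values pass, and which referrer-policy and cross-origin-opener-policy values are accepted. The `strict-transport-security (https only)` annotation is also ambiguous: say whether a plain-http target is skipped for that check or reported as missing, since those two readings lead to different results on the same host.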
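Review bot: In docs/usage.md @@ -95, the new `-sh` entry and the rewritten `-headers` entry do not say whether either flag implies the other; the README examples in this diff pass both (`-headers -sh`), which suggests they are independent. If that is the behaviour, one sentence such as "`-sh` evaluates the headers without printing them; add `-headers` to see the raw values" would remove the ambiguity.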