Security headers
GET /api/v1/security-headers
Grade a page's HTTP security headers — HSTS, CSP, X-Frame-Options and the rest — like securityheaders.com, plus mixed-content and cache/compression checks. Something the SEO tools don't offer for free.
Query parameters
| Name | Type | Description |
|---|---|---|
| url (required) | string | The URL to check. |
| key | string | Your API key. Optional for light use; raises your rate limit. |
Request
Response
200 · application/json
```json
{
  "url": "https://example.com",
  "https": true,
  "grade": "E",
  "score": 12,
  "headers": {
    "strictTransportSecurity": null,
    "contentSecurityPolicy": null,
    "xContentTypeOptions": "nosniff",
    "xFrameOptions": null,
    "referrerPolicy": null,
    "permissionsPolicy": null,
    "crossOriginOpenerPolicy": null,
    "crossOriginEmbedderPolicy": null,
    "crossOriginResourcePolicy": null
  },
  "cspWeaknesses": [],
  "missing": ["strictTransportSecurity", "contentSecurityPolicy", "xFrameOptions", "referrerPolicy"],
  "transport": {
    "compression": "br",
    "cacheControl": "max-age=3600",
    "etag": "\"abc\"",
    "lastModified": null,
    "server": "cloudflare"
  },
  "issues": {
    "noHsts": true,
    "noCsp": true,
    "mixedContentCount": 0,
    "mixedContent": [],
    "unsafeTargetBlank": 2
  }
}
```
Response fields
| Field | Type | Description |
|---|---|---|
| https | boolean | Whether the page was served over HTTPS. |
| grade | string | Overall grade A–F from the weighted presence of the core headers. Serving over plain HTTP caps the grade hard. |
| score | integer | 0–100 score behind the grade: weighted presence of the core security headers, with only partial credit for a weak CSP. |
| headers.strictTransportSecurity | string | The Strict-Transport-Security (HSTS) header value, or null if absent. |
| headers.contentSecurityPolicy | string | The Content-Security-Policy header value, or null. |
| headers.xContentTypeOptions | string | The X-Content-Type-Options header (e.g. nosniff), or null. |
| headers.xFrameOptions | string | The X-Frame-Options header, or null. |
| headers.referrerPolicy | string | The Referrer-Policy header, or null. |
| headers.permissionsPolicy | string | The Permissions-Policy (or legacy Feature-Policy) header, or null. |
| headers.crossOriginOpenerPolicy | string | The Cross-Origin-Opener-Policy header, or null. |
| headers.crossOriginEmbedderPolicy | string | The Cross-Origin-Embedder-Policy header, or null. |
| headers.crossOriginResourcePolicy | string | The Cross-Origin-Resource-Policy header, or null. |
| cspWeaknesses | array | Flags for a weak CSP: unsafe-inline, unsafe-eval, missing default-src/script-src, or wildcard sources. |
| missing | array | The core headers that are absent. |
| transport.compression | string | The Content-Encoding (e.g. br, gzip), or null. May be null because our fetcher requests identity encoding. |
| transport.cacheControl | string | The Cache-Control header, or null. |
| transport.etag | string | The ETag header, or null. |
| transport.lastModified | string | The Last-Modified header, or null. |
| transport.server | string | The Server header, or null. |
| issues.mixedContent | array | HTTP sub-resources loaded on an HTTPS page (insecure mixed content). |
| issues.unsafeTargetBlank | integer | Count of target="_blank" links missing rel="noopener". |
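To show what the four cspWeaknesses classes above mean in practice, here is a small local checker that parses a Content-Security-Policy value and flags the same weakness types. It is an added example, not the API's own scoring code; the flag names, the script-src to default-src fallback and the 'strict-dynamic' rule are our assumptions.

```python
# Added example: local CSP checker mirroring the cspWeaknesses classes
# (unsafe-inline, unsafe-eval, missing default-src/script-src, wildcard
# sources). Not the API's code; flag names below are our own.
from typing import Dict, List


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens:
            # Browsers keep the first occurrence of a duplicated directive.
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def csp_weaknesses(header: str) -> List[str]:
    """Return weakness flags for a CSP header value (assumed flag names)."""
    policy = parse_csp(header)
    flags: List[str] = []
    if "default-src" not in policy:
        flags.append("missing-default-src")
    # script-src falls back to default-src; with neither, scripts are unrestricted.
    script = policy.get("script-src", policy.get("default-src"))
    if script is None:
        flags.append("missing-script-src")
    else:
        # Under 'strict-dynamic' browsers ignore 'unsafe-inline', so only
        # flag it when it actually takes effect.
        if "'unsafe-inline'" in script and "'strict-dynamic'" not in script:
            flags.append("unsafe-inline")
        if "'unsafe-eval'" in script:
            flags.append("unsafe-eval")
    for name, sources in policy.items():
        # '*' or a bare scheme (https:) allows any host for that directive.
        if name.endswith("-src") and any(s in ("*", "http:", "https:") for s in sources):
            flags.append(f"wildcard-source:{name}")
    return flags


# Constructed sample policies, not taken from any real site.
if __name__ == "__main__":
    weak = "default-src *; script-src 'self' 'unsafe-inline' 'unsafe-eval' https:"
    strong = "default-src 'none'; script-src 'nonce-abc' 'strict-dynamic'; img-src 'self'"
    print(csp_weaknesses(weak))    # four flags
    print(csp_weaknesses(strong))  # []
```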
For full rendered performance, use Lighthouse. See Errors for status codes.