Other endpoints

Scan a URL's HTTP security headers

GET

https://security-headers-api.p.rapidapi.com

/v1/scan

Fetches the target URL with a GET request (following redirects), inspects the response headers, and returns a weighted 0-100 security score, an A+ to F grade, the present/missing header map, and a severity-sorted list of recommendations.

Scan a URL's HTTP security headers › query Parameters

url

string · required

Target page URL. Accepts values with or without a scheme (https:// is assumed when omitted). Must resolve to a valid http(s) URL with a host.

Example: https://example.com

timeout_ms

integer · min: 1000 · max: 15000

Upstream fetch timeout in milliseconds. Default 10000, clamped to the range 1000..15000.

Example: 10000

Default: 10000

Scan a URL's HTTP security headers › Responses

Scan completed successfully.

ScanResult

url

string · required

The normalized requested URL.

Example: https://example.com

final_url

string · required

The URL after following redirects.

Example: https://example.com/

status

integer · required

HTTP status code of the final response.

Example: 200

score

integer · min: 0 · max: 100 · required

Weighted security score.

Example: 72

grade

string · enum · required

Letter grade derived from the score.

Enum values:

A+

Example: C

object · required

Canonical header name -> returned value for headers that were present.

Example: {"Strict-Transport-Security":"max-age=31536000; includeSubDomains; preload","X-Content-Type-Options":"nosniff","X-Frame-Options":"SAMEORIGIN"}

missing

string[] · required

Canonical names of evaluated headers that were absent.

Example: ["Content-Security-Policy","Permissions-Policy"]

Recommendation[] · required

Severity-sorted list of remediation guidance.

GET/v1/scan

curl 'https://security-headers-api.p.rapidapi.com/v1/scan?url=<string>' \
  --header 'X-RapidAPI-Key: <api-key>'

Example Responses

{
  "url": "https://example.com",
  "final_url": "https://example.com/",
  "status": 200,
  "score": 72,
  "grade": "C",
  "present": {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "SAMEORIGIN",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Server": "cloudflare"
  },
  "missing": [
    "Content-Security-Policy",
    "Permissions-Policy",
    "Cross-Origin-Opener-Policy",
    "Cross-Origin-Resource-Policy"
  ],
  "recommendations": [
    {
      "title": "Add a Content-Security-Policy",
      "severity": "High",
      "description": "No Content-Security-Policy header was returned. CSP is the strongest defense against cross-site scripting (XSS) and data-injection attacks.",
      "header": "Content-Security-Policy"
    },
    {
      "title": "Add Cross-Origin-Opener-Policy",
      "severity": "Medium",
      "description": "Cross-Origin-Opener-Policy: same-origin isolates your browsing context group and mitigates cross-window attacks.",
      "header": "Cross-Origin-Opener-Policy"
    },
    {
      "title": "Server header reveals software details",
      "severity": "Info",
      "description": "The Server header discloses the web server in use. Where possible, suppress or genericize it to reduce fingerprinting.",
      "header": "Server"
    }
  ]
}

json

application/json

Scan a URL's HTTP security headers

GET

https://security-headers-api.p.rapidapi.com

/v1/scan

Scan a URL's HTTP security headers › query Parameters

url

string · required

Target page URL. Accepts values with or without a scheme (https:// is assumed when omitted). Must resolve to a valid http(s) URL with a host.

Example: https://example.com

timeout_ms

integer · min: 1000 · max: 15000

Upstream fetch timeout in milliseconds. Default 10000, clamped to the range 1000..15000.

Example: 10000

Default: 10000

Scan a URL's HTTP security headers › Responses

Scan completed successfully.

ScanResult

url

string · required

The normalized requested URL.

Example: https://example.com

final_url

string · required

The URL after following redirects.

Example: https://example.com/

status

integer · required

HTTP status code of the final response.

Example: 200

score

integer · min: 0 · max: 100 · required

Weighted security score.

Example: 72

grade

string · enum · required

Letter grade derived from the score.

Enum values:

A+

Example: C

object · required

Canonical header name -> returned value for headers that were present.

Example: {"Strict-Transport-Security":"max-age=31536000; includeSubDomains; preload","X-Content-Type-Options":"nosniff","X-Frame-Options":"SAMEORIGIN"}

missing

string[] · required

Canonical names of evaluated headers that were absent.

Example: ["Content-Security-Policy","Permissions-Policy"]

Recommendation[] · required

Severity-sorted list of remediation guidance.