# Security Headers API
> Fetch any URL and analyse its HTTP response security headers — grading the site A+ to F the way securityheaders.com and Mozilla Observatory do. Pass a URL and the service makes the request server-side (following redirects), then reports which protective headers are present, which are missing (with concrete remediation advice) and which response headers leak information. Graded headers include Strict-Transport-Security (HSTS), Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy and Cross-Origin-Opener-Policy; information-leak headers include Server and X-Powered-By. A companion endpoint returns every raw response header. Private and internal targets are refused (SSRF-guarded). Built for security audits, CI/CD security gates, attack-surface reviews and compliance checks. A security-header grader — distinct from the SSL/TLS certificate check (sslcheck), host reachability (hostcheck), the IANA HTTP status-code reference (http) and the on-page SEO audit (seo). No upstream key, no cache.

## Authentication
All requests require your oanor API key in the `x-oanor-key` header. Get one at https://www.oanor.com/developer/keys.

```bash
curl -H "x-oanor-key: oanor_live_…" "https://api.oanor.com/secheaders-api/..."
```

## Pricing
- **Free** (Free) — 2,520 calls/Mo, 2 req/s
- **Starter** ($7/Mo) — 50,500 calls/Mo, 8 req/s
- **Pro** ($22/Mo) — 252,000 calls/Mo, 20 req/s
- **Mega** ($59/Mo) — 910,000 calls/Mo, 50 req/s

## Endpoints

### Security Headers

#### `GET /v1/analyze` — Grade a site's security headers

**Parameters:**
- `url` (query, required, string) — URL to analyse. Example: `https://example.com`

**Example:**
```bash
curl -H "x-oanor-key: $KEY" \
  "https://api.oanor.com/secheaders-api/v1/analyze?url=https%3A%2F%2Fexample.com"
```

**Response:**
```json
{
    "data": {
        "url": "https://example.com/",
        "grade": "F",
        "score": 0,
        "status": 200,
        "missing": [
            {
                "advice": "Enforce HTTPS with HSTS (e.g. max-age=31536000; includeSubDomains).",
                "header": "Strict-Transport-Security"
            },
            {
                "advice": "Define a CSP to mitigate XSS and data-injection.",
                "header": "Content-Security-Policy"
            },
            {
                "advice": "Set 'nosniff' to stop MIME-type sniffing.",
                "header": "X-Content-Type-Options"
            },
            {
                "advice": "Set DENY/SAMEORIGIN (or CSP frame-ancestors) to prevent clickjacking.",
                "header": "X-Frame-Options"
            },
            {
                "advice": "Set a Referrer-Policy (e.g. strict-origin-when-cross-origin).",
                "header": "Referrer-Policy"
            },
            {
                "advice": "Restrict powerful features with a Permissions-Policy.",
                "header": "Permissions-Policy"
            },
            {
                "advice": "Set COOP (e.g. same-origin) for cross-origin isolation.",
                "header": "Cross-Origin-Opener-Policy"
            }
        ],
        "percent": 0,
        "present": [],
        "summary": "0/7 key security headers present; grade F (0%)",
        "final_url": "https://example.com/",
        "max_score": 100,
        "i
…(truncated, see openapi.json for full schema)
```
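The response above is what a CI security gate consumes: `grade`, `score`/`max_score`, the `missing` list with its remediation advice, and `final_url` (the service follows redirects, so the headers graded are those of the final response). The script below is an added example of such a gate, not code from the page or from oanor: it fails the build when the grade is below a minimum, when a header the team has declared mandatory is missing, or when the redirect chain ends on plain HTTP, and it fails closed on an unsuccessful envelope. The `OANOR_KEY` environment variable, the policy thresholds and the exit codes are this example's own choices; the two sample envelopes are constructed in the documented shape for an offline run.

```python
"""CI gate over a /v1/analyze response (added example, not oanor's code).
Assumed, not on the page: the OANOR_KEY variable, the minimum-grade and
required-header policy, and the exit codes. Response shape is the documented one."""
import json
import os
import sys
import urllib.parse
import urllib.request

# Grade scale exactly as /v1/meta lists it, reordered worst to best.
GRADE_ORDER = ["F", "D", "C", "B", "A", "A+"]

def grade_at_least(grade, minimum):
    """True if `grade` is at least as good as `minimum` on the scale above."""
    return GRADE_ORDER.index(grade) >= GRADE_ORDER.index(minimum)

def evaluate(response, minimum_grade="B",
             required=("Strict-Transport-Security", "Content-Security-Policy")):
    """Apply the gate policy to a /v1/analyze envelope; returns (passed, reasons).
    Fails closed: an unsuccessful envelope or an unknown grade is never a pass."""
    if not response.get("success", False):
        return False, [f"API call not successful: {response.get('message', 'no message')}"]
    data = response["data"]
    grade = data["grade"]
    if grade not in GRADE_ORDER:
        return False, [f"unknown grade {grade!r}"]
    reasons = []
    if not grade_at_least(grade, minimum_grade):
        reasons.append(f"grade {grade} is below the required {minimum_grade} "
                       f"({data['score']}/{data['max_score']})")
    # Each `missing` entry carries the header name and the API's remediation
    # advice, so the failure message can quote the fix directly.
    missing = {m["header"]: m["advice"] for m in data.get("missing", [])}
    for header in required:
        if header in missing:
            reasons.append(f"required header {header} missing: {missing[header]}")
    # The service follows redirects; a chain that ends on plain HTTP means the
    # headers on that final response protect nothing.
    if data.get("final_url", "").startswith("http://"):
        reasons.append(f"final URL is plain HTTP: {data['final_url']}")
    return not reasons, reasons

def fetch_analysis(url, api_key, base="https://api.oanor.com/secheaders-api"):
    """Call /v1/analyze with the key in x-oanor-key, as the page documents."""
    query = urllib.parse.urlencode({"url": url})
    req = urllib.request.Request(f"{base}/v1/analyze?{query}",
                                 headers={"x-oanor-key": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

# Constructed sample envelopes in the documented shape; values are made up so
# the gate runs offline (`present` is omitted: the gate reads only `missing`).
SAMPLE_WEAK = {
    "success": True, "status": "ok", "message": "constructed sample",
    "data": {
        "url": "https://app.example/", "final_url": "https://app.example/",
        "status": 200, "grade": "C", "score": 50, "max_score": 100, "percent": 50,
        "missing": [
            {"header": "Content-Security-Policy",
             "advice": "Define a CSP to mitigate XSS and data-injection."},
            {"header": "Permissions-Policy",
             "advice": "Restrict powerful features with a Permissions-Policy."},
            {"header": "Cross-Origin-Opener-Policy",
             "advice": "Set COOP (e.g. same-origin) for cross-origin isolation."},
        ],
    },
}
SAMPLE_STRONG = {
    "success": True, "status": "ok", "message": "constructed sample",
    "data": {
        "url": "https://app.example/", "final_url": "https://app.example/",
        "status": 200, "grade": "A", "score": 90, "max_score": 100, "percent": 90,
        "missing": [{"header": "Cross-Origin-Opener-Policy",
                     "advice": "Set COOP (e.g. same-origin) for cross-origin isolation."}],
    },
}

def main(argv):
    """Live call when a URL and OANOR_KEY are given; otherwise the offline sample."""
    if len(argv) > 1 and os.environ.get("OANOR_KEY"):
        response = fetch_analysis(argv[1], os.environ["OANOR_KEY"])
    else:
        response = SAMPLE_WEAK
    passed, reasons = evaluate(response)
    print("PASS" if passed else "FAIL", response.get("data", {}).get("final_url", "?"))
    for reason in reasons:
        print(" -", reason)
    return 0 if passed else 1

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `OANOR_KEY=… python gate.py https://app.example` in a pipeline step and let the non-zero exit block the deploy. Keep `required` to the headers whose absence is a hard failure for your application; the grade threshold catches the rest without making the gate brittle on every advisory header.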

#### `GET /v1/headers` — All raw response headers

**Parameters:**
- `url` (query, required, string) — URL to fetch. Example: `https://example.com`

**Example:**
```bash
curl -H "x-oanor-key: $KEY" \
  "https://api.oanor.com/secheaders-api/v1/headers?url=https%3A%2F%2Fexample.com"
```

**Response:**
```json
{
    "data": {
        "url": "https://example.com/",
        "status": 200,
        "headers": {
            "age": "7",
            "date": "Mon, 01 Jun 2026 23:40:51 GMT",
            "allow": "GET, HEAD",
            "cf-ray": "a05210d53fd38c46-FRA",
            "server": "cloudflare",
            "connection": "keep-alive",
            "content-type": "text/html",
            "last-modified": "Thu, 28 May 2026 18:39:43 GMT",
            "cf-cache-status": "HIT",
            "content-encoding": "gzip",
            "transfer-encoding": "chunked"
        },
        "final_url": "https://example.com/"
    },
    "meta": {
        "timestamp": "2026-06-01T23:40:51.399Z",
        "request_id": "008c42ab-53c7-42a4-8363-14d827bd6dd3"
    },
    "status": "ok",
    "message": "Response headers retrieved",
    "success": true
}
```
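The grade from `/v1/analyze` counts whether each of the seven headers is present; the raw `data.headers` dict from `/v1/headers` is what you need to check the values, which is where most real misconfigurations hide (an HSTS `max-age` of a few minutes, a CSP whose `script-src` allows `'unsafe-inline'`, a `Server` banner). The checker below is an added example, not code from the page or from oanor. It uses the page's graded-header set and its two leak headers as-is; the thresholds it applies (a one-year HSTS `max-age`, the CSP sources and Referrer-Policy value treated as weak) are this example's own choices, not the API's grading rules. It is run against the page's example.com headers, copied from the response above, and against a constructed site that has every graded header present yet still fails on values.

```python
"""Value-level checks over the raw headers from /v1/headers (added example,
not oanor's code). Header names are the page's graded set and leak headers;
the thresholds below are this example's choices, not the API's rules."""
import re

GRADED = ["Strict-Transport-Security", "Content-Security-Policy",
          "X-Content-Type-Options", "X-Frame-Options", "Referrer-Policy",
          "Permissions-Policy", "Cross-Origin-Opener-Policy"]
LEAKY = ["Server", "X-Powered-By"]
ONE_YEAR = 31536000  # the max-age in the page's own HSTS advice

def check_headers(headers):
    """Return (header, level, detail) findings for a `data.headers` dict.
    /v1/headers returns lower-case names, so lookups are normalised. level is
    "missing" (what the grade counts), "weak" (present, value gives little
    or no protection) or "leak"."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    out = []
    for name in GRADED:
        if name.lower() not in h:
            out.append((name, "missing", "header not set"))
    hsts = h.get("strict-transport-security")
    if hsts is not None:
        m = re.search(r"max-age\s*=\s*(\d+)", hsts, re.I)
        if not m or int(m.group(1)) < ONE_YEAR:
            out.append(("Strict-Transport-Security", "weak",
                        f"max-age under one year: {hsts}"))
        if "includesubdomains" not in hsts.lower():
            out.append(("Strict-Transport-Security", "weak", "includeSubDomains not set"))
    csp = h.get("content-security-policy")
    if csp is not None:
        # Script sources that allow inline script or any host do not mitigate
        # XSS, however long the rest of the policy is.
        for directive in ("default-src", "script-src"):
            m = re.search(rf"(?:^|;)\s*{directive}\s+([^;]*)", csp, re.I)
            if m and ("'unsafe-inline'" in m.group(1).lower()
                      or "*" in m.group(1).split()):
                out.append(("Content-Security-Policy", "weak",
                            f"{directive} allows 'unsafe-inline' or *"))
    xcto = h.get("x-content-type-options")
    if xcto is not None and xcto.lower() != "nosniff":
        out.append(("X-Content-Type-Options", "weak", f"expected nosniff, got {xcto!r}"))
    xfo = h.get("x-frame-options")
    if xfo is not None and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        out.append(("X-Frame-Options", "weak", f"unsupported value {xfo!r}"))
    rp = h.get("referrer-policy")
    if rp is not None and "unsafe-url" in rp.lower():
        out.append(("Referrer-Policy", "weak", "unsafe-url sends the full URL cross-origin"))
    coop = h.get("cross-origin-opener-policy")
    if coop is not None and coop.lower() == "unsafe-none":
        out.append(("Cross-Origin-Opener-Policy", "weak", "unsafe-none gives no isolation"))
    for name in LEAKY:
        if name.lower() in h:
            out.append((name, "leak", h[name.lower()]))
    return out

# The page's own /v1/headers example for example.com, copied as-is.
PAGE_EXAMPLE = {
    "age": "7", "date": "Mon, 01 Jun 2026 23:40:51 GMT", "allow": "GET, HEAD",
    "cf-ray": "a05210d53fd38c46-FRA", "server": "cloudflare",
    "connection": "keep-alive", "content-type": "text/html",
    "last-modified": "Thu, 28 May 2026 18:39:43 GMT", "cf-cache-status": "HIT",
    "content-encoding": "gzip", "transfer-encoding": "chunked",
}
# Constructed: every graded header present, so a presence-only grade is high,
# yet the HSTS and CSP values are weak and X-Powered-By names the framework.
FLAWED_EXAMPLE = {
    "strict-transport-security": "max-age=300",
    "content-security-policy":
        "default-src 'self'; script-src 'self' 'unsafe-inline'; frame-ancestors 'none'",
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
    "referrer-policy": "strict-origin-when-cross-origin",
    "permissions-policy": "camera=(), microphone=(), geolocation=()",
    "cross-origin-opener-policy": "same-origin",
    "x-powered-by": "Express",
}

if __name__ == "__main__":
    for label, hdrs in (("example.com (page sample)", PAGE_EXAMPLE),
                        ("constructed flawed site", FLAWED_EXAMPLE)):
        print(label)
        for header, level, detail in check_headers(hdrs):
            print(f"  [{level}] {header}: {detail}")
```

For the page's example.com sample this reports the same seven missing headers the `/v1/analyze` response lists plus the `Server: cloudflare` leak; for the constructed site it reports nothing missing but two weak HSTS findings, a weak CSP and the `X-Powered-By` leak, which is exactly the gap between "header present" and "header effective".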

### Meta

#### `GET /v1/meta` — Graded headers & grade scale

**Example:**
```bash
curl -H "x-oanor-key: $KEY" \
  "https://api.oanor.com/secheaders-api/v1/meta"
```

**Response:**
```json
{
    "data": {
        "note": "Fetch any URL and analyse its HTTP response security headers, the way securityheaders.com and Mozilla Observatory do. /v1/analyze?url=https://example.com grades the site A+ to F from the protective headers it sets — Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy and Cross-Origin-Opener-Policy — listing which are present, which are missing (with remediation advice) and which response headers leak information (Server, X-Powered-By…). /v1/headers returns every raw response header. The request is made server-side and follows redirects; private/internal targets are refused (SSRF-guarded). Ideal for security audits, CI gates, attack-surface reviews and compliance checks. A security-header grader — distinct from the SSL/TLS certificate check (sslcheck), host reachability (hostcheck), the IANA HTTP status-code reference (http) and the on-page SEO audit (seo). No key, no cache.",
        "grades": [
            "A+",
            "A",
            "B",
            "C",
            "D",
            "F"
        ],
        "endpoints": [
            "/v1/analyze",
            "/v1/headers",
            "/v1/meta"
        ],
        "graded_headers": [
            {
                "header": "Strict-Transport-Security",
                "weight": 25
            },
            {
                "header": "Content-Security-Policy",
                "weight": 25
            
…(truncated, see openapi.json for full schema)
```


---
Marketplace page: https://www.oanor.com/api/secheaders-api
OpenAPI spec: https://www.oanor.com/api/secheaders-api/openapi.json
