#http

Fetch any URL and analyse its HTTP response security headers — grading the site A+ to F the way securityheaders.com and Mozilla Observatory do. Pass a URL and the service makes the request server-side (following redirects), then reports which protective headers are present, which are missing (with concrete remediation advice) and which response headers leak information. Graded headers include Strict-Transport-Security (HSTS), Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy and Cross-Origin-Opener-Policy; information-leak headers include Server and X-Powered-By. A companion endpoint returns every raw response header. Private and internal targets are refused (SSRF-guarded). Built for security audits, CI/CD security gates, attack-surface reviews and compliance checks. A security-header grader — distinct from the SSL/TLS certificate check (sslcheck), host reachability (hostcheck), the IANA HTTP status-code reference (http) and the on-page SEO audit (seo). No upstream key, no cache.

api.oanor.com/secheaders-api

A clean, programmatic reference for HTTP semantics, built on the official IANA registries. Look up any status code with its reason phrase and class (404 → Not Found, Client Error; 503 → Service Unavailable, Server Error), list a whole class (4xx, 5xx…); look up any method with its safe/idempotent flags (GET → safe + idempotent, POST → neither, DELETE → idempotent); or look up / search the 255 registered HTTP header fields (Content-Type, Authorization, …) with their registration status. Ideal for API tooling, HTTP clients, documentation, linters, learning resources and error pages.

api.oanor.com/http-api