Automate Website Security Audits with an API (2026)
Manual security audits do not scale. You can check one website's headers in a browser tab, but what about 50 websites? 500? What about checking every deploy automatically?
The DetectZeStack API lets you automate three layers of website security auditing — security headers, SSL/TLS certificates, and known vulnerability scanning — with simple HTTP requests. This guide shows you how to integrate each one into your workflow.
Why Automate Now: The SecurityHeaders.com Shutdown
In April 2026, Snyk shut down the SecurityHeaders.com API. The free web scanner at securityheaders.com still works for manual, one-at-a-time checks, but the programmatic API that many teams relied on for CI/CD integration, compliance automation, and scheduled monitoring is gone.
If you were using the SecurityHeaders.com API, you need a replacement. If you were doing security header checks manually, this is a good time to automate. For a detailed migration guide, see SecurityHeaders.com API Alternative.
Layer 1: Security Headers (GET /security)
The /security endpoint scans any website and returns a letter grade from A+ to F, a numeric score (0–130), and a per-header breakdown. It checks eight headers: HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, X-XSS-Protection, and Cross-Origin-Opener-Policy.
```bash
curl -s "https://detectzestack.p.rapidapi.com/security?url=stripe.com" \
  -H "x-rapidapi-key: YOUR_API_KEY" \
  -H "x-rapidapi-host: detectzestack.p.rapidapi.com" | python3 -m json.tool
```
Response:
```json
{
  "url": "https://stripe.com",
  "domain": "stripe.com",
  "grade": "A",
  "score": 105,
  "max_score": 130,
  "scan_time_ms": 312,
  "cached": false,
  "tests": {
    "strict-transport-security": {
      "pass": true,
      "score_modifier": 20,
      "result": "HSTS enabled",
      "value": "max-age=63072000; includeSubDomains; preload",
      "info": "Strong HSTS policy with preload"
    },
    "content-security-policy": {
      "pass": true,
      "score_modifier": 20,
      "result": "CSP present",
      "value": "default-src 'self' ...",
      "info": "Content Security Policy defined"
    }
  }
}
```
CI/CD Integration: Fail Builds on Bad Headers
Add this to your deployment pipeline to block deploys when security headers regress:
```bash
#!/bin/bash
# security-gate.sh — run after deploy, fail if grade drops below C
# Fail closed: with -e/-u/pipefail and curl -f, an unset DEPLOY_URL, a failed
# request or an unparsable response aborts the gate instead of passing it.
set -euo pipefail

RESULT=$(curl -sf "https://detectzestack.p.rapidapi.com/security?url=$DEPLOY_URL" \
  -H "x-rapidapi-key: $RAPIDAPI_KEY" \
  -H "x-rapidapi-host: detectzestack.p.rapidapi.com")

GRADE=$(echo "$RESULT" | python3 -c "import sys,json; print(json.load(sys.stdin)['grade'])")
SCORE=$(echo "$RESULT" | python3 -c "import sys,json; print(json.load(sys.stdin)['score'])")

echo "Security headers: grade=$GRADE score=$SCORE/130"

if [[ "$GRADE" == "D" || "$GRADE" == "F" ]]; then
  echo "FAIL: Security headers grade is $GRADE (minimum: C)"
  exit 1
fi
echo "PASS: Security headers check passed"
```
PCI DSS 4.0 compliance: Requirement 6.4.3 mandates Content-Security-Policy on payment pages. Automate the check — do not rely on humans remembering to verify after every deploy.
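A letter grade alone can hide the header that matters to you: a site can earn a B while its Content-Security-Policy test fails. The following added example (not code from this page or from DetectZeStack) evaluates a /security response body against both a minimum grade and a list of headers that must pass individually, and treats an unparsable body or a missing test entry as a failure rather than a pass. It assumes only the response shape shown above; the two sample bodies are constructed, not real scan output.

```python
import json

# Grades from best to worst; the /security endpoint reports A+ through F.
GRADE_ORDER = ["A+", "A", "B", "C", "D", "F"]

def evaluate_headers(raw_body, min_grade="C",
                     required=("strict-transport-security", "content-security-policy")):
    """Return (ok, findings) for one /security response body.

    Fails closed: an unparsable body, a missing grade or a missing per-header
    entry is a finding, so a broken API call can never wave a deploy through.
    """
    findings = []
    try:
        d = json.loads(raw_body)
    except (TypeError, ValueError):
        return False, ["response body is not valid JSON"]
    grade = d.get("grade")
    if grade not in GRADE_ORDER:
        findings.append(f"missing or unknown grade: {grade!r}")
    elif GRADE_ORDER.index(grade) > GRADE_ORDER.index(min_grade):
        findings.append(f"grade {grade} is below the minimum {min_grade}")
    tests = d.get("tests") or {}
    for name in required:                 # required headers must pass regardless of grade
        entry = tests.get(name)
        if entry is None:
            findings.append(f"{name}: not reported by the scanner")
        elif not entry.get("pass"):
            findings.append(f"{name}: {entry.get('result', 'check failed')}")
    return not findings, findings

# Constructed sample bodies in the shape shown above (not real scan output).
GOOD_BODY = json.dumps({"grade": "A", "score": 105, "max_score": 130, "tests": {
    "strict-transport-security": {"pass": True, "result": "HSTS enabled"},
    "content-security-policy": {"pass": True, "result": "CSP present"}}})
NO_CSP_BODY = json.dumps({"grade": "B", "score": 70, "max_score": 130, "tests": {
    "strict-transport-security": {"pass": True, "result": "HSTS enabled"},
    "content-security-policy": {"pass": False, "result": "CSP missing"}}})
```

Pipe the curl output into `evaluate_headers` in place of the grade-only check above and exit non-zero whenever `ok` is false.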
Layer 2: SSL/TLS Certificates (GET /certificate/check)
Expired or misconfigured SSL certificates cause outages and browser warnings. The /certificate/check endpoint returns certificate details including expiration dates, issuer, and days remaining.
```bash
curl -s "https://detectzestack.p.rapidapi.com/certificate/check?url=example.com" \
  -H "x-rapidapi-key: YOUR_API_KEY" \
  -H "x-rapidapi-host: detectzestack.p.rapidapi.com" | python3 -m json.tool
```
Use the days_until_expiry field to set up alerts. A cron job that runs daily and alerts when any certificate has fewer than 30 days remaining gives you time to renew before users see browser warnings.
```bash
#!/bin/bash
# cert-monitor.sh — alert if any domain's cert expires within 30 days
DOMAINS=("example.com" "api.example.com" "app.example.com")

for DOMAIN in "${DOMAINS[@]}"; do
  DAYS=$(curl -sf "https://detectzestack.p.rapidapi.com/certificate/check?url=$DOMAIN" \
    -H "x-rapidapi-key: $RAPIDAPI_KEY" \
    -H "x-rapidapi-host: detectzestack.p.rapidapi.com" \
    | python3 -c "import sys,json; print(json.load(sys.stdin).get('days_until_expiry', 0))")
  # A failed request or unparsable response leaves DAYS empty: alert, don't skip
  if ! [[ "$DAYS" =~ ^-?[0-9]+$ ]]; then
    echo "WARNING: $DOMAIN check failed (no expiry data returned)"
    continue
  fi
  if [ "$DAYS" -lt 30 ]; then
    echo "WARNING: $DOMAIN certificate expires in $DAYS days"
    # Send alert (Slack webhook, PagerDuty, email, etc.)
  fi
done
```
For more details, see the SSL/TLS Certificate Check page.
Layer 3: Vulnerability Scanning (GET /vulnerability)
The /vulnerability endpoint detects the technologies running on a website, maps them to CPE identifiers (Common Platform Enumeration), and cross-references them against the NVD (National Vulnerability Database) to find known CVEs.
```bash
curl -s "https://detectzestack.p.rapidapi.com/vulnerability?url=example.com" \
  -H "x-rapidapi-key: YOUR_API_KEY" \
  -H "x-rapidapi-host: detectzestack.p.rapidapi.com" | python3 -m json.tool
```
This is particularly useful for:
- Vendor risk assessments — scan a third-party vendor's site to check if their publicly-visible technologies have known CVEs
- Supply chain security — detect when a dependency your site uses has a new vulnerability
- Compliance evidence — generate reports showing you actively monitor for known vulnerabilities in external-facing technologies
Combining All Three Layers
A comprehensive automated security audit hits all three endpoints. Here is a script that checks security headers, SSL certificates, and vulnerabilities in one pass:
```bash
#!/bin/bash
# full-audit.sh — comprehensive security audit for a domain
DOMAIN=${1:?usage: full-audit.sh <domain>}
API_KEY=$RAPIDAPI_KEY
HOST="detectzestack.p.rapidapi.com"

echo "=== Security Audit: $DOMAIN ==="
echo ""

# 1. Security Headers
echo "--- Security Headers ---"
curl -s "https://$HOST/security?url=$DOMAIN" \
  -H "x-rapidapi-key: $API_KEY" \
  -H "x-rapidapi-host: $HOST" \
  | python3 -c "
import sys, json
d = json.load(sys.stdin)
print(f\"Grade: {d['grade']} ({d['score']}/{d['max_score']})\")"
echo ""

# 2. SSL/TLS Certificate
echo "--- SSL/TLS Certificate ---"
curl -s "https://$HOST/certificate/check?url=$DOMAIN" \
  -H "x-rapidapi-key: $API_KEY" \
  -H "x-rapidapi-host: $HOST" \
  | python3 -c "
import sys, json
d = json.load(sys.stdin)
print(f\"Issuer: {d.get('issuer', 'N/A')}\")
print(f\"Expires in: {d.get('days_until_expiry', 'N/A')} days\")"
echo ""

# 3. Vulnerability Scan
echo "--- Vulnerabilities ---"
curl -s "https://$HOST/vulnerability?url=$DOMAIN" \
  -H "x-rapidapi-key: $API_KEY" \
  -H "x-rapidapi-host: $HOST" \
  | python3 -c "
import sys, json
d = json.load(sys.stdin)
vulns = d.get('vulnerabilities', [])
print(f\"Technologies scanned: {d.get('tech_count', 0)}\")
print(f\"Vulnerabilities found: {len(vulns)}\")
for v in vulns[:5]:
    print(f\" - {v.get('cve_id', 'N/A')}: {v.get('description', '')[:80]}\")"
```
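The shell script above prints each layer but never decides anything, and a failed curl simply prints nothing. As an added example (not the page's or DetectZeStack's code), the Python below runs the same three endpoints with the RapidAPI headers, folds the results into one report with a pass/fail status, and records an HTTP error or unparsable body as an error that fails the audit rather than a silent pass. The `opener` parameter, the `canned_opener` helper and the `SAMPLE` responses are assumptions added so the audit can be exercised offline; the CVE id in the sample is a placeholder.

```python
import io, json
import urllib.error, urllib.parse, urllib.request

HOST = "detectzestack.p.rapidapi.com"
ENDPOINTS = {"headers": "/security", "certificate": "/certificate/check",
             "vulnerabilities": "/vulnerability"}

def fetch_json(path, domain, api_key, opener=urllib.request.urlopen):
    """Call one endpoint with the RapidAPI headers; return (data, error)."""
    req = urllib.request.Request(f"https://{HOST}{path}?url={urllib.parse.quote(domain)}",
                                 headers={"x-rapidapi-key": api_key, "x-rapidapi-host": HOST})
    try:
        with opener(req, timeout=30) as resp:
            return json.loads(resp.read().decode()), None
    except urllib.error.HTTPError as e:
        return None, f"HTTP {e.code}"
    except (urllib.error.URLError, OSError, ValueError) as e:
        return None, f"request failed: {e}"

def full_audit(domain, api_key, opener=urllib.request.urlopen, min_days=30):
    """Hit all three endpoints; any endpoint error fails the audit, never a silent pass."""
    report = {"domain": domain, "findings": [], "errors": []}
    for key, path in ENDPOINTS.items():
        data, err = fetch_json(path, domain, api_key, opener)
        if err:
            report["errors"].append(f"{key}: {err}")
        report[key] = data or {}
    if report["headers"].get("grade") in ("D", "F"):      # same threshold as the gate above
        report["findings"].append(f"headers grade {report['headers']['grade']}")
    days = report["certificate"].get("days_until_expiry")
    if isinstance(days, int) and days < min_days:
        report["findings"].append(f"certificate expires in {days} days")
    cves = [v.get("cve_id", "N/A") for v in report["vulnerabilities"].get("vulnerabilities", [])]
    if cves:
        report["findings"].append(f"{len(cves)} known CVE(s): {', '.join(cves[:5])}")
    report["status"] = "fail" if report["findings"] or report["errors"] else "pass"
    return report

# Constructed sample responses (not real scan output) so the audit can be dry-run offline.
SAMPLE = {"/security": {"grade": "B", "score": 75, "max_score": 130},
          "/certificate/check": {"issuer": "Example CA", "days_until_expiry": 12},
          "/vulnerability": {"tech_count": 4, "vulnerabilities": [
              {"cve_id": "CVE-0000-0000", "description": "placeholder entry"}]}}

def canned_opener(responses):
    # Serves canned JSON for known paths; unknown paths raise HTTP 429 (quota-style error)
    def opener(req, timeout=None):
        path = req.full_url.split(HOST, 1)[1].split("?", 1)[0]
        if path not in responses:
            raise urllib.error.HTTPError(req.full_url, 429, "Too Many Requests", None, None)
        return io.BytesIO(json.dumps(responses[path]).encode())
    return opener
```

Call `full_audit("example.com", RAPIDAPI_KEY)` with the default opener to run it for real; one call consumes three requests of the monthly quota.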
What Each Endpoint Costs
All three security endpoints share the same API key and the same request quota. Each call to /security, /certificate/check, or /vulnerability counts as one request.
| Plan | Requests/month | Price | Cost per audit (3 endpoints) |
|---|---|---|---|
| Free | 100 | $0 | $0 (33 full audits) |
| Pro | 1,000 | $9/mo | $0.027 (333 full audits) |
| Ultra | 10,000 | $29/mo | $0.0087 (3,333 full audits) |
| Mega | 50,000 | $79/mo | $0.0047 (16,666 full audits) |
For context, a single penetration test costs $5,000–$30,000. Automated scanning does not replace pen testing, but it catches regressions between tests — and at a few cents per audit, there is no reason not to run it continuously.
Start Automating Security Audits
100 requests/month free. Security headers, SSL certificates, and vulnerability scanning — all through one API key.
Related Reading
- SecurityHeaders.com API Alternative — Migration guide from the shut-down SecurityHeaders.com API
- Security Headers Scanner — Scan any domain interactively, no API key needed
- Security Audit Tool — Comprehensive web security assessment
- SSL/TLS Certificate Check — Certificate analysis and expiration monitoring