Security Headers Scanner API
Grade any website's HTTP security headers programmatically. Get A+ to F scores, individual header analysis, and actionable recommendations — all via a single API call.
What We Check
HTTPS Enforcement
Verify the site redirects to HTTPS. HTTP-only sites receive a 20-point penalty. The foundation of all other security headers.
HSTS (Strict-Transport-Security)
Parse max-age, includeSubDomains, and preload. Flag short max-age values (<6 months) and missing directives.
Content-Security-Policy
Deep CSP analysis: directive extraction, unsafe-inline/unsafe-eval detection, wildcard checks, insecure scheme detection, and frame-ancestors support.
X-Frame-Options
Validate protection against clickjacking. Accepts DENY and SAMEORIGIN; flags the deprecated ALLOW-FROM. A CSP frame-ancestors directive supersedes this header.
X-Content-Type-Options
Check for nosniff to prevent MIME-type sniffing attacks. Simple but critical — missing on many sites.
Referrer-Policy
Validate referrer control. Safe values like strict-origin-when-cross-origin earn bonuses. Unsafe values like unsafe-url are penalized.
Permissions-Policy
Check if the site restricts browser features like camera, microphone, and geolocation. Informational — not penalized if missing.
Cookie Security
Verify Secure, HttpOnly, and SameSite flags on all Set-Cookie headers. Earn bonuses for proper cookie security.
Deprecated Headers
Flag deprecated headers like X-XSS-Protection, Public-Key-Pins, and Expect-CT. Also detect information leaks from Server and X-Powered-By.
Mozilla Observatory-Style Grading
Sites start at 100 points. Missing or weak headers deduct points. Best practices earn bonuses (only if base score is 90+). Maximum score: 130.
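The checks and scoring rules above can be followed end to end in a small grader. The block below is an added example written for this page, not DetectZeStack's code. It takes from the page only what the page states: a start of 100 points, the 20-point HTTP-only penalty, bonuses counted only when the base score is 90 or more, the 130 cap, and the +5 (HSTS preload), +10 (strict CSP) and +5 (private Referrer-Policy) bonuses seen in the example response. Every other deduction amount, the letter-grade bands, the six-month HSTS threshold and the two sample header sets are assumptions constructed for the example; cookie and deprecated-header checks are left out.

```python
"""Simplified Observatory-style grader for the header checks described above.

Added example, not DetectZeStack's code. Only the 100-point start, the
20-point HTTP-only penalty, the 90+ bonus gate, the 130 cap and the three
bonus amounts come from the page; all other numbers are assumptions.
"""
from typing import Dict, Tuple

SIX_MONTHS = 60 * 60 * 24 * 182                 # assumed "short max-age" cut-off
GRADE_BANDS = [(100, "A+"), (90, "A"), (80, "B"), (70, "C"), (60, "D")]  # assumed
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin"}

def parse_directives(value: str) -> Dict[str, str]:
    """'max-age=31536000; includeSubDomains' -> {'max-age': '31536000', 'includesubdomains': ''}"""
    out = {}
    for part in value.split(";"):
        if part.strip():
            key, _, val = part.strip().partition("=")
            out[key.strip().lower()] = val.strip()
    return out

def check_hsts(value: str) -> Tuple[int, str]:
    d = parse_directives(value)
    if not d.get("max-age", "").isdigit():
        return -10, "hsts-malformed"                 # assumed deduction
    if int(d["max-age"]) < SIX_MONTHS:
        return -5, "hsts-short-max-age"              # assumed deduction
    if "includesubdomains" in d and "preload" in d:
        return 5, "hsts-preloaded"
    return 0, "hsts-ok"

def check_csp(value: str) -> Tuple[int, str]:
    """Inspect script-src (falling back to default-src) for the weak patterns."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    sources = directives.get("script-src", directives.get("default-src", []))
    if "'unsafe-inline'" in sources or "'unsafe-eval'" in sources:
        return -10, "csp-unsafe-inline-or-eval"      # assumed deduction
    if "*" in sources or any(s.startswith("http:") for s in sources):
        return -5, "csp-wildcard-or-insecure-scheme" # assumed deduction
    if directives.get("default-src") == ["'none'"]:
        return 10, "csp-strict"
    return 0, "csp-ok"

def grade(final_url: str, headers: Dict[str, str]) -> dict:
    """Score one response: the URL reached after redirects plus its response headers."""
    h = {k.lower(): v for k, v in headers.items()}
    t: Dict[str, Tuple[int, str]] = {}
    t["https"] = (0, "https") if final_url.startswith("https://") else (-20, "http-only")
    hsts = h.get("strict-transport-security")
    t["strict-transport-security"] = check_hsts(hsts) if hsts else (-20, "hsts-missing")
    csp = h.get("content-security-policy")
    t["content-security-policy"] = check_csp(csp) if csp else (-25, "csp-missing")
    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo in ("deny", "sameorigin"):
        t["x-frame-options"] = (0, f"xfo-{xfo}")
    elif xfo.startswith("allow-from"):
        t["x-frame-options"] = (-5, "xfo-deprecated-allow-from")
    elif csp and "frame-ancestors" in csp.lower():   # CSP frame-ancestors supersedes XFO
        t["x-frame-options"] = (0, "xfo-superseded-by-csp")
    else:
        t["x-frame-options"] = (-10, "xfo-missing")
    nosniff = h.get("x-content-type-options", "").strip().lower() == "nosniff"
    t["x-content-type-options"] = (0, "xcto-nosniff") if nosniff else (-5, "xcto-missing")
    rp = h.get("referrer-policy", "").strip().lower()
    if rp in SAFE_REFERRER:
        t["referrer-policy"] = (5, "referrer-policy-private")
    elif rp == "unsafe-url":
        t["referrer-policy"] = (-5, "referrer-policy-unsafe")
    else:
        t["referrer-policy"] = (0, "referrer-policy-missing-or-neutral")
    base = 100 + sum(m for m, _ in t.values() if m < 0)
    bonus = sum(m for m, _ in t.values() if m > 0) if base >= 90 else 0  # 90+ gate
    score = min(130, base + bonus)
    letter = next((g for floor, g in GRADE_BANDS if score >= floor), "F")
    return {"score": score, "grade": letter,
            "tests": {k: {"score_modifier": m, "result": r} for k, (m, r) in t.items()}}

# Constructed sample header sets (not captured from any real site).
GOOD_SITE = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'none'; script-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
WEAK_SITE = {
    "Strict-Transport-Security": "max-age=86400",
    "Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline'",
    "Referrer-Policy": "unsafe-url",
}

if __name__ == "__main__":
    for url, hdrs in (("https://good.example", GOOD_SITE), ("http://weak.example", WEAK_SITE)):
        r = grade(url, hdrs)
        print(f"{url}: {r['grade']} ({r['score']}/130)")
```

The hardened sample scores 120 (base 100 plus 20 in bonuses) and the weak one 45, which lands at F. Dropping only the HSTS header from the hardened set pushes its base to 80, so none of its bonuses count and it scores 80: that is the effect of the 90-point gate the grading section describes.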
Example API Response
A single GET /security?url=github.com returns:
```json
{
  "url": "https://github.com",
  "domain": "github.com",
  "grade": "A+",
  "score": 115,
  "max_score": 130,
  "scan_time_ms": 342,
  "cached": false,
  "tests": {
    "https": {
      "pass": true,
      "score_modifier": 0,
      "result": "https",
      "info": "Site is served over HTTPS"
    },
    "strict-transport-security": {
      "pass": true,
      "score_modifier": 5,
      "result": "hsts-preloaded",
      "value": "max-age=31536000; includeSubdomains; preload",
      "info": "HSTS header present with max-age of 365 days, includeSubDomains, and preload"
    },
    "content-security-policy": {
      "pass": true,
      "score_modifier": 10,
      "result": "csp-strict",
      "info": "Content-Security-Policy is strict with default-src 'none'"
    },
    "x-frame-options": {
      "pass": true,
      "score_modifier": 0,
      "result": "xfo-deny",
      "value": "deny",
      "info": "X-Frame-Options is set to DENY"
    },
    "x-content-type-options": {
      "pass": true,
      "score_modifier": 0,
      "result": "xcto-nosniff",
      "value": "nosniff",
      "info": "X-Content-Type-Options is set to 'nosniff'"
    },
    "referrer-policy": {
      "pass": true,
      "score_modifier": 5,
      "result": "referrer-policy-private",
      "value": "strict-origin-when-cross-origin",
      "info": "Referrer-Policy is set to a private value"
    }
  },
  "deprecated_headers": [],
  "info_leaks": [],
  "recommendations": []
}
```
Use Cases
Security Auditing
Scan your organization's domains and third-party dependencies for missing security headers. Prioritize fixes by severity with the grade and score system.
Compliance Monitoring
Continuously verify that security headers meet your compliance requirements. Set up scheduled scans and alert when grades drop below your threshold.
Competitive Analysis
Compare your security posture against competitors. Grade their sites alongside yours to identify where you lead or need to catch up.
CI/CD Integration
Add security header checks to your deployment pipeline. Fail builds when headers don't meet minimum grade requirements before going to production.
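A pipeline gate of the kind described here, as an added example written for this page rather than DetectZeStack's own tooling. It assumes the report shape shown in the Example API Response (grade, score, max_score, tests with a pass flag, recommendations) and a grade scale of F, D, C, B, A, A+. The minimum grade, the list of tests that must pass regardless of grade, the environment variable name and the sample report are all constructed for the example; the fetch uses only the endpoint and X-API-Key header documented on the page.

```python
"""Deployment gate over a /security report.

Added example, not DetectZeStack's code. Assumes the report shape shown in
the Example API Response; threshold, required tests, env var name and the
sample report are constructed for this example.
"""
import json
import os
import sys
import urllib.parse
import urllib.request
from typing import List, Sequence

GRADE_ORDER = ["F", "D", "C", "B", "A", "A+"]      # worst to best (assumed scale)

def fetch_report(domain: str, api_key: str) -> dict:
    """Call the documented endpoint with the documented header (needs network)."""
    query = urllib.parse.urlencode({"url": domain})
    req = urllib.request.Request(f"https://detectzestack.com/security?{query}",
                                 headers={"X-API-Key": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def meets_threshold(grade: str, minimum: str) -> bool:
    return GRADE_ORDER.index(grade) >= GRADE_ORDER.index(minimum)

def gate(report: dict, minimum_grade: str = "B",
         required_tests: Sequence[str] = ("https", "strict-transport-security")) -> List[str]:
    """Return the reasons the build should fail; an empty list means it may proceed."""
    failures = []
    if not meets_threshold(report["grade"], minimum_grade):
        failures.append(f"grade {report['grade']} ({report['score']}/{report['max_score']}) "
                        f"is below the required {minimum_grade}")
    # A passing overall grade can still hide a failed test that the pipeline must not accept.
    for name in required_tests:
        test = report.get("tests", {}).get(name)
        if not test or not test.get("pass"):
            failures.append(f"required test {name} did not pass")
    return failures

# Constructed sample report: redirects to HTTPS but has no HSTS and a mediocre grade.
SAMPLE_REPORT = {
    "domain": "sample.example", "grade": "C", "score": 70, "max_score": 130,
    "tests": {
        "https": {"pass": True, "score_modifier": 0, "result": "https"},
        "strict-transport-security": {"pass": False, "score_modifier": -20,
                                      "result": "hsts-missing"},   # constructed label
    },
    "recommendations": ["Add a Strict-Transport-Security header with max-age of at least 6 months"],
}

if __name__ == "__main__":
    # With DETECTZESTACK_API_KEY set and a domain argument given, gate the live report;
    # otherwise gate the constructed sample so the script runs offline.
    key = os.environ.get("DETECTZESTACK_API_KEY")
    report = fetch_report(sys.argv[1], key) if key and len(sys.argv) > 1 else SAMPLE_REPORT
    problems = gate(report, minimum_grade="B")
    for rec in report.get("recommendations", []):
        print("recommendation:", rec)
    for problem in problems:
        print("FAIL:", problem)
    sys.exit(1 if problems else 0)
```

Run as a pipeline step, a non-zero exit fails the build. Requiring specific tests in addition to a minimum grade matters because the bonus system can lift a score: a site missing one critical header could still reach the threshold on bonuses elsewhere, and the required-tests list closes that gap.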
Vulnerability Scanning
Combine with DetectZeStack's technology detection and certificate checker for a comprehensive security overview of any domain from a single API.
Client Reporting
Generate security header reports for clients. The grade system and actionable recommendations make findings easy to communicate to non-technical stakeholders.
Quick Start
Get security header grades in seconds:
```bash
# Check security headers for any domain
curl -H "X-API-Key: YOUR_KEY" \
  "https://detectzestack.com/security?url=example.com"
```

```python
# Python
import requests

resp = requests.get(
    "https://detectzestack.com/security",
    params={"url": "example.com"},
    headers={"X-API-Key": "YOUR_KEY"},
)
resp.raise_for_status()  # surface auth or quota errors instead of failing on the JSON below
report = resp.json()
print(f"{report['domain']}: {report['grade']} ({report['score']}/130)")
```
Pricing
Security header analysis is included in all DetectZeStack plans. Same API key, same quota.
| Plan | Requests/month | Price |
|---|---|---|
| Free | 100 | $0/mo |
| Pro | 1,000 | $9/mo |
| Ultra | 10,000 | $29/mo |
| Mega | 50,000 | $79/mo |
Frequently Asked Questions
What security headers does this API check?
The API checks 7 core headers: HTTPS enforcement, Strict-Transport-Security (HSTS), Content-Security-Policy (CSP), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. It also analyzes cookie security flags and detects deprecated headers and information leaks.
How is the grade calculated?
Grades use a Mozilla Observatory-inspired scoring model. Sites start at 100 points with deductions for missing or misconfigured headers. Bonuses (up to +30 points) are only awarded if the base score is 90 or above. The maximum possible score is 130 (grade A+).
How is this different from SecurityHeaders.com?
SecurityHeaders.com is a manual web tool with no API access (their API is shutting down April 2026). DetectZeStack provides a full REST API designed for automation: JSON responses, API key auth, rate-limited plans, cached results, and bundled with technology detection, DNS intelligence, and certificate checking.
Does this count toward my monthly API quota?
Yes. Each call to /security counts as one request toward your monthly quota, same as /analyze, /dns, or /certificate/check. Results are cached, so repeated checks for the same domain within the cache window do not trigger a new fetch.
Start Scanning Security Headers
Free tier includes 100 requests/month. No credit card required.