Security Headers Check API
Grade any website's HTTP security headers from A+ to F with a single API call. Structured JSON response, Mozilla Observatory-style scoring. The programmatic SecurityHeaders.com alternative you've been looking for.
What It Checks
Content-Security-Policy (CSP)
Detects CSP presence and evaluates directive strictness. Checks for unsafe-inline, unsafe-eval, and overly broad source lists that weaken the policy.
Strict-Transport-Security (HSTS)
Validates HSTS header presence, max-age duration, includeSubDomains, and preload directives. Awards bonus points for HSTS preload readiness.
X-Frame-Options
Checks for clickjacking protection via X-Frame-Options (DENY or SAMEORIGIN) or the equivalent CSP frame-ancestors directive.
X-Content-Type-Options
Verifies the nosniff directive is present to prevent browsers from MIME-type sniffing responses away from the declared content type.
Referrer-Policy
Checks for a Referrer-Policy header and evaluates the policy value. Stricter policies like no-referrer or strict-origin-when-cross-origin score higher.
Permissions-Policy
Detects the Permissions-Policy header (formerly Feature-Policy) that restricts browser features like camera, microphone, geolocation, and payment APIs.
HTTPS Enforcement
Verifies the site is served over HTTPS, the foundation for every other security header. HTTP-only sites receive a significant score penalty.
Cookie Security Flags
Inspects Set-Cookie headers for Secure, HttpOnly, and SameSite flags. Missing flags on session cookies indicate authentication vulnerabilities.
How It Works
Send a URL
Make a GET request to the /v1/security endpoint with the target URL. The API fetches the site and inspects all HTTP response headers.
Get the Grade
Receive a structured JSON response with the overall grade (A+ to F), numeric score, and individual findings for each security header.
Automate It
Integrate into CI pipelines, monitoring dashboards, or scheduled scripts. Check headers on every deploy or track grades over time.
cURL Example
curl "https://detectzestack.p.rapidapi.com/v1/security?url=example.com" \
-H "X-RapidAPI-Key: YOUR_KEY" \
-H "X-RapidAPI-Host: detectzestack.p.rapidapi.com"
Example Response
{
"url": "https://example.com",
"grade": "B",
"score": 65,
"headers": {
"content-security-policy": {
"present": false,
"value": "",
"finding": "Content-Security-Policy header is missing"
},
"strict-transport-security": {
"present": true,
"value": "max-age=31536000; includeSubDomains",
"finding": "HSTS is set with a long max-age"
},
"x-frame-options": {
"present": true,
"value": "DENY",
"finding": "X-Frame-Options is set to DENY"
},
"x-content-type-options": {
"present": true,
"value": "nosniff",
"finding": "X-Content-Type-Options is set correctly"
},
"referrer-policy": {
"present": true,
"value": "strict-origin-when-cross-origin",
"finding": "Referrer-Policy is set to a secure value"
},
"permissions-policy": {
"present": false,
"value": "",
"finding": "Permissions-Policy header is missing"
}
}
}
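The "How It Works" steps and the response above can be turned into a CI gate. The following is an added example, not code from DetectZeStack: it embeds the sample response shown above (constructed copy, so it runs offline), fails the build when the grade is below a threshold or a required header is absent, and assumes a RAPIDAPI_KEY environment variable for live calls.

```python
"""CI gate for the /v1/security response (added example, not the vendor's code)."""
import json
import os
import urllib.parse
import urllib.request

GRADE_ORDER = ["F", "D", "C", "B", "A", "A+"]  # from the grading table, worst to best

# Constructed sample: the example response from the page, embedded so this runs offline.
SAMPLE_RESPONSE = json.loads("""{
  "url": "https://example.com", "grade": "B", "score": 65,
  "headers": {
    "content-security-policy": {"present": false, "value": "", "finding": "Content-Security-Policy header is missing"},
    "strict-transport-security": {"present": true, "value": "max-age=31536000; includeSubDomains", "finding": "HSTS is set with a long max-age"},
    "x-frame-options": {"present": true, "value": "DENY", "finding": "X-Frame-Options is set to DENY"},
    "x-content-type-options": {"present": true, "value": "nosniff", "finding": "X-Content-Type-Options is set correctly"},
    "referrer-policy": {"present": true, "value": "strict-origin-when-cross-origin", "finding": "Referrer-Policy is set to a secure value"},
    "permissions-policy": {"present": false, "value": "", "finding": "Permissions-Policy header is missing"}
  }
}""")


def fetch_report(url, api_key):
    """Call the /v1/security endpoint exactly as the cURL example does."""
    query = urllib.parse.urlencode({"url": url})
    req = urllib.request.Request(
        f"https://detectzestack.p.rapidapi.com/v1/security?{query}",
        headers={"X-RapidAPI-Key": api_key,
                 "X-RapidAPI-Host": "detectzestack.p.rapidapi.com"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def evaluate(report, min_grade="A", required=("content-security-policy", "strict-transport-security")):
    """Return (passed, problems): fail on a grade below min_grade or any required header absent."""
    problems = []
    if GRADE_ORDER.index(report["grade"]) < GRADE_ORDER.index(min_grade):
        problems.append(f"grade {report['grade']} (score {report['score']}) is below {min_grade}")
    for name in required:
        entry = report["headers"].get(name)
        if entry is None or not entry["present"]:
            problems.append(f"{name}: {entry['finding'] if entry else 'not reported'}")
    return not problems, problems


if __name__ == "__main__":
    key = os.environ.get("RAPIDAPI_KEY")  # assumed variable name; set it to query the live API
    report = fetch_report("example.com", key) if key else SAMPLE_RESPONSE
    ok, problems = evaluate(report, min_grade="A")
    print("PASS" if ok else "FAIL: " + "; ".join(problems))
    raise SystemExit(0 if ok else 1)
```

With the sample response the gate fails on two counts (grade B below A, CSP missing), which is the signal a deploy step would act on.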
Grading Methodology
Grades follow the Mozilla Observatory scoring model. Sites start at 100 points with deductions for missing or weak headers, and bonuses for security best practices.
| Grade | Score Range | Meaning |
|---|---|---|
| A+ | 100+ | All security headers present with best-practice configuration (HSTS preload, strict CSP) |
| A | 90 – 99 | Excellent security posture with most headers properly configured |
| B | 75 – 89 | Good configuration with minor improvements possible |
| C | 50 – 74 | Some security headers present but notable gaps remain |
| D | 25 – 49 | Minimal security headers; significant improvements needed |
| F | Below 25 | Few or no security headers detected |
Why Switch from SecurityHeaders.com
| Feature | SecurityHeaders.com | DetectZeStack |
|---|---|---|
| API availability | Shutting down April 2026 | Active, maintained, growing |
| JSON response | Yes (while API lasted) | Yes (structured JSON) |
| A+ to F grading | Yes | Yes (Mozilla Observatory-style) |
| Free tier | Unlimited (web only) | 100 req/mo free, paid from $9/mo |
| Authentication | None (open, rate-limited) | API key via RapidAPI |
| Technology detection | No | 7,300+ technologies detected |
| SSL certificate check | No | Yes (Certificate Check) |
| DNS intelligence | No | Yes (A, MX, NS, TXT, CNAME, PTR) |
| Batch scanning | No | Up to 10 URLs per request |
| Webhook alerts | No | Yes (change notifications) |
Frequently Asked Questions
Is there a SecurityHeaders.com API alternative?
Yes. DetectZeStack's /v1/security endpoint provides the same A+ to F grading as SecurityHeaders.com, with structured JSON output and authenticated API access. It is designed as a drop-in replacement for teams migrating off SecurityHeaders.com. Read the full SecurityHeaders.com alternative comparison.
How does the security header grading work?
DetectZeStack uses Mozilla Observatory-style scoring. Sites start at 100 points with deductions for missing or weak headers (e.g., -25 for no CSP, -20 for no HSTS). Bonuses are awarded for best practices like HSTS preload (+5) and strict CSP directives. The final score maps to a letter grade from A+ (100+) to F (below 25).
What security headers does the API check?
The API checks 7 core security headers: HTTPS enforcement, Strict-Transport-Security (HSTS), Content-Security-Policy (CSP), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. It also inspects cookies for Secure, HttpOnly, and SameSite flags. See the Security Headers documentation for full details.
Is there a free tier?
Yes. DetectZeStack offers a free tier with 100 API requests per month. No credit card required. Your API key works for all endpoints: security headers, tech detection, DNS, certificates, and more. Sign up on RapidAPI to get your key in under a minute.
Can I check security headers programmatically?
Yes. Send a GET request to /v1/security?url=example.com with your API key in the headers. The response is structured JSON with the grade, score, and per-header findings. Use it from any HTTP client, CI pipeline, cron job, or monitoring script. Read the Python tutorial for a step-by-step example.
Start Checking Security Headers Today
Free tier. No credit card required. Get your API key in 30 seconds.
Included in All Plans
Security header checks count against your existing API quota. No separate pricing, no add-ons.
| Plan | Requests/month | Price |
|---|---|---|
| Basic | 100 | $0/mo |
| Pro | 1,000 | $9/mo |
| Ultra | 10,000 | $29/mo |
| Mega | 50,000 | $79/mo |
Related Reading
- SecurityHeaders.com API Alternative — Full comparison and migration path
- SecurityHeaders.com Migration Guide — Step-by-step guide for switching
- Audit Security Headers with Python — Python tutorial with code examples
- Automate Security Audits with API — CI/CD integration guide
- Security Audit Landing Page — Full security audit with CPE vulnerability mapping