Security Header Analyzer
Analyze HTTP security headers with comprehensive scoring (A-F grades)
Scoring: A (90-100%) • B (80-89%) • C (70-79%) • D (60-69%) • F (<60%)
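As an added illustration of how a percentage score turns into the A-F grade above (this is example code written for this page, not the analyzer's own implementation), the block below checks a handful of common security headers, weights them, and maps the total onto the page's grade bands. The header set, the weights and the per-header value checks are assumptions chosen for the example; the page does not spell out the service's real rubric. The two sample header sets are constructed, not captured from any site.

```python
import re
from typing import Callable, Dict, List, Tuple

# Grade bands exactly as stated on the page: the lowest percentage that earns each letter.
GRADE_BANDS: List[Tuple[int, str]] = [(90, "A"), (80, "B"), (70, "C"), (60, "D")]


def grade_for(percent: float) -> str:
    """Map a 0-100 score onto the page's A-F scale; anything below 60 is an F."""
    for floor, letter in GRADE_BANDS:
        if percent >= floor:
            return letter
    return "F"


def _hsts_ok(value: str) -> bool:
    # Assumed baseline: max-age of at least one year.
    match = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    return bool(match) and int(match.group(1)) >= 31536000


def _csp_ok(value: str) -> bool:
    # Assumed baseline: a policy that restricts sources and does not allow inline script.
    lowered = value.lower()
    return ("default-src" in lowered or "script-src" in lowered) and "'unsafe-inline'" not in lowered


def _referrer_ok(value: str) -> bool:
    # Assumed acceptable set: policies that never leak the full URL cross-origin.
    return value.strip().lower() in {"no-referrer", "same-origin", "strict-origin",
                                     "strict-origin-when-cross-origin"}


# Assumed rubric (header -> (weight, value check)); weights sum to 100. Illustrative only,
# not the analyzer's own rubric.
CHECKS: Dict[str, Tuple[int, Callable[[str], bool]]] = {
    "strict-transport-security": (25, _hsts_ok),
    "content-security-policy": (25, _csp_ok),
    "x-content-type-options": (15, lambda v: v.strip().lower() == "nosniff"),
    "x-frame-options": (15, lambda v: v.strip().upper() in {"DENY", "SAMEORIGIN"}),
    "referrer-policy": (10, _referrer_ok),
    "permissions-policy": (10, lambda v: bool(v.strip())),
}


def score_headers(headers: Dict[str, str]) -> Tuple[int, str, List[str]]:
    """Return (percent, grade, findings) for one response's headers.

    Header names are matched case-insensitively, as HTTP requires; a header that is present
    but fails its value check earns nothing and is reported as weak rather than missing.
    """
    normalised = {name.lower(): value for name, value in headers.items()}
    earned = 0
    findings: List[str] = []
    for name, (weight, check) in CHECKS.items():
        value = normalised.get(name)
        if value is None:
            findings.append(f"missing: {name}")
        elif not check(value):
            findings.append(f"weak value: {name}: {value}")
        else:
            earned += weight
    return earned, grade_for(earned), findings


# Constructed sample responses (not captured from any real site).
SAMPLE_HARDENED = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; object-src 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=()",
}
SAMPLE_PARTIAL = {
    "strict-transport-security": "max-age=31536000",
    "content-security-policy": "default-src 'self' 'unsafe-inline'",  # present but weak
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "sameorigin",
    "Referrer-Policy": "no-referrer",
}

if __name__ == "__main__":
    for label, sample in (("hardened", SAMPLE_HARDENED), ("partial", SAMPLE_PARTIAL)):
        percent, grade, findings = score_headers(sample)
        print(f"{label}: {percent}% -> {grade}; findings: {findings}")
```

With these assumed weights the hardened sample scores 100% (A) and the partial one 65% (D): the CSP is present but allows inline script, so it earns nothing, and Permissions-Policy is absent. Reporting "weak value" separately from "missing" is the part worth keeping in any real rubric, since a header that exists with a permissive value gives a false sense of coverage.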
API Documentation
Base URL: https://example.com
Health
curl -sS https://example.com/api/health
Analyze a URL
Default (full) response:
curl -sS -X POST https://example.com/api/analyze \
-H "Content-Type: application/json" \
-d '{"url":"https://example.com","force_refresh":false}'
Minimal (de-duplicated) response:
curl -sS -X POST "https://example.com/api/analyze?minimal=true" \
-H "Content-Type: application/json" \
-d '{"url":"https://example.com"}'
Set force_refresh: true in the JSON body to bypass the cache. Use the ?minimal=true query parameter for a de-duplicated response.
Security Constraints
- Schemes: only http and https are allowed.
- Ports: only 80 and 443 are allowed (default or explicit).
- Methods used to target: the service issues HEAD first; a safe GET fallback may be used to read headers without downloading the body.
- Redirects: up to 3 hops; each hop is validated (scheme, port, and that the resolved IP is public).
- IP policy: private, loopback, link-local, multicast, and reserved IPs are blocked (DNS rebinding mitigated per hop).
- CORS: enabled for /api/* with origins: *, methods GET, POST, no credentials.
- Rate limits: global limit is 1 request/second per client; /api/analyze is limited to 60 requests/second per client.
These constraints help prevent SSRF and keep the service safe and free for public use.
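The scheme, port, redirect and IP-policy constraints above amount to a per-hop SSRF check. The block below is an added example of that check written for this page; it is not the service's code. It validates every hop before it is fetched, requires every resolved address to be public, and pins the validated IP so the HTTP client cannot re-resolve the name between check and connect (the rebinding guard the list refers to). The resolver and fetcher are injectable so the example runs offline; their signatures, the DNS table and the responses are constructed for the example.

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Tuple
from urllib.parse import urljoin, urlsplit

# Policy values taken from the constraints listed above.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}
MAX_REDIRECT_HOPS = 3
REDIRECT_STATUSES = {301, 302, 303, 307, 308}

# Injectable collaborators so the example runs offline. Both signatures are assumptions:
#   Resolver: hostname -> list of IP strings
#   Fetcher:  (pinned_ip, url) -> (status, response headers), standing in for HEAD/GET
Resolver = Callable[[str], List[str]]
Fetcher = Callable[[str, str], Tuple[int, Dict[str, str]]]


def system_resolver(host: str) -> List[str]:
    """Resolve with the OS resolver and return every A/AAAA address."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_ip(addr: str) -> bool:
    """False for private, loopback, link-local, multicast, reserved or unspecified addresses."""
    ip = ipaddress.ip_address(addr)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_target(url: str, resolver: Resolver = system_resolver) -> Tuple[str, str]:
    """Check one hop against the policy; return (hostname, pinned public IP) or raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("missing host")
    port = parts.port if parts.port is not None else (443 if parts.scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        raise ValueError(f"port not allowed: {port}")
    try:
        # IP literal in the URL: check it directly (covers IPv6 literals such as [::1] too).
        addrs = [str(ipaddress.ip_address(parts.hostname))]
    except ValueError:
        addrs = resolver(parts.hostname)
    if not addrs:
        raise ValueError("host did not resolve")
    # Every record must be public: a name mixing one public and one internal record would
    # otherwise pass on the record we looked at while the client connects on the other.
    for addr in addrs:
        if not is_public_ip(addr):
            raise ValueError(f"non-public address blocked: {addr} ({parts.hostname})")
    # Pin the validated address. The fetcher connects to this IP and sends the original Host
    # header, so the name is never re-resolved: that is the per-hop rebinding guard.
    return parts.hostname, addrs[0]


def analyze_target(url: str, fetcher: Fetcher, resolver: Resolver = system_resolver) -> Dict[str, object]:
    """Follow up to MAX_REDIRECT_HOPS redirects, validating each hop before it is fetched."""
    current = url
    try:
        for _ in range(MAX_REDIRECT_HOPS + 1):  # initial request plus the allowed hops
            _host, pinned_ip = validate_target(current, resolver)
            status, headers = fetcher(pinned_ip, current)
            location = next((v for k, v in headers.items() if k.lower() == "location"), None)
            if status in REDIRECT_STATUSES and location:
                current = urljoin(current, location)  # relative Location values resolve here
                continue
            return {"ok": True, "url": current, "status": status, "headers": headers}
        raise ValueError(f"more than {MAX_REDIRECT_HOPS} redirect hops")
    except ValueError as exc:
        return {"ok": False, "url": current, "error": str(exc)}


# Constructed DNS table and responses; none of this is captured from a live host.
CONSTRUCTED_DNS = {
    "example.com": ["93.184.216.34"],
    "intranet.example": ["10.0.0.5"],
    "mixed.example": ["93.184.216.34", "10.0.0.5"],
}
CONSTRUCTED_RESPONSES = {
    "http://example.com/": (301, {"Location": "https://example.com/"}),
    "https://example.com/": (200, {"Strict-Transport-Security": "max-age=63072000"}),
    "https://example.com/hop": (302, {"Location": "http://intranet.example/admin"}),
    "https://example.com/loop": (302, {"Location": "/loop"}),
}


def constructed_resolver(host: str) -> List[str]:
    return CONSTRUCTED_DNS.get(host, [])


def constructed_fetcher(pinned_ip: str, url: str) -> Tuple[int, Dict[str, str]]:
    return CONSTRUCTED_RESPONSES[url]


if __name__ == "__main__":
    for target in ("http://example.com/", "https://example.com/hop", "https://example.com/loop",
                   "http://mixed.example/", "http://[::1]/", "http://example.com:8080/"):
        print(target, "->", analyze_target(target, constructed_fetcher, constructed_resolver))
```

Running it shows the http-to-https redirect being followed and landing on a 200, while the hop to an internal name, the name with a mixed public/internal record set, the loopback literal, the non-standard port and a redirect loop are each refused with the constraint that rejected them. Two details matter in practice: the check runs on the redirected URL of every hop, not just the first, and the connect target is the address that was checked rather than whatever a second lookup returns.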