Security Headers
/v1/security/headers (free)

Performs comprehensive analysis of HTTP security headers as recommended by the OWASP Secure Headers Project. Evaluates Content-Security-Policy (CSP), Strict-Transport-Security (HSTS), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and Cross-Origin policies (COEP, COOP, CORP). Returns a weighted security grade (A–F) with actionable remediation guidance. Also flags information disclosure risks from Server and X-Powered-By headers.
What It Does
Fetches the target URL (with configurable redirect following) and inspects all security-related HTTP response headers. Each header is scored against known good values: HSTS is checked for max-age ≥ 1 year, includeSubDomains, and preload; CSP is validated for presence and baseline directives; X-Frame-Options is checked for DENY or SAMEORIGIN; X-Content-Type-Options must be nosniff; Referrer-Policy is evaluated against recommended values (no-referrer, strict-origin-when-cross-origin). The deprecated X-XSS-Protection header is detected and flagged — modern browsers have removed XSS Auditor support, and CSP is the recommended replacement. A composite grade is computed from all header scores.
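The per-header rules above, worked through as an added example (not the endpoint's own implementation): it scores a dict of response headers the way the description lays out and returns the same `present`/`missing`/`score`/`server_info` shape. The point weights, partial credit for warnings, and grade thresholds are assumptions chosen for illustration.

```python
import re

# Assumed weights and grade cut-offs; the real endpoint's scoring is not published here.
HSTS_MIN_AGE = 31536000          # one year in seconds, per the HSTS check above
WEIGHTS = {"Strict-Transport-Security": 25, "Content-Security-Policy": 25,
           "X-Frame-Options": 15, "X-Content-Type-Options": 15, "Referrer-Policy": 20}
GOOD_REFERRER = {"no-referrer", "strict-origin-when-cross-origin"}

def evaluate(headers):
    """Score a dict of HTTP response headers; returns present, missing, score, server_info."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    present, missing, points = [], [], 0

    def status_of(name, value):
        v = value.lower()
        if name == "Strict-Transport-Security":
            m = re.search(r"max-age=(\d+)", v)
            ok = bool(m) and int(m.group(1)) >= HSTS_MIN_AGE and "includesubdomains" in v
            return "good" if ok else "warning"
        if name == "Content-Security-Policy":
            return "good" if "default-src" in v else "warning"   # baseline directive check
        if name == "X-Frame-Options":
            return "good" if v in ("deny", "sameorigin") else "warning"
        if name == "X-Content-Type-Options":
            return "good" if v == "nosniff" else "warning"
        if name == "Referrer-Policy":
            return "good" if v in GOOD_REFERRER else "warning"
        return "present"

    for name, weight in WEIGHTS.items():
        value = h.get(name.lower())
        if value is None:
            missing.append({"name": name, "required": True})
            continue
        status = status_of(name, value)
        present.append({"name": name, "value": value, "status": status})
        points += weight if status == "good" else weight // 2   # assumed: half credit for warnings

    # Deprecated header: reported and flagged, never awarded points (XSS Auditor was removed).
    if "x-xss-protection" in h:
        present.append({"name": "X-XSS-Protection", "value": h["x-xss-protection"], "status": "warning"})

    max_points = sum(WEIGHTS.values())
    pct = round(100 * points / max_points)
    grade = "A" if pct >= 90 else "B" if pct >= 80 else "C" if pct >= 70 else "D" if pct >= 60 else "F"
    return {"present": present, "missing": missing,
            "score": {"total": points, "max": max_points, "grade": grade, "percentage": pct},
            "server_info": {k: h[k] for k in ("server", "x-powered-by") if k in h}}

# Constructed sample: a partially hardened site with a short HSTS max-age and no CSP.
SAMPLE = {"Strict-Transport-Security": "max-age=86400", "X-Frame-Options": "SAMEORIGIN",
          "X-Content-Type-Options": "nosniff", "X-XSS-Protection": "1; mode=block",
          "Server": "nginx/1.18.0"}
```

Running `evaluate(SAMPLE)` grades the constructed site F: the short HSTS lifetime and the deprecated X-XSS-Protection header surface as warnings, CSP and Referrer-Policy land in `missing`, and the Server banner is reported under `server_info`.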
Why It's Useful
HTTP security headers are your first line of defense against common web attacks including XSS, clickjacking, MIME-sniffing, and protocol downgrade attacks. OWASP, Mozilla Observatory, and compliance frameworks (PCI-DSS 4.0, SOC 2, HIPAA) all recommend these headers. Regular auditing catches misconfigurations before attackers exploit them — 67% of websites are missing at least one critical security header according to recent surveys.
Use Cases
Application Security Audit
Before deployment, verify that all required security headers are properly configured across web applications. Compare results against OWASP Secure Headers Project recommendations.
Catch security header misconfigurations before they reach production.
Compliance Verification
Document security header configuration as evidence for PCI-DSS 4.0 Requirement 6.4, SOC 2 CC6.1, or HIPAA Technical Safeguards audits.
Automate compliance evidence collection for security controls.
Vendor Security Assessment
Evaluate the security posture of third-party vendors and SaaS providers by analyzing their web application security headers as part of vendor risk management.
Assess vendor security without requiring access to their infrastructure.
CI/CD Security Gate
Integrate security header checks into CI/CD pipelines to automatically validate headers after each deployment.
Prevent security regressions with automated header validation.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| url | string | Required | The full URL to analyze (must include https://). Example: `https://example.com` |
| follow_redirects | string | Optional | Whether to follow HTTP redirects (default: true). Set to "false" to analyze the initial response. Example: `true` |
Response Fields
| Field | Type | Description |
|---|---|---|
| url | string | The original requested URL |
| final_url | string | The final URL after redirects |
| status_code | number | HTTP response status code |
| headers.present | array | Security headers found, each with name, value, and status (good/warning/present/info) |
| headers.missing | array | Missing security headers, each with name, required flag, and description |
| score | object | Scoring breakdown: total points, max possible, letter grade (A–F), and percentage |
| server_info | object | Server and X-Powered-By header values (information disclosure check) |
| recommendations | array | Prioritized remediation recommendations |
Code Examples

cURL:

```bash
curl "https://api.edgedns.dev/v1/security/headers" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -d "url=https://example.com"
```

JavaScript:

```javascript
const response = await fetch(
  'https://api.edgedns.dev/v1/security/headers?url=https%3A%2F%2Fexample.com',
  {
    headers: {
      'Authorization': 'Bearer YOUR_API_KEY'
    }
  }
);
const data = await response.json();
console.log(data);
```

Python:

```python
import requests

response = requests.get(
    'https://api.edgedns.dev/v1/security/headers',
    headers={'Authorization': 'Bearer YOUR_API_KEY'},
    params={
        'url': 'https://example.com'
    }
)
data = response.json()
print(data)
```