Security Headers
free/v1/security/headers

Comprehensive HTTP security-header audit aligned with OWASP Secure Headers Project + CSP Level 3 + CHIPS / Partitioned cookie rules. Evaluates Content-Security-Policy (incl. `strict-dynamic`, nonces, hashes, Trusted Types, reporting endpoints), Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and Cross-Origin policies (COEP, COOP, CORP). Performs deep cookie analysis — Secure / HttpOnly / SameSite / `__Host-` / `__Secure-` / `Partitioned` (CHIPS). Flags Cache-Control on likely-sensitive endpoints and fingerprints the Server / X-Powered-By software with known-EOL warnings.
What It Does
Fetches the URL with SSRF-safe redirect following, then scores headers against modern baselines. CSP scoring rewards `strict-dynamic` + nonces/hashes and `require-trusted-types-for 'script'`; penalizes `'unsafe-inline'`, `'unsafe-eval'`, and bare-`*` source-lists. HSTS is graded by actual max-age duration with partial credit for sub-1y values. Each Set-Cookie is parsed and graded per-cookie with `__Host-`/`__Secure-` prefix validation and CHIPS (`Partitioned`) warnings for cross-site iframe cookies. The server fingerprint table flags EOL nginx/Apache/PHP/IIS/Tomcat versions. Deprecated `X-XSS-Protection`, `Feature-Policy`, and `Expect-CT` are detected and recommended for removal.
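The CSP, HSTS and per-cookie rules described above, written out as an added Python example. This is not the endpoint's own implementation: the point values (CSP scored 0–4, HSTS 0–3), the finding strings and the sample headers and cookies are constructed assumptions; the checks themselves follow the rules in the text and the `__Host-`/`__Secure-` prefix requirements from the cookie specification.

```python
# Added example, not the edgedns API's own code. Point values and the sample
# response are assumptions; the checks follow the rules described on the page.
import re

ONE_YEAR = 31_536_000  # seconds; the usual HSTS baseline

def parse_csp(value):
    """Split a Content-Security-Policy string into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def grade_csp(value):
    """Score the script source list (0-4): reward 'strict-dynamic' with a nonce/hash
    and Trusted Types; penalise 'unsafe-inline', 'unsafe-eval' and a bare *."""
    if not value:
        return 0, ["missing Content-Security-Policy"]
    policy = parse_csp(value)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return 0, ["bad: no script-src or default-src, scripts are unrestricted"]
    strict = "'strict-dynamic'" in sources
    keyed = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources)
    points, findings = 0, []
    if keyed:
        points = 3 if strict else 2
        findings.append("good: nonce/hash" + (" with 'strict-dynamic'" if strict else ""))
    # CSP3 browsers ignore 'unsafe-inline' and host/scheme sources once
    # 'strict-dynamic' is present, so those count only against a policy without it.
    for src, counts in (("'unsafe-inline'", not strict), ("'unsafe-eval'", True), ("*", not strict)):
        if counts and src in sources:
            points -= 2
            findings.append(f"bad: {src} in script sources")
    if "'script'" in policy.get("require-trusted-types-for", []):
        points += 1
        findings.append("good: Trusted Types enforced for script sinks")
    return max(points, 0), findings

def grade_hsts(value):
    """Grade Strict-Transport-Security (0-3) by max-age, partial credit under one year."""
    if not value:
        return 0, ["missing Strict-Transport-Security"]
    match = re.search(r"max-age\s*=\s*(\d+)", value, re.IGNORECASE)
    if not match:
        return 0, ["bad: HSTS without max-age is ignored by browsers"]
    age = int(match.group(1))
    if age >= ONE_YEAR:
        return 3, ["good: max-age is at least one year"]
    return (1, [f"warning: max-age {age}s is under one year"]) if age else (0, ["bad: max-age=0 clears HSTS"])

def grade_cookie(set_cookie):
    """Parse one Set-Cookie value; check flags, __Host-/__Secure- prefixes and CHIPS."""
    name_value, *attrs = [p.strip() for p in set_cookie.split(";")]
    name = name_value.split("=", 1)[0]
    flags = {}
    for attr in attrs:
        key, _, val = attr.partition("=")
        flags[key.strip().lower()] = val.strip()
    secure, http_only = "secure" in flags, "httponly" in flags
    same_site = flags.get("samesite", "").lower()
    issues, invalid = [], False
    if name.startswith("__Host-") and not (secure and flags.get("path") == "/" and "domain" not in flags):
        invalid, issues = True, ["__Host- prefix requires Secure, Path=/ and no Domain"]
    elif name.startswith("__Secure-") and not secure:
        invalid, issues = True, ["__Secure- prefix requires Secure"]
    issues += [f"missing {f}" for f, p in (("Secure", secure), ("HttpOnly", http_only),
                                           ("SameSite", bool(same_site))) if not p]
    if same_site == "none" and not secure:
        issues.append("SameSite=None without Secure is rejected by browsers")
    chips_required = same_site == "none" and "partitioned" not in flags  # cross-site iframe cookie
    if chips_required:
        issues.append("cross-site cookie without Partitioned (CHIPS)")
    return {"name": name, "secure": secure, "httpOnly": http_only, "sameSite": same_site or None,
            "invalid": invalid, "chips_required": chips_required, "issues": issues}

def audit(headers, set_cookies):
    """One report for a response: CSP and HSTS points plus per-cookie findings."""
    cookies = [grade_cookie(c) for c in set_cookies]
    return {"csp": grade_csp(headers.get("Content-Security-Policy", "")),
            "hsts": grade_hsts(headers.get("Strict-Transport-Security", "")),
            "cookies": cookies,
            "any_invalid": any(c["invalid"] for c in cookies),
            "chips_required": any(c["chips_required"] for c in cookies)}

# Constructed sample response, not a real site's headers.
SAMPLE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'nonce-d3m0' 'strict-dynamic' "
                               "'unsafe-inline' https:; object-src 'none'; require-trusted-types-for 'script'",
    "Strict-Transport-Security": "max-age=15552000; includeSubDomains",
}
SAMPLE_COOKIES = [
    "__Host-session=abc; Path=/; Secure; HttpOnly; SameSite=Lax",
    "__Host-broken=abc; Path=/; Domain=example.com; HttpOnly",
    "embed=xyz; Secure; SameSite=None",
]

if __name__ == "__main__":
    print(audit(SAMPLE_HEADERS, SAMPLE_COOKIES))
```

Two details are worth keeping in mind when reading the output: `'unsafe-inline'` is not penalised once `'strict-dynamic'` is present, because CSP Level 3 browsers ignore it (and host sources) in that case, so a policy that carries it only as a fallback for older browsers is not weakened; and a cookie with `SameSite=None` is treated as cross-site and therefore expected to carry `Partitioned`, which is the CHIPS condition the `chips_required` field reports.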
Why It's Useful
HTTP security headers are your first line of defense against common web attacks including XSS, clickjacking, MIME-sniffing, and protocol downgrade attacks. OWASP, Mozilla Observatory, and compliance frameworks (PCI-DSS 4.0, SOC 2, HIPAA) all recommend these headers. Regular auditing catches misconfigurations before attackers exploit them — 67% of websites are missing at least one critical security header according to recent surveys.
Use Cases
Application Security Audit
Before deployment, verify that all required security headers are properly configured across web applications. Compare results against OWASP Secure Headers Project recommendations.
Catch security header misconfigurations before they reach production.
Compliance Verification
Document security header configuration as evidence for PCI-DSS 4.0 Requirement 6.4, SOC 2 CC6.1, or HIPAA Technical Safeguards audits.
Automate compliance evidence collection for security controls.
Vendor Security Assessment
Evaluate the security posture of third-party vendors and SaaS providers by analyzing their web application security headers as part of vendor risk management.
Assess vendor security without requiring access to their infrastructure.
CI/CD Security Gate
Integrate security header checks into CI/CD pipelines to automatically validate headers after each deployment.
Prevent security regressions with automated header validation.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| url | string | Required | The full URL to analyze (must include https://). Example: https://example.com |
| follow_redirects | string | Optional | Whether to follow HTTP redirects (default: true). Set to "false" to analyze the initial response. Example: true |
| probe | string | Optional | Phase 2: set "errors" to probe an unlikely-existing path (e.g., /edgedns-404-canary-...) on the same origin and report which security headers carry through on the 404 response. Common CDN cache rules skip the cache for non-2xx, leaving error pages naked. Adds 1 subrequest. Example: errors |
Response Fields
| Field | Type | Description |
|---|---|---|
| url | string | The original requested URL |
| final_url | string | The final URL after redirects |
| status_code | number | HTTP response status code |
| headers.present | array | Security headers found with name, value, and status (good/warning/present/info) |
| headers.missing | array | Missing security headers with name, required flag, and description |
| score | object | Scoring breakdown: total points, max possible, letter grade (A–F), and percentage |
| server_info | object | { server, powered_by, fingerprint }. fingerprint resolves the Server header to a known product/version and flags known-EOL releases. |
| cookies | object | Per-cookie analysis: { count, all_secure, all_http_only, all_same_site, any_invalid, chips_required, cookies[{ name, secure, httpOnly, sameSite, partitioned, prefix, invalid, issues }] }. `chips_required` flags cross-site cookies missing `Partitioned`. |
| cache_control | object | { value, sensitive_response, has_no_store, warning }. Warns when a response looks sensitive (Set-Cookie present or auth-style URL) but Cache-Control lacks `no-store`. |
| reporting | object | Phase 2: parses Report-To, Reporting-Endpoints, and NEL headers. Without one of these, CSP/COOP/COEP/NEL violations are invisible in production. Flags non-HTTPS reporting URLs. |
| error_page_probe | object \| null | Phase 2: only populated when ?probe=errors. Probes /edgedns-404-canary-* on the same origin and reports which security headers (HSTS, X-Frame-Options, X-Content-Type-Options, CSP) the error response is missing relative to the main page. |
| recommendations | array | Prioritized remediation recommendations |
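The CI/CD Security Gate use case, applied to the response fields documented above, as an added Python example (not the endpoint's own tooling). It fails a build when the letter grade is below a threshold, a required header is missing, `cookies.chips_required` is set, or `cache_control.warning` fires. The key name `score.grade` for the letter grade is an assumption (the table documents the grade but not its key), and the sample report is constructed rather than captured from the API; `fetch_report` shows the real call but is not exercised by the sample.

```python
# Added example, not the edgedns API's own code: a pipeline gate over the
# documented JSON report. score.grade is an assumed key; SAMPLE_REPORT is constructed.
import json
import urllib.parse
import urllib.request

GRADES = "ABCDEF"  # best to worst, as documented (A-F)
ENDPOINT = "https://api.edgedns.dev/v1/security/headers"

def fetch_report(url, api_key, probe_errors=False):
    """Call the endpoint over the network; not used by the constructed sample below."""
    params = {"url": url}
    if probe_errors:
        params["probe"] = "errors"  # documented Phase 2 parameter
    req = urllib.request.Request(
        ENDPOINT + "?" + urllib.parse.urlencode(params),
        headers={"Authorization": "Bearer " + api_key},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def gate(report, min_grade="B"):
    """Return (passed, reasons); reasons is empty when the gate passes."""
    reasons = []
    raw_grade = report["score"]["grade"]            # assumed key name
    grade = raw_grade.rstrip("+")                   # treat any '+' suffix as the base grade
    if GRADES.index(grade) > GRADES.index(min_grade):
        reasons.append(f"grade {raw_grade} is below the required {min_grade}")
    for header in report.get("headers", {}).get("missing", []):
        if header.get("required"):
            reasons.append(f"required header missing: {header['name']}")
    if report.get("cookies", {}).get("chips_required"):
        reasons.append("cross-site cookie(s) set without Partitioned (CHIPS)")
    warning = report.get("cache_control", {}).get("warning")
    if warning:
        reasons.append(f"cache-control: {warning}")
    return not reasons, reasons

# Constructed report in the documented shape (not a real API response).
SAMPLE_REPORT = {
    "url": "https://example.com", "final_url": "https://example.com/", "status_code": 200,
    "score": {"total": 55, "max": 100, "grade": "C", "percentage": 55},
    "headers": {
        "present": [{"name": "Strict-Transport-Security", "value": "max-age=63072000", "status": "good"}],
        "missing": [
            {"name": "Content-Security-Policy", "required": True, "description": "constructed"},
            {"name": "Permissions-Policy", "required": False, "description": "constructed"},
        ],
    },
    "cookies": {"count": 1, "chips_required": True, "cookies": []},
    "cache_control": {"value": "public, max-age=60", "sensitive_response": True,
                      "has_no_store": False, "warning": "sensitive response cached without no-store"},
}

if __name__ == "__main__":
    import sys
    passed, reasons = gate(SAMPLE_REPORT, "B")
    for reason in reasons:
        print("FAIL:", reason)
    sys.exit(0 if passed else 1)
```

In a pipeline, replace `SAMPLE_REPORT` with `fetch_report(deploy_url, api_key)` after each deployment; the non-zero exit is what blocks the stage. Pass `probe_errors=True` when the origin sits behind a CDN, so the gate also sees the `error_page_probe` result for non-2xx responses.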
Code Examples
cURL

```bash
curl "https://api.edgedns.dev/v1/security/headers" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -d "url=https://example.com"
```

JavaScript

```javascript
const response = await fetch(
  'https://api.edgedns.dev/v1/security/headers?url=https%3A%2F%2Fexample.com',
  {
    headers: {
      'Authorization': 'Bearer YOUR_API_KEY'
    }
  }
);
const data = await response.json();
console.log(data);
```

Python

```python
import requests

response = requests.get(
    'https://api.edgedns.dev/v1/security/headers',
    headers={'Authorization': 'Bearer YOUR_API_KEY'},
    params={
        'url': 'https://example.com'
    }
)
data = response.json()
print(data)
```