GET /api/security-headers
Security Headers
Check common HTTP security headers for any URL. Follows redirects and returns the final URL, HTTP status code, a subset of security-relevant headers, and a per-header analysis. Results are cached for 60 seconds.
Query parameters
url (required): The URL to check. Scheme may be http or https; if omitted, https is assumed.
Headers checked
strict-transport-security: Valid if present and includes a max-age directive.
content-security-policy: Valid if present and non-empty.
x-frame-options: Valid if value is DENY, SAMEORIGIN, or ALLOW-FROM <url>.
x-content-type-options: Valid if value is nosniff.
referrer-policy: Valid if present and non-empty.
permissions-policy: Valid if present and non-empty.
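The validity rules above are simple enough to reproduce locally, which is useful for checking a server's headers before a deploy or for interpreting the endpoint's analysis field. The following is an added example, not TinyUtils' own code: it applies the six documented rules to a header map and returns the same analysis, score and max_score shape as the documented response. Only presence and basic format are judged, exactly as documented; a "valid" content-security-policy says nothing about how strong the policy is.

```javascript
// Re-implementation of the documented per-header rules (added example,
// not the TinyUtils service code). Header names match case-insensitively.
const CHECKS = {
  "strict-transport-security": (v) => /(^|;)\s*max-age\s*=\s*\d+/i.test(v),
  "content-security-policy": (v) => v.trim().length > 0, // non-empty only
  "x-frame-options": (v) => /^(DENY|SAMEORIGIN|ALLOW-FROM\s+\S+)$/i.test(v.trim()),
  "x-content-type-options": (v) => v.trim().toLowerCase() === "nosniff",
  "referrer-policy": (v) => v.trim().length > 0,
  "permissions-policy": (v) => v.trim().length > 0,
};

// Returns { analysis, score, max_score } in the documented response shape.
function analyzeHeaders(rawHeaders) {
  // Normalise names so "X-Frame-Options" and "x-frame-options" are alike.
  const headers = {};
  for (const [name, value] of Object.entries(rawHeaders)) {
    headers[name.toLowerCase()] = String(value);
  }
  const analysis = {};
  let score = 0;
  for (const [name, isValid] of Object.entries(CHECKS)) {
    const present = name in headers;
    const valid = present && isValid(headers[name]);
    if (valid) score += 1;
    analysis[name.replace(/-/g, "_")] = { present, valid };
  }
  return { analysis, score, max_score: Object.keys(CHECKS).length };
}

// Names of the checks that did not pass, for a CI gate or a report line.
function failingChecks(result) {
  return Object.entries(result.analysis)
    .filter(([, r]) => !r.valid)
    .map(([name]) => name);
}

// Constructed sample: the two headers from the documented example response.
const exampleHeaders = {
  "Strict-Transport-Security": "max-age=63072000",
  "X-Frame-Options": "SAMEORIGIN",
};
// Constructed sample: headers that are present but fail the format rule,
// which the analysis reports as present: true, valid: false.
const malformedHeaders = {
  "strict-transport-security": "includeSubDomains", // no max-age directive
  "x-frame-options": "ALLOWALL",                    // not an accepted value
  "x-content-type-options": "none",                 // must be nosniff
  "content-security-policy": "   ",                 // effectively empty
};

console.log(JSON.stringify(analyzeHeaders(exampleHeaders), null, 2));
console.log(failingChecks(analyzeHeaders(malformedHeaders)));
```

Running it on exampleHeaders yields score 2 of 6, matching the documented example response.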
Example request
curl
curl "https://tinyutils.dev/api/security-headers?url=https://example.com"
JavaScript (fetch)
const res = await fetch(
  "https://tinyutils.dev/api/security-headers?url=https://example.com"
);
const data = await res.json();
Example response
{
"ok": true,
"input_url": "https://example.com",
"final_url": "https://www.example.com/",
"status": 200,
"headers": {
"strict-transport-security": "max-age=63072000",
"x-frame-options": "SAMEORIGIN"
},
"analysis": {
"strict_transport_security": { "present": true, "valid": true },
"content_security_policy": { "present": false, "valid": false },
"x_frame_options": { "present": true, "valid": true },
"x_content_type_options": { "present": false, "valid": false },
"referrer_policy": { "present": false, "valid": false },
"permissions_policy": { "present": false, "valid": false }
},
"score": 2,
"max_score": 6,
"meta": {
"responseTimeMs": 96,
"cached": false,
"rateLimitedScope": "global"
},
"error": null
}
Error response
{
"ok": false,
"input_url": "not-a-url",
"final_url": null,
"status": null,
"headers": null,
"analysis": null,
"score": null,
"max_score": 6,
"error": "INVALID_URL",
"meta": {
"responseTimeMs": 0,
"cached": false,
"rateLimitedScope": "global"
}
}
Error codes
INVALID_URL: The URL is missing, malformed, or uses an unsupported scheme.
BLOCKED_HOST: The target resolves to a private, reserved, or internal address.
TIMEOUT: The request exceeded the 2.5s timeout.
NETWORK_ERROR: A network error prevented the request from completing.
TOO_MANY_REDIRECTS: The URL required more than 10 redirects to resolve.
REDIRECT_LOOP: Redirect resolution detected a loop and could not reach a final URL.
MISSING_LOCATION: A redirect response was missing the required Location header.
RATE_LIMITED: You have exceeded the daily request limit.
INTERNAL_ERROR: An unexpected server error occurred.
Rate limiting
Requests are rate-limited via a global pool shared with other TinyUtils endpoints. Results are cached for 60 seconds to reduce duplicate requests. When the limit is exceeded, the endpoint returns HTTP 429 with RATE_LIMITED.
See also
Looking for use-case guidance? Security Headers API walks through common inspection scenarios and integration patterns.