Security Headers
Check common HTTP security headers for any URL. Follows redirects and returns a per-header analysis with a score out of six.
GET /api/security-headers
{
  "ok": true,
  "input_url": "https://example.com",
  "final_url": "https://www.example.com/",
  "status": 200,
  "headers": {
    "strict-transport-security": "max-age=63072000",
    "x-frame-options": "SAMEORIGIN"
  },
  "analysis": {
    "strict_transport_security": { "present": true, "valid": true },
    "content_security_policy": { "present": false, "valid": false },
    "x_frame_options": { "present": true, "valid": true },
    "x_content_type_options": { "present": false, "valid": false },
    "referrer_policy": { "present": false, "valid": false },
    "permissions_policy": { "present": false, "valid": false }
  },
  "score": 2,
  "max_score": 6,
  "meta": {
    "responseTimeMs": 96,
    "cached": false,
    "rateLimitedScope": "global"
  },
  "error": null
}
What it returns
- ok - whether the request succeeded
- input_url - the URL you submitted
- final_url - the URL after following any redirects
- status - HTTP status code of the final response
- headers - security-relevant response headers as key/value pairs
- analysis - per-header present/valid breakdown
- score - count of headers that passed validation
- max_score - total number of headers checked (6)
- meta.responseTimeMs - total time including redirects
- meta.cached - whether the result came from cache
- error - error code if the request failed
Use cases
- Check missing security headers across production hosts
- Validate basic security posture after a deployment
- Debug header misconfiguration on staging environments
- Quick security checks in CI pipelines
Quick API examples
curl
curl "https://tinyutils.dev/api/security-headers?url=https://example.com"
JavaScript (fetch)
const res = await fetch(
  "https://tinyutils.dev/api/security-headers?url=https://example.com"
);
const data = await res.json();
console.log("Score:", data.score, "/", data.max_score);
console.log("CSP present:", data.analysis.content_security_policy.present);
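
For the CI use case listed above, one way to turn the response into a pass/fail decision. This is an added example, not code from tinyutils.dev: `evaluateReport` is a hypothetical helper, and the required-header list and minimum score are assumed policy choices rather than values the API defines.

```javascript
// Added example: gate a build on a /api/security-headers response.
// Field names come from the sample response on this page.
// REQUIRED and MIN_SCORE are assumed policy choices, not API-defined values.
const REQUIRED = ["strict_transport_security", "content_security_policy", "x_content_type_options"];
const MIN_SCORE = 4;

function evaluateReport(report, required = REQUIRED, minScore = MIN_SCORE) {
  // A failed lookup must fail the gate instead of passing with an empty analysis.
  if (!report || report.ok !== true || report.error) {
    return [`lookup failed: ${report && report.error ? report.error : "no usable response"}`];
  }
  const failures = [];
  // The analysis describes final_url, so flag redirect chains that end outside HTTPS.
  if (!String(report.final_url).startsWith("https://")) {
    failures.push(`final_url is not HTTPS: ${report.final_url}`);
  }
  if (report.status >= 400) failures.push(`final response status ${report.status}`);
  for (const name of required) {
    const entry = (report.analysis || {})[name];
    if (!entry || !entry.present) failures.push(`${name}: missing`);
    else if (!entry.valid) failures.push(`${name}: present but failed validation`);
  }
  if (report.score < minScore) {
    failures.push(`score ${report.score}/${report.max_score} below minimum ${minScore}`);
  }
  return failures;
}

// Constructed input: the sample response from this page, trimmed to the fields used.
const sampleReport = {
  ok: true, final_url: "https://www.example.com/", status: 200,
  analysis: {
    strict_transport_security: { present: true, valid: true },
    content_security_policy: { present: false, valid: false },
    x_frame_options: { present: true, valid: true },
    x_content_type_options: { present: false, valid: false },
    referrer_policy: { present: false, valid: false },
    permissions_policy: { present: false, valid: false },
  },
  score: 2, max_score: 6, error: null,
};

const sampleFailures = evaluateReport(sampleReport);
for (const f of sampleFailures) console.log("FAIL", f);
// In a CI job, set process.exitCode = 1 when the returned list is non-empty.
```

Checking `ok` and `error` before reading `analysis` keeps a timeout or rate-limited lookup from being read as a clean result.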