Security Headers API — check HTTP security headers
Need to audit security headers across your sites from a script, CI job, or monitoring tool - without opening DevTools or writing custom fetch logic? Use the TinyUtils Security Headers API.
The problem
Manually checking security headers is tedious. For each URL you need to follow redirects, inspect the final response, and cross-reference a list of headers - before you can flag what is missing or misconfigured.
The TinyUtils Security Headers API handles all of that in a single GET request. It returns a per-header breakdown and a score so you can act on the results immediately.
Quick solution
Send a GET request to /api/security-headers with the URL you want to check. You get back the security headers that are present, a per-header analysis, and a score out of six.
curl
curl "https://tinyutils.dev/api/security-headers?url=https://example.com"
Example response
{
  "ok": true,
  "input_url": "https://example.com",
  "final_url": "https://www.example.com/",
  "status": 200,
  "headers": {
    "strict-transport-security": "max-age=63072000",
    "x-frame-options": "SAMEORIGIN"
  },
  "analysis": {
    "strict_transport_security": { "present": true, "valid": true },
    "content_security_policy": { "present": false, "valid": false },
    "x_frame_options": { "present": true, "valid": true },
    "x_content_type_options": { "present": false, "valid": false },
    "referrer_policy": { "present": false, "valid": false },
    "permissions_policy": { "present": false, "valid": false }
  },
  "score": 2,
  "max_score": 6,
  "meta": {
    "responseTimeMs": 96,
    "cached": false,
    "rateLimitedScope": "global"
  },
  "error": null
}
Use cases
- Detect missing security headers across production hosts
- Run basic security audits from scripts or dashboards
- Validate header configuration after a deployment in CI
- Monitor security posture changes over time
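For the CI use case, a response can be turned into a pass/fail gate. The following is an added example, not TinyUtils code: the required-header list, the minimum score and the function names are hypothetical policy choices, and the sample input is constructed from the example response above so the block runs offline.

```javascript
// Added example; REQUIRED and MIN_SCORE are hypothetical policy values.
const REQUIRED = [
  "strict_transport_security",
  "content_security_policy",
  "x_content_type_options",
];
const MIN_SCORE = 4;

// Percent-encode the target so its own query string survives as one parameter.
function buildRequestUrl(target, base = "https://tinyutils.dev/api/security-headers") {
  return `${base}?url=${encodeURIComponent(target)}`;
}

function evaluateReport(report, required = REQUIRED, minScore = MIN_SCORE) {
  // A check that did not complete must fail the gate, not pass silently.
  if (!report || report.ok !== true) {
    return { pass: false, findings: [`check failed: ${report?.error ?? "no response"}`] };
  }
  const findings = [];
  // The analysis describes final_url, so flag a redirect chain that ends off HTTPS.
  if (!String(report.final_url).startsWith("https://")) {
    findings.push(`final URL is not HTTPS: ${report.final_url}`);
  }
  for (const key of required) {
    const entry = report.analysis?.[key];
    if (!entry || !entry.present) findings.push(`missing: ${key}`);
    else if (!entry.valid) findings.push(`present but invalid: ${key}`);
  }
  if (report.score < minScore) {
    findings.push(`score ${report.score}/${report.max_score} is below ${minScore}`);
  }
  return { pass: findings.length === 0, findings };
}

// Constructed sample: the example response above, reduced to the fields used here.
const SAMPLE = {
  ok: true,
  final_url: "https://www.example.com/",
  analysis: {
    strict_transport_security: { present: true, valid: true },
    content_security_policy: { present: false, valid: false },
    x_content_type_options: { present: false, valid: false },
  },
  score: 2, max_score: 6, error: null,
};

const result = evaluateReport(SAMPLE);
console.log(result.pass ? "PASS" : "FAIL", result.findings);
// In a CI job, end the step with: process.exitCode = result.pass ? 0 : 1;
```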
JavaScript example
JavaScript (fetch)
// Top-level await needs an ES module (or wrap this in an async function).
const target = "https://example.com";
const res = await fetch(
  // Encode the target so any query string it carries stays inside the url parameter.
  "https://tinyutils.dev/api/security-headers?url=" + encodeURIComponent(target)
);
const data = await res.json();
if (!data.ok) {
  console.error("Request failed:", data.error);
} else {
  console.log("Score:", data.score, "/", data.max_score);
  const { analysis } = data;
  if (!analysis.content_security_policy.present) {
    console.warn("Missing: Content-Security-Policy");
  }
  if (!analysis.x_content_type_options.valid) {
    console.warn("Invalid or missing: X-Content-Type-Options");
  }
}
See also
Try the Security Headers tool
Enter any URL and check its security headers instantly.
Open Security Headers →