{"openapi":"3.1.0","info":{"title":"Security Headers API","version":"1.0.0","description":"Fetch any URL and analyse its HTTP response security headers — grading the site A+ to F the way securityheaders.com and Mozilla Observatory do. Pass a URL and the service makes the request server-side (following redirects), then reports which protective headers are present, which are missing (with concrete remediation advice) and which response headers leak information. Graded headers include Strict-Transport-Security (HSTS), Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy and Cross-Origin-Opener-Policy; information-leak headers include Server and X-Powered-By. A companion endpoint returns every raw response header. Private and internal targets are refused (SSRF-guarded). Built for security audits, CI/CD security gates, attack-surface reviews and compliance checks. A security-header grader — distinct from the SSL/TLS certificate check (sslcheck), host reachability (hostcheck), the IANA HTTP status-code reference (http) and the on-page SEO audit (seo). No upstream key, no cache.","contact":{"name":"PremiumApi","url":"https://www.oanor.com/by/premiumapi"}},"servers":[{"url":"https://api.oanor.com/secheaders-api","description":"oanor gateway"}],"tags":[{"name":"Security Headers"},{"name":"Meta"}],"components":{"securitySchemes":{"oanorKey":{"type":"apiKey","in":"header","name":"x-oanor-key","description":"Get your key at https://www.oanor.com/developer/keys"}}},"security":[{"oanorKey":[]}],"paths":{"/v1/analyze":{"get":{"operationId":"get_v1_analyze","tags":["Security Headers"],"summary":"Grade a site's security headers","description":"","parameters":[{"name":"url","in":"query","required":true,"description":"URL to analyse","schema":{"type":"string"},"example":"https://example.com"}],"security":[{"oanorKey":[]}],"responses":{"200":{"description":"OK","content":{"application/json":{"example":{"data":{"url":"https://example.com/","grade":"F","score":0,"status":200,"missing":[{"advice":"Enforce HTTPS with HSTS (e.g. max-age=31536000; includeSubDomains).","header":"Strict-Transport-Security"},{"advice":"Define a CSP to mitigate XSS and data-injection.","header":"Content-Security-Policy"},{"advice":"Set 'nosniff' to stop MIME-type sniffing.","header":"X-Content-Type-Options"},{"advice":"Set DENY/SAMEORIGIN (or CSP frame-ancestors) to prevent clickjacking.","header":"X-Frame-Options"},{"advice":"Set a Referrer-Policy (e.g. strict-origin-when-cross-origin).","header":"Referrer-Policy"},{"advice":"Restrict powerful features with a Permissions-Policy.","header":"Permissions-Policy"},{"advice":"Set COOP (e.g. same-origin) for cross-origin isolation.","header":"Cross-Origin-Opener-Policy"}],"percent":0,"present":[],"summary":"0/7 key security headers present; grade F (0%)","final_url":"https://example.com/","max_score":100,"information_leaks":[{"value":"cloudflare","header":"server"}]},"meta":{"timestamp":"2026-06-01T23:40:51.289Z","request_id":"585321c3-7e38-4562-a2fc-5b12fc6ce95a"},"status":"ok","message":"Security headers analyzed","success":true}}}},"401":{"description":"Missing or invalid x-oanor-key header"},"402":{"description":"Active subscription required"},"429":{"description":"Rate-limit or monthly quota reached"},"502":{"description":"Upstream did not respond"}}}},"/v1/headers":{"get":{"operationId":"get_v1_headers","tags":["Security Headers"],"summary":"All raw response headers","description":"","parameters":[{"name":"url","in":"query","required":true,"description":"URL to fetch","schema":{"type":"string"},"example":"https://example.com"}],"security":[{"oanorKey":[]}],"responses":{"200":{"description":"OK","content":{"application/json":{"example":{"data":{"url":"https://example.com/","status":200,"headers":{"age":"7","date":"Mon, 01 Jun 2026 23:40:51 GMT","allow":"GET, HEAD","cf-ray":"a05210d53fd38c46-FRA","server":"cloudflare","connection":"keep-alive","content-type":"text/html","last-modified":"Thu, 28 May 2026 18:39:43 GMT","cf-cache-status":"HIT","content-encoding":"gzip","transfer-encoding":"chunked"},"final_url":"https://example.com/"},"meta":{"timestamp":"2026-06-01T23:40:51.399Z","request_id":"008c42ab-53c7-42a4-8363-14d827bd6dd3"},"status":"ok","message":"Response headers retrieved","success":true}}}},"401":{"description":"Missing or invalid x-oanor-key header"},"402":{"description":"Active subscription required"},"429":{"description":"Rate-limit or monthly quota reached"},"502":{"description":"Upstream did not respond"}}}},"/v1/meta":{"get":{"operationId":"get_v1_meta","tags":["Meta"],"summary":"Graded headers & grade scale","description":"","parameters":[],"security":[{"oanorKey":[]}],"responses":{"200":{"description":"OK","content":{"application/json":{"example":{"data":{"note":"Fetch any URL and analyse its HTTP response security headers, the way securityheaders.com and Mozilla Observatory do. /v1/analyze?url=https://example.com grades the site A+ to F from the protective headers it sets — Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy and Cross-Origin-Opener-Policy — listing which are present, which are missing (with remediation advice) and which response headers leak information (Server, X-Powered-By…). /v1/headers returns every raw response header. The request is made server-side and follows redirects; private/internal targets are refused (SSRF-guarded). Ideal for security audits, CI gates, attack-surface reviews and compliance checks. A security-header grader — distinct from the SSL/TLS certificate check (sslcheck), host reachability (hostcheck), the IANA HTTP status-code reference (http) and the on-page SEO audit (seo). No key, no cache.","grades":["A+","A","B","C","D","F"],"endpoints":["/v1/analyze","/v1/headers","/v1/meta"],"graded_headers":[{"header":"Strict-Transport-Security","weight":25},{"header":"Content-Security-Policy","weight":25},{"header":"X-Content-Type-Options","weight":12},{"header":"X-Frame-Options","weight":12},{"header":"Referrer-Policy","weight":12},{"header":"Permissions-Policy","weight":8},{"header":"Cross-Origin-Opener-Policy","weight":6}],"information_leak_headers":["server","x-powered-by","x-aspnet-version","x-aspnetmvc-version"]},"meta":{"timestamp":"2026-06-01T23:40:51.500Z","request_id":"aedd7d5f-f98c-4cef-b8ef-bdfd86f24407"},"status":"ok","message":"Meta retrieved","success":true}}}},"401":{"description":"Missing or invalid x-oanor-key header"},"402":{"description":"Active subscription required"},"429":{"description":"Rate-limit or monthly quota reached"},"502":{"description":"Upstream did not respond"}}}}},"x-oanor-pricing":[{"slug":"free","name":"Free","price_cents_month":0,"monthly_call_quota":2520,"rps_limit":2,"hard_limit":true},{"slug":"starter","name":"Starter","price_cents_month":710,"monthly_call_quota":50500,"rps_limit":8,"hard_limit":true},{"slug":"pro","name":"Pro","price_cents_month":2210,"monthly_call_quota":252000,"rps_limit":20,"hard_limit":true},{"slug":"mega","name":"Mega","price_cents_month":5850,"monthly_call_quota":910000,"rps_limit":50,"hard_limit":true}],"x-oanor-marketplace-url":"https://www.oanor.com/api/secheaders-api"}