#web

Fetch and evaluate any publisher's ads.txt / app-ads.txt — the IAB authorized-digital-sellers standard. Pass a domain and the check endpoint fetches its ads.txt server-side, then returns every seller record parsed into its fields — advertising system, the publisher's seller/account id, the DIRECT or RESELLER relationship and the optional certification-authority id (TAG-ID) — alongside counts (direct, reseller, distinct ad systems) and the declared variables OWNERDOMAIN, MANAGERDOMAIN, CONTACT and SUBDOMAINS. The verify endpoint answers the one question programmatic-advertising integrations actually ask: is this advertising system, with this publisher id, authorized to sell this domain's inventory? — returning an authorized boolean and the matching records. A missing file is reported as found:false (not an error), and soft-404 HTML pages are detected and rejected so you never parse a "page not found" as records. The request is made server-side and private or internal targets are refused (SSRF-guarded). Built for ad-tech supply-chain verification, SSP/DSP onboarding checks, anti-fraud and inventory audits. An ads.txt seller-authorization checker — distinct from the security-contact file reader (securitytxt), the robots.txt crawlability evaluator (robots) and the sitemap parser (sitemap). No upstream key, no cache.

api.oanor.com/adstxt-api

Fetch and parse an XML sitemap (the sitemaps.org protocol). Pass a sitemap URL and the parse endpoint fetches it — following redirects and transparently gunzipping .gz sitemaps — and returns its type: a urlset with every URL and its lastmod, changefreq and priority, or a sitemapindex listing the child sitemaps, with offset/limit paging for large files. The urls endpoint goes further: when the sitemap is an index it fetches the child sitemaps too and flattens every page URL into a single list, with a configurable cap on URLs and child sitemaps and a truncated flag so you stay in control. The request is made server-side and private or internal targets are refused (SSRF-guarded). Built for SEO audits, building crawl queues and content inventories, change monitoring and migration checks. A sitemap fetcher and parser — distinct from generic XML-to-JSON conversion (xml), the robots.txt evaluator (robots) and the on-page SEO audit (seo). No upstream key, no cache.

api.oanor.com/sitemap-api

Fetch and evaluate any website's robots.txt. Pass a URL and a user-agent and the check endpoint tells you whether that URL is crawlable — selecting the most-specific user-agent group and applying the RFC 9309 longest-match Allow/Disallow rules (with * and $ wildcards, where Allow wins ties), and returning the matched rule, the group's crawl-delay and the sitemaps the site declares. The parse endpoint returns the whole file structured into per-user-agent groups (their allow and disallow lists and crawl-delay) plus the list of sitemaps. A missing robots.txt (404/403) means everything is allowed, exactly as the spec requires. The request is made server-side and private or internal targets are refused (SSRF-guarded). Built for SEO audits, crawler and scraper compliance, sitemap discovery and pre-flight "am I allowed to fetch this?" checks. A robots.txt evaluator — distinct from the on-page SEO audit (seo), the XML toolkit (xml) and link unfurling/preview (url). No upstream key, no cache.

api.oanor.com/robots-api

Genera hashes de Subresource Integrity (SRI) para cualquier activo web, de modo que los navegadores puedan verificar que un script u hoja de estilo alojado en una CDN no ha sido manipulado. Pasa una URL y el servicio obtiene el activo y devuelve sus hashes SRI sha256, sha384 y sha512, el valor de integridad elegido (sha384 por defecto, o pasa tu algoritmo preferido), el tamaño y tipo de contenido del activo, y una etiqueta <script> o <link> lista para pegar con los atributos integrity y crossorigin. Un endpoint de verificación vuelve a obtener el activo y te dice si aún coincide con una cadena de integridad conocida, detectando cambios silenciosos en la CDN o manipulación en la cadena de suministro antes de que tus usuarios los encuentren. La solicitud se realiza del lado del servidor; los destinos privados e internos son rechazados (protegido contra SSRF). Construido para asegurar scripts de terceros, endurecer la cadena de suministro, pipelines de compilación y cumplimiento de CSP/SRI. Un generador y verificador de Subresource Integrity — distinto del hash criptográfico en bruto de datos de entrada (hash), el calificador de encabezados de seguridad HTTP (secheaders) y la verificación de certificados SSL/TLS (sslcheck). Sin clave upstream, sin caché.

api.oanor.com/sri-api

Recupera e analizza il file security.txt RFC 9116 di qualsiasi dominio — il file leggibile dalla macchina situato in /.well-known/security.txt che indica ai ricercatori di sicurezza come segnalare le vulnerabilità. Fornisci un dominio e il servizio localizza il file (il percorso canonico .well-known con un fallback legacy alla radice), analizza ogni campo — Contact, Expires, Encryption, Acknowledgments, Preferred-Languages, Canonical, Policy, Hiring e CSAF — e segnala se è valido (ha almeno un Contact e un singolo Expires non scaduto), se è firmato PGP, se è scaduto (con il numero di giorni rimanenti) e un elenco di problemi con consigli concreti. Un endpoint complementare restituisce il file grezzo. La richiesta è eseguita lato server; i target privati e interni vengono rifiutati (protetto da SSRF). Progettato per audit di sicurezza, valutazione del rischio di fornitori e terze parti, revisioni della superficie d'attacco e controlli di conformità delle politiche di divulgazione delle vulnerabilità. Un parser e validatore di security.txt — distinto dal grader delle intestazioni di sicurezza HTTP (secheaders), dal controllo del certificato SSL/TLS (sslcheck) e dalla raggiungibilità dell'host (hostcheck). Nessuna chiave upstream, nessuna cache.

api.oanor.com/securitytxt-api

Fetch any URL and analyse its HTTP response security headers — grading the site A+ to F the way securityheaders.com and Mozilla Observatory do. Pass a URL and the service makes the request server-side (following redirects), then reports which protective headers are present, which are missing (with concrete remediation advice) and which response headers leak information. Graded headers include Strict-Transport-Security (HSTS), Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy and Cross-Origin-Opener-Policy; information-leak headers include Server and X-Powered-By. A companion endpoint returns every raw response header. Private and internal targets are refused (SSRF-guarded). Built for security audits, CI/CD security gates, attack-surface reviews and compliance checks. A security-header grader — distinct from the SSL/TLS certificate check (sslcheck), host reachability (hostcheck), the IANA HTTP status-code reference (http) and the on-page SEO audit (seo). No upstream key, no cache.

api.oanor.com/secheaders-api

El directorio oficial de plugins y temas de WordPress.org como API — el registro detrás del ~40% de la web que funciona con WordPress. Busca cualquier plugin o tema por su slug para obtener su nombre, versión, autor, calificación de usuario y número de calificaciones, número de instalaciones activas y descargas totales, las versiones de WordPress y PHP que requiere, fecha de última actualización, página de inicio, URL de soporte y enlace de descarga directa; y busca en el directorio por palabra clave (plugins o temas), con resultados ordenados por instalaciones activas. Cubre los más de 60,000 plugins gratuitos y más de 13,000 temas en WordPress.org, desde WooCommerce, Yoast SEO y Elementor hasta Contact Form 7 y Jetpack. En vivo desde la API oficial api.wordpress.org. Ideal para paneles de WordPress y administradores de sitios, catálogos de plugins/temas, herramientas de compatibilidad y actualización, y el ecosistema de desarrolladores de WordPress. Datos abiertos de WordPress.org.

api.oanor.com/wordpress-api