Security Headers Audit
Grade HTTP security headers — HSTS, CSP, X-Frame-Options, and more.
GET /v1/security-headers
curl "https://dns.toolkitapi.io/v1/security-headers?domain=github.com"
import httpx

# Query the endpoint for one domain; the response body is the JSON shown below.
resp = httpx.get("https://dns.toolkitapi.io/v1/security-headers?domain=github.com")
print(resp.json())
// Query the endpoint for one domain; the response body is the JSON shown below.
const resp = await fetch("https://dns.toolkitapi.io/v1/security-headers?domain=github.com");
const data = await resp.json();
console.log(data);
Response
200 OK
{
"domain": "github.com",
"url": "https://github.com",
"score": 90,
"grade": "A",
"checks": [
{"header": "Strict-Transport-Security", "present": true, "value": "max-age=31536000; includeSubdomains; preload", "status": "pass", "detail": "HSTS enabled with preload and includeSubdomains", "points": 15},
{"header": "Content-Security-Policy", "present": true, "value": "default-src 'none'; ...", "status": "pass", "detail": "CSP header found with restrictive policy", "points": 15},
{"header": "X-Frame-Options", "present": true, "value": "deny", "status": "pass", "detail": "Clickjacking protection enabled", "points": 10}
],
"query_time_ms": 203.1
}
How to Use
1. Pass the domain in the `domain` parameter.
2. Review the `grade` and individual `checks` for missing or misconfigured headers.
3. Implement missing headers starting with the highest-point ones (HSTS, CSP).
About This Tool
Security Headers Audit grades a website's HTTP security headers (score 0-100, grade A-F). It checks HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP, CORP, COEP, and penalizes information-leaking headers such as Server and X-Powered-By.
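As an added example (not the API's own code), the local grader below mirrors the checks this endpoint reports, so a `checks` array like the one in the sample response can be reproduced against headers you already hold, for instance from a staging deployment. The HSTS, CSP and X-Frame-Options point values are taken from the sample response above; the remaining weights, the leak penalty, the "version in Server" rule and the grade bands are assumptions, not the service's documented scoring.

```python
# (header, points, predicate on the lowercased value). HSTS/CSP/X-Frame-Options weights
# are from the sample response above; the rest are assumed so a full set totals 100.
CHECKS = [
    ("Strict-Transport-Security", 15, lambda v: "max-age=" in v),
    ("Content-Security-Policy", 15, lambda v: "default-src" in v and "unsafe-inline" not in v),
    ("X-Frame-Options", 10, lambda v: v in ("deny", "sameorigin")),
    ("X-Content-Type-Options", 10, lambda v: v == "nosniff"),
    ("Referrer-Policy", 10, lambda v: v not in ("", "unsafe-url")),
    ("Permissions-Policy", 10, lambda v: v != ""),
    ("Cross-Origin-Opener-Policy", 10, lambda v: v in ("same-origin", "same-origin-allow-popups")),
    ("Cross-Origin-Resource-Policy", 10, lambda v: v in ("same-origin", "same-site")),
    ("Cross-Origin-Embedder-Policy", 10, lambda v: v in ("require-corp", "credentialless")),
]
LEAK_PENALTY = 5  # assumed deduction per information-leaking header

def grade_for(score):  # assumed bands; the page does not document the API's own cut-offs
    bands = (("A", 90), ("B", 80), ("C", 70), ("D", 60))
    return next((g for g, floor in bands if score >= floor), "F")

def audit_headers(headers):
    """Grade a set of response headers; returns a dict shaped like the API's JSON."""
    norm = {k.lower(): v.strip() for k, v in headers.items()}  # header names are case-insensitive
    checks, score = [], 0
    for name, points, ok in CHECKS:
        value = norm.get(name.lower())
        passed = value is not None and ok(value.lower())
        status = "pass" if passed else ("warn" if value is not None else "fail")  # warn = present but weak
        score += points if passed else 0
        checks.append({"header": name, "present": value is not None, "value": value,
                       "status": status, "points": points if passed else 0})
    # X-Powered-By always leaks; Server only when it carries a version, e.g. "nginx/1.18.0".
    for name in ("Server", "X-Powered-By"):
        value = norm.get(name.lower())
        if value is not None and (name != "Server" or any(ch.isdigit() for ch in value)):
            score -= LEAK_PENALTY
            checks.append({"header": name, "present": True, "value": value, "status": "leak", "points": -LEAK_PENALTY})
    score = max(score, 0)
    return {"score": score, "grade": grade_for(score), "checks": checks}

# Constructed sample: partially hardened, but still advertising the nginx version.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'none'; script-src 'self'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=(), camera=()",
    "Server": "nginx/1.18.0",
}
```

Running `audit_headers(SAMPLE_HEADERS)` on the constructed sample yields 65 (grade D): the three missing Cross-Origin-* headers cost 30 points and the versioned Server header another 5, which is the prioritisation the "How to Use" steps describe.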
Why Use This Tool
- Security audit — Assess web security header configuration
- Compliance — Verify headers meet OWASP or organizational standards
- Penetration testing — Quick reconnaissance of security posture
- DevOps — Verify headers are correctly set after deployment
Frequently Asked Questions
Which headers are checked?
HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP, CORP, and COEP. Server and X-Powered-By are checked for information leakage.
Are points deducted for leaking headers?
Yes — exposing Server version or X-Powered-By information reduces the score.
Start using Security Headers Audit now
Get your free API key and make your first request in under a minute.