Security
HTTP security-headers grade API
Fetch a URL's response headers and grade them against a Mozilla-Observatory-style rubric (CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP, Server disclosure), returning a weighted 0-100 score, a letter grade, per-header pass/fail with the reason, and a concrete fix for every failing header. The value-add: it scores and prescribes, it does not just echo headers. Answers 'grade the security headers of this site', 'is my CSP/HSTS configured correctly', 'what security headers am I missing', 'how do I fix my header score'.
Price$0.01per request
MethodPOST
Route/v1/security/headers-grade
StatusLive
MIME typeapplication/json
Rate limit60/minute
Cache3600s public
securityheaderscsphstssecurity-headersowasphardeninghttp
API URL
Integration docshttps://x402.hexl.dev/v1/security/headers-gradeExample request
{
"url": "https://example.com"
}Example response
{
"url": "https://example.com/",
"score": 10,
"grade": "F",
"passed": 1,
"failed": 7,
"headers": [
{
"header": "Strict-Transport-Security",
"present": false,
"pass": false,
"value": null,
"reason": "HSTS not set — connection can be downgraded to HTTP.",
"fix": "Add: Strict-Transport-Security: max-age=63072000; includeSubDomains; preload"
}
],
"fixes": [
"Add: Strict-Transport-Security: max-age=63072000; includeSubDomains; preload"
],
"finalUrl": "https://example.com/",
"statusCode": 200
}Input schema
{
"type": "object",
"required": [
"url"
],
"properties": {
"url": {
"type": "string",
"examples": [
"https://example.com"
]
}
}
}Output schema
{
"type": "object",
"additionalProperties": true
}