Documentation

Authorisation

Authorisation is required for all requests to the Security Headers API, located at https://api-test.securityheaders.com/.
An API key must be provided in the x-api-key HTTP request header. You can purchase an API key here.

GET https://api-test.securityheaders.com/?q=scotthelme.co.uk&hide=on&followRedirects=on
x-api-key: {your key here}

Query Parameters

All parameters are required and are set in the query string of the HTTP GET request.

Parameter: q
Description: The domain/URL to scan.
Value: domain/URL
Required: Yes
Example: q=scotthelme.co.uk

Parameter: hide
Description: Hide scan results on homepage.
Value: "on"/"off"
Required: Yes
Example: hide=on

Parameter: followRedirects
Description: Follow redirect status codes.
Value: "on"/"off"
Required: Yes
Example: followRedirects=on

Example JSON Response

Here's an example JSON payload for a successful scan:


{ "status": "good", "summary": { "site": "scotthelme.co.uk", "grade": "A", "ip": "2606:4700:20::681a:302", "timestamp": "10 Jan 2023 20:19:49 UTC", "headers": { "Strict-Transport-Security": "green", "Content-Security-Policy": "green", "Permissions-Policy": "green", "Referrer-Policy": "green", "X-Content-Type-Options": "green", "X-Frame-Options": "green" }, "gradeCap": "A" }, "rawHeaders": [ { "key": "HTTP/2", "value": "200", "colour": "#696E76" }, { "key": "date", "value": "Tue, 10 Jan 2023 20:19:49 GMT", "colour": "#696E76" }, { "key": "content-type", "value": "text/html; charset=utf-8", "colour": "#696E76" }, { "key": "age", "value": "21733", "colour": "#696E76" }, { "key": "cache-control", "value": "public, max-age=0", "colour": "#696E76" }, { "key": "strict-transport-security", "value": "max-age=31536000; includeSubDomains; preload", "colour": "green", "info": "<a href=\"https://scotthelme.co.uk/hsts-the-missing-link-in-tls/\" target=\"_blank\">HTTP Strict Transport Security</a> is an excellent feature to support on your site and strengthens your implementation of TLS by getting the User Agent to enforce the use of HTTPS." }, { "key": "vary", "value": "Cookie, Accept-Encoding", "colour": "#696E76" }, { "key": "via", "value": "1.1 varnish, 1.1 varnish", "colour": "#696E76" }, { "key": "alt-svc", "value": "h3=\":443\"; ma=86400, h3-29=\":443\"; ma=86400", "colour": "#696E76" }, { "key": "content-security-policy", "value": "default-src 'self'; script-src 'self' 'report-sample' disqus.com c.disquscdn.com platform.instagram.com cdnjs.cloudflare.com scotthelme.disqus.com a.disquscdn.com go.disqus.com platform.twitter.com cdn.syndication.twimg.com syndication.twitter.com gist.github.com/ScottHelme/ static.cloudflareinsights.com js.stripe.com unpkg.com/@tryghost/ cdn.jsdelivr.net/ghost/; style-src 'self' 'report-sample' 'unsafe-inline' c.disquscdn.com a.disquscdn.com fonts.googleapis.com cdnjs.cloudflare.com platform.twitter.com assets-cdn.github.com github.githubassets.com unpkg.com/@tryghost/ cdn.jsdelivr.net/ghost/; img-src 'self' data: www.gravatar.com links.services.disqus.com referrer.disqus.com a.disquscdn.com cdn.syndication.twimg.com syndication.twitter.com pbs.twimg.com platform.twitter.com abs.twimg.com www.google-analytics.com; child-src www.instagram.com twitter.com fusiontables.googleusercontent.com fusiontables.google.com www.google.com disqus.com www.youtube.com syndication.twitter.com platform.twitter.com www.youtube-nocookie.com js.stripe.com https://drive.google.com/file/; connect-src 'self' syndication.twitter.com links.services.disqus.com scotthelme.ghost.io cloudflareinsights.com; font-src 'self' cdnjs.cloudflare.com fonts.gstatic.com fonts.googleapis.com; form-action 'self' syndication.twitter.com; frame-ancestors 'none'; prefetch-src 'self' c.disquscdn.com disqus.com; object-src 'none'; base-uri 'none'; upgrade-insecure-requests; report-uri https://scotthelme.report-uri.com/r/d/csp/enforce; report-to default", "colour": "green", "info": "<a href=\"https://scotthelme.co.uk/content-security-policy-an-introduction/\" target=\"_blank\">Content Security Policy</a> is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets. <a href=\"https://report-uri.com/home/analyse/https%3A%2F%2Fscotthelme.co.uk%2F\" target=\"_blank\">Analyse</a> this policy in more detail." }, { "key": "cross-origin-embedder-policy-report-only", "value": "require-corp; report-to=\"default\"", "colour": "green", "info": "<a href=\"https://scotthelme.co.uk/coop-and-coep/\" target=\"_blank\">Cross-Origin Embedder Policy</a> allows a site to prevent assets being loaded that do not grant permission to load them via CORS or CORP." }, { "key": "cross-origin-opener-policy-report-only", "value": "same-origin; report-to=\"default\"", "colour": "green", "info": "<a href=\"https://scotthelme.co.uk/coop-and-coep/\" target=\"_blank\">Cross-Origin Opener Policy</a> allows a site to opt-in to Cross-Origin Isolation in the browser." }, { "key": "cross-origin-resource-policy", "value": "same-site", "colour": "green", "info": "<a href=\"https://scotthelme.co.uk/coop-and-coep/\" target=\"_blank\">Cross-Origin Resource Policy</a> allows a resource owner to specify who can load the resource." }, { "key": "expect-ct", "value": "max-age=604800, report-uri=\"https://scotthelme.report-uri.com/r/d/ct/enforce\"", "colour": "green", "info": "<a href=\"https://scotthelme.co.uk/a-new-security-header-expect-ct/\" target=\"_blank\">Expect-CT</a> will soon be deprecated and can be removed." }, { "key": "feature-policy", "value": "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'", "colour": "yellow", "info": "<a href=\"https://scotthelme.co.uk/a-new-security-header-feature-policy/\" target=\"_blank\">Feature Policy</a> has been renamed to Permissions Policy, see the details <a href=\"https://scotthelme.co.uk/goodbye-feature-policy-and-hello-permissions-policy/\" target=\"_blank\">here</a>." }, { "key": "nel", "value": "{\"report_to\":\"default\",\"max_age\":10886400}", "colour": "green", "info": "<a href=\"https://scotthelme.co.uk/network-error-logging-deep-dive/\" target=\"_blank\">Network Error Logging</a> is a new header that instructs the browser to send reports during various network or application errors. You can sign up for a free account on <a href=\"https://report-uri.com\" target=\"_blank\">Report URI</a> to collect these reports." }, { "key": "permissions-policy", "value": "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=(), interest-cohort=()", "colour": "green", "info": "<a href=\"https://scotthelme.co.uk/goodbye-feature-policy-and-hello-permissions-policy/\" target=\"_blank\">Permissions Policy</a> is a new header that allows a site to control which features and APIs can be used in the browser." }, { "key": "referrer-policy", "value": "strict-origin-when-cross-origin", "colour": "green", "info": "<a href=\"https://scotthelme.co.uk/a-new-security-header-referrer-policy/\" target=\"_blank\">Referrer Policy</a> is a new header that allows a site to control how much information the browser includes with navigations away from a document and should be set by all sites." }, { "key": "report-to", "value": "{\"group\":\"default\",\"max_age\":10886400,\"endpoints\":[{\"url\":\"https://scotthelme.report-uri.com/a/d/g\"}],\"include_subdomains\":true}", "colour": "green", "info": "<a href=\"https://scotthelme.co.uk/introducing-the-reporting-api-nel-other-major-changes-to-report-uri/\" target=\"_blank\">Report-To</a> enables the Reporting API. This allows a website to collect reports from the browser about various errors that may occur." }, { "key": "x-cache", "value": "HIT, HIT", "colour": "#696E76" }, { "key": "x-content-type-options", "value": "nosniff", "colour": "green", "info": "<a href=\"https://scotthelme.co.uk/hardening-your-http-response-headers/#x-content-type-options\" target=\"_blank\">X-Content-Type-Options</a> stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. The only valid value for this header is \"X-Content-Type-Options: nosniff\"." }, { "key": "x-served-by", "value": "cache-ams12774-AMS, cache-sjc10072-SJC", "colour": "#696E76" }, { "key": "x-timer", "value": "S1673381989.462412,VS0,VE1", "colour": "#696E76" }, { "key": "x-xss-protection", "value": "1; mode=block; report=https://scotthelme.report-uri.com/r/d/xss/enforce", "colour": "green", "info": "<a href=\"https://scotthelme.co.uk/hardening-your-http-response-headers/#x-xss-protection\" target=\"_blank\">X-XSS-Protection</a> sets the configuration for the XSS Auditor built into older browsers. The recommended value was \"X-XSS-Protection: 1; mode=block\" but you should now look at <a href=\"https://scotthelme.co.uk/content-security-policy-an-introduction/\" target=\"_blank\">Content Security Policy</a> instead." }, { "key": "x-xss-pwnage", "value": "<script>alert('XSS');</script>", "colour": "#696E76" }, { "key": "server", "value": "magic", "colour": "green", "info": "<a href=\"https://scotthelme.co.uk/hardening-your-http-response-headers/#server\" target=\"_blank\">Server</a> value has been changed. Typically you will see values like \"Microsoft-IIS/8.0\" or \"nginx 1.7.2\"." }, { "key": "content-encoding", "value": "gzip", "colour": "#696E76" }, { "key": "X-Frame-Options", "value": "Header not set, see Additional Information below.", "colour": "green", "info": "The XFO header was not sent but frame-ancestors in <a href=\"https://scotthelme.co.uk/content-security-policy-an-introduction/\" target=\"_blank\">Content Security Policy</a> was used instead." } ], "missingHeaders": [], "validationErrors": { "Content-Security-Policy": "This policy contains 'unsafe-inline' which is dangerous in the style-src directive. " }, "upcomingHeaders": { "Cross-Origin-Embedder-Policy": { "info": "<a href=\"https://scotthelme.co.uk/coop-and-coep/\" target=\"_blank\">Cross-Origin Embedder Policy</a> allows a site to prevent assets being loaded that do not grant permission to load them via CORS or CORP.", "key": "Cross-Origin-Embedder-Policy" }, "Cross-Origin-Opener-Policy": { "info": "<a href=\"https://scotthelme.co.uk/coop-and-coep/\" target=\"_blank\">Cross-Origin Opener Policy</a> allows a site to opt-in to Cross-Origin Isolation in the browser.", "key": "Cross-Origin-Opener-Policy" } }, "additionalInformation": { "strict-transport-security": { "info": "<a href=\"https://scotthelme.co.uk/hsts-the-missing-link-in-tls/\" target=\"_blank\">HTTP Strict Transport Security</a> is an excellent feature to support on your site and strengthens your implementation of TLS by getting the User Agent to enforce the use of HTTPS.", "colour": "green" }, "content-security-policy": { "info": "<a href=\"https://scotthelme.co.uk/content-security-policy-an-introduction/\" target=\"_blank\">Content Security Policy</a> is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets. <a href=\"https://report-uri.com/home/analyse/https%3A%2F%2Fscotthelme.co.uk%2F\" target=\"_blank\">Analyse</a> this policy in more detail.", "colour": "green" }, "cross-origin-embedder-policy-report-only": { "info": "<a href=\"https://scotthelme.co.uk/coop-and-coep/\" target=\"_blank\">Cross-Origin Embedder Policy</a> allows a site to prevent assets being loaded that do not grant permission to load them via CORS or CORP.", "colour": "green" }, "cross-origin-opener-policy-report-only": { "info": "<a href=\"https://scotthelme.co.uk/coop-and-coep/\" target=\"_blank\">Cross-Origin Opener Policy</a> allows a site to opt-in to Cross-Origin Isolation in the browser.", "colour": "green" }, "cross-origin-resource-policy": { "info": "<a href=\"https://scotthelme.co.uk/coop-and-coep/\" target=\"_blank\">Cross-Origin Resource Policy</a> allows a resource owner to specify who can load the resource.", "colour": "green" }, "expect-ct": { "info": "<a href=\"https://scotthelme.co.uk/a-new-security-header-expect-ct/\" target=\"_blank\">Expect-CT</a> will soon be deprecated and can be removed.", "colour": "green" }, "feature-policy": { "info": "<a href=\"https://scotthelme.co.uk/a-new-security-header-feature-policy/\" target=\"_blank\">Feature Policy</a> has been renamed to Permissions Policy, see the details <a href=\"https://scotthelme.co.uk/goodbye-feature-policy-and-hello-permissions-policy/\" target=\"_blank\">here</a>.", "colour": "yellow" }, "nel": { "info": "<a href=\"https://scotthelme.co.uk/network-error-logging-deep-dive/\" target=\"_blank\">Network Error Logging</a> is a new header that instructs the browser to send reports during various network or application errors. You can sign up for a free account on <a href=\"https://report-uri.com\" target=\"_blank\">Report URI</a> to collect these reports.", "colour": "green" }, "permissions-policy": { "info": "<a href=\"https://scotthelme.co.uk/goodbye-feature-policy-and-hello-permissions-policy/\" target=\"_blank\">Permissions Policy</a> is a new header that allows a site to control which features and APIs can be used in the browser.", "colour": "green" }, "referrer-policy": { "info": "<a href=\"https://scotthelme.co.uk/a-new-security-header-referrer-policy/\" target=\"_blank\">Referrer Policy</a> is a new header that allows a site to control how much information the browser includes with navigations away from a document and should be set by all sites.", "colour": "green" }, "report-to": { "info": "<a href=\"https://scotthelme.co.uk/introducing-the-reporting-api-nel-other-major-changes-to-report-uri/\" target=\"_blank\">Report-To</a> enables the Reporting API. This allows a website to collect reports from the browser about various errors that may occur.", "colour": "green" }, "x-content-type-options": { "info": "<a href=\"https://scotthelme.co.uk/hardening-your-http-response-headers/#x-content-type-options\" target=\"_blank\">X-Content-Type-Options</a> stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. The only valid value for this header is \"X-Content-Type-Options: nosniff\".", "colour": "green" }, "x-xss-protection": { "info": "<a href=\"https://scotthelme.co.uk/hardening-your-http-response-headers/#x-xss-protection\" target=\"_blank\">X-XSS-Protection</a> sets the configuration for the XSS Auditor built into older browsers. The recommended value was \"X-XSS-Protection: 1; mode=block\" but you should now look at <a href=\"https://scotthelme.co.uk/content-security-policy-an-introduction/\" target=\"_blank\">Content Security Policy</a> instead.", "colour": "green" }, "server": { "info": "<a href=\"https://scotthelme.co.uk/hardening-your-http-response-headers/#server\" target=\"_blank\">Server</a> value has been changed. Typically you will see values like \"Microsoft-IIS/8.0\" or \"nginx 1.7.2\".", "colour": "green" }, "X-Frame-Options": { "info": "The XFO header was not sent but frame-ancestors in <a href=\"https://scotthelme.co.uk/content-security-policy-an-introduction/\" target=\"_blank\">Content Security Policy</a> was used instead.", "colour": "green" } } }