Documentation
Authorisation
Authorisation is required for all requests to the Security Headers API, located at https://api.securityheaders.com/.
An API key must be provided in the x-api-key HTTP request header. You can purchase an API key here.
GET https://api.securityheaders.com/?q=scotthelme.co.uk&hide=on&followRedirects=on
x-api-key: {your key here}
Query Parameters
All parameters are required and are set in the query string of the HTTP GET request.
Parameter: q
Description: The domain/URL to scan.
Value: domain/URL
Required: Yes
Example: q=scotthelme.co.uk
Parameter: hide
Description: Hide scan results on homepage.
Value: "on"/"off"
Required: Yes
Example: hide=on
Parameter: followRedirects
Description: Follow redirect status codes.
Value: "on"/"off"
Required: Yes
Example: followRedirects=on
Example JSON Response
Here's an example JSON payload for a successful scan:
{
"status": "good",
"summary": {
"site": "scotthelme.co.uk",
"grade": "A",
"ip": "2606:4700:20::681a:302",
"timestamp": "10 Jan 2023 20:19:49 UTC",
"headers": {
"Strict-Transport-Security": "green",
"Content-Security-Policy": "green",
"Permissions-Policy": "green",
"Referrer-Policy": "green",
"X-Content-Type-Options": "green",
"X-Frame-Options": "green"
},
"gradeCap": "A"
},
"rawHeaders": [
{
"key": "HTTP/2",
"value": "200",
"colour": "#696E76"
},
{
"key": "date",
"value": "Tue, 10 Jan 2023 20:19:49 GMT",
"colour": "#696E76"
},
{
"key": "content-type",
"value": "text/html; charset=utf-8",
"colour": "#696E76"
},
{
"key": "age",
"value": "21733",
"colour": "#696E76"
},
{
"key": "cache-control",
"value": "public, max-age=0",
"colour": "#696E76"
},
{
"key": "strict-transport-security",
"value": "max-age=31536000; includeSubDomains; preload",
"colour": "green",
"info": "<a href=\"https://scotthelme.co.uk/hsts-the-missing-link-in-tls/\" target=\"_blank\">HTTP Strict Transport Security</a> is an excellent feature to support on your site and strengthens your implementation of TLS by getting the User Agent to enforce the use of HTTPS."
},
{
"key": "vary",
"value": "Cookie, Accept-Encoding",
"colour": "#696E76"
},
{
"key": "via",
"value": "1.1 varnish, 1.1 varnish",
"colour": "#696E76"
},
{
"key": "alt-svc",
"value": "h3=\":443\"; ma=86400, h3-29=\":443\"; ma=86400",
"colour": "#696E76"
},
{
"key": "content-security-policy",
"value": "default-src 'self'; script-src 'self' 'report-sample' disqus.com c.disquscdn.com platform.instagram.com cdnjs.cloudflare.com scotthelme.disqus.com a.disquscdn.com go.disqus.com platform.twitter.com cdn.syndication.twimg.com syndication.twitter.com gist.github.com/ScottHelme/ static.cloudflareinsights.com js.stripe.com unpkg.com/@tryghost/ cdn.jsdelivr.net/ghost/; style-src 'self' 'report-sample' 'unsafe-inline' c.disquscdn.com a.disquscdn.com fonts.googleapis.com cdnjs.cloudflare.com platform.twitter.com assets-cdn.github.com github.githubassets.com unpkg.com/@tryghost/ cdn.jsdelivr.net/ghost/; img-src 'self' data: www.gravatar.com links.services.disqus.com referrer.disqus.com a.disquscdn.com cdn.syndication.twimg.com syndication.twitter.com pbs.twimg.com platform.twitter.com abs.twimg.com www.google-analytics.com; child-src www.instagram.com twitter.com fusiontables.googleusercontent.com fusiontables.google.com www.google.com disqus.com www.youtube.com syndication.twitter.com platform.twitter.com www.youtube-nocookie.com js.stripe.com https://drive.google.com/file/; connect-src 'self' syndication.twitter.com links.services.disqus.com scotthelme.ghost.io cloudflareinsights.com; font-src 'self' cdnjs.cloudflare.com fonts.gstatic.com fonts.googleapis.com; form-action 'self' syndication.twitter.com; frame-ancestors 'none'; prefetch-src 'self' c.disquscdn.com disqus.com; object-src 'none'; base-uri 'none'; upgrade-insecure-requests; report-uri https://scotthelme.report-uri.com/r/d/csp/enforce; report-to default",
"colour": "green",
"info": "<a href=\"https://scotthelme.co.uk/content-security-policy-an-introduction/\" target=\"_blank\">Content Security Policy</a> is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets. <a href=\"https://report-uri.com/home/analyse/https%3A%2F%2Fscotthelme.co.uk%2F\" target=\"_blank\">Analyse</a> this policy in more detail."
},
{
"key": "cross-origin-embedder-policy-report-only",
"value": "require-corp; report-to=\"default\"",
"colour": "green",
"info": "<a href=\"https://scotthelme.co.uk/coop-and-coep/\" target=\"_blank\">Cross-Origin Embedder Policy</a> allows a site to prevent assets being loaded that do not grant permission to load them via CORS or CORP."
},
{
"key": "cross-origin-opener-policy-report-only",
"value": "same-origin; report-to=\"default\"",
"colour": "green",
"info": "<a href=\"https://scotthelme.co.uk/coop-and-coep/\" target=\"_blank\">Cross-Origin Opener Policy</a> allows a site to opt-in to Cross-Origin Isolation in the browser."
},
{
"key": "cross-origin-resource-policy",
"value": "same-site",
"colour": "green",
"info": "<a href=\"https://scotthelme.co.uk/coop-and-coep/\" target=\"_blank\">Cross-Origin Resource Policy</a> allows a resource owner to specify who can load the resource."
},
{
"key": "expect-ct",
"value": "max-age=604800, report-uri=\"https://scotthelme.report-uri.com/r/d/ct/enforce\"",
"colour": "green",
"info": "<a href=\"https://scotthelme.co.uk/a-new-security-header-expect-ct/\" target=\"_blank\">Expect-CT</a> will soon be deprecated and can be removed."
},
{
"key": "feature-policy",
"value": "accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'",
"colour": "yellow",
"info": "<a href=\"https://scotthelme.co.uk/a-new-security-header-feature-policy/\" target=\"_blank\">Feature Policy</a> has been renamed to Permissions Policy, see the details <a href=\"https://scotthelme.co.uk/goodbye-feature-policy-and-hello-permissions-policy/\" target=\"_blank\">here</a>."
},
{
"key": "nel",
"value": "{\"report_to\":\"default\",\"max_age\":10886400}",
"colour": "green",
"info": "<a href=\"https://scotthelme.co.uk/network-error-logging-deep-dive/\" target=\"_blank\">Network Error Logging</a> is a new header that instructs the browser to send reports during various network or application errors. You can sign up for a free account on <a href=\"https://report-uri.com\" target=\"_blank\">Report URI</a> to collect these reports."
},
{
"key": "permissions-policy",
"value": "accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=(), interest-cohort=()",
"colour": "green",
"info": "<a href=\"https://scotthelme.co.uk/goodbye-feature-policy-and-hello-permissions-policy/\" target=\"_blank\">Permissions Policy</a> is a new header that allows a site to control which features and APIs can be used in the browser."
},
{
"key": "referrer-policy",
"value": "strict-origin-when-cross-origin",
"colour": "green",
"info": "<a href=\"https://scotthelme.co.uk/a-new-security-header-referrer-policy/\" target=\"_blank\">Referrer Policy</a> is a new header that allows a site to control how much information the browser includes with navigations away from a document and should be set by all sites."
},
{
"key": "report-to",
"value": "{\"group\":\"default\",\"max_age\":10886400,\"endpoints\":[{\"url\":\"https://scotthelme.report-uri.com/a/d/g\"}],\"include_subdomains\":true}",
"colour": "green",
"info": "<a href=\"https://scotthelme.co.uk/introducing-the-reporting-api-nel-other-major-changes-to-report-uri/\" target=\"_blank\">Report-To</a> enables the Reporting API. This allows a website to collect reports from the browser about various errors that may occur."
},
{
"key": "x-cache",
"value": "HIT, HIT",
"colour": "#696E76"
},
{
"key": "x-content-type-options",
"value": "nosniff",
"colour": "green",
"info": "<a href=\"https://scotthelme.co.uk/hardening-your-http-response-headers/#x-content-type-options\" target=\"_blank\">X-Content-Type-Options</a> stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. The only valid value for this header is \"X-Content-Type-Options: nosniff\"."
},
{
"key": "x-served-by",
"value": "cache-ams12774-AMS, cache-sjc10072-SJC",
"colour": "#696E76"
},
{
"key": "x-timer",
"value": "S1673381989.462412,VS0,VE1",
"colour": "#696E76"
},
{
"key": "x-xss-protection",
"value": "1; mode=block; report=https://scotthelme.report-uri.com/r/d/xss/enforce",
"colour": "green",
"info": "<a href=\"https://scotthelme.co.uk/hardening-your-http-response-headers/#x-xss-protection\" target=\"_blank\">X-XSS-Protection</a> sets the configuration for the XSS Auditor built into older browsers. The recommended value was \"X-XSS-Protection: 1; mode=block\" but you should now look at <a href=\"https://scotthelme.co.uk/content-security-policy-an-introduction/\" target=\"_blank\">Content Security Policy</a> instead."
},
{
"key": "x-xss-pwnage",
"value": "<script>alert('XSS');</script>",
"colour": "#696E76"
},
{
"key": "server",
"value": "magic",
"colour": "green",
"info": "<a href=\"https://scotthelme.co.uk/hardening-your-http-response-headers/#server\" target=\"_blank\">Server</a> value has been changed. Typically you will see values like \"Microsoft-IIS/8.0\" or \"nginx 1.7.2\"."
},
{
"key": "content-encoding",
"value": "gzip",
"colour": "#696E76"
},
{
"key": "X-Frame-Options",
"value": "Header not set, see Additional Information below.",
"colour": "green",
"info": "The XFO header was not sent but frame-ancestors in <a href=\"https://scotthelme.co.uk/content-security-policy-an-introduction/\" target=\"_blank\">Content Security Policy</a> was used instead."
}
],
"missingHeaders": [],
"validationErrors": {
"Content-Security-Policy": "This policy contains 'unsafe-inline' which is dangerous in the style-src directive. "
},
"upcomingHeaders": {
"Cross-Origin-Embedder-Policy": {
"info": "<a href=\"https://scotthelme.co.uk/coop-and-coep/\" target=\"_blank\">Cross-Origin Embedder Policy</a> allows a site to prevent assets being loaded that do not grant permission to load them via CORS or CORP.",
"key": "Cross-Origin-Embedder-Policy"
},
"Cross-Origin-Opener-Policy": {
"info": "<a href=\"https://scotthelme.co.uk/coop-and-coep/\" target=\"_blank\">Cross-Origin Opener Policy</a> allows a site to opt-in to Cross-Origin Isolation in the browser.",
"key": "Cross-Origin-Opener-Policy"
}
},
"additionalInformation": {
"strict-transport-security": {
"info": "<a href=\"https://scotthelme.co.uk/hsts-the-missing-link-in-tls/\" target=\"_blank\">HTTP Strict Transport Security</a> is an excellent feature to support on your site and strengthens your implementation of TLS by getting the User Agent to enforce the use of HTTPS.",
"colour": "green"
},
"content-security-policy": {
"info": "<a href=\"https://scotthelme.co.uk/content-security-policy-an-introduction/\" target=\"_blank\">Content Security Policy</a> is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets. <a href=\"https://report-uri.com/home/analyse/https%3A%2F%2Fscotthelme.co.uk%2F\" target=\"_blank\">Analyse</a> this policy in more detail.",
"colour": "green"
},
"cross-origin-embedder-policy-report-only": {
"info": "<a href=\"https://scotthelme.co.uk/coop-and-coep/\" target=\"_blank\">Cross-Origin Embedder Policy</a> allows a site to prevent assets being loaded that do not grant permission to load them via CORS or CORP.",
"colour": "green"
},
"cross-origin-opener-policy-report-only": {
"info": "<a href=\"https://scotthelme.co.uk/coop-and-coep/\" target=\"_blank\">Cross-Origin Opener Policy</a> allows a site to opt-in to Cross-Origin Isolation in the browser.",
"colour": "green"
},
"cross-origin-resource-policy": {
"info": "<a href=\"https://scotthelme.co.uk/coop-and-coep/\" target=\"_blank\">Cross-Origin Resource Policy</a> allows a resource owner to specify who can load the resource.",
"colour": "green"
},
"expect-ct": {
"info": "<a href=\"https://scotthelme.co.uk/a-new-security-header-expect-ct/\" target=\"_blank\">Expect-CT</a> will soon be deprecated and can be removed.",
"colour": "green"
},
"feature-policy": {
"info": "<a href=\"https://scotthelme.co.uk/a-new-security-header-feature-policy/\" target=\"_blank\">Feature Policy</a> has been renamed to Permissions Policy, see the details <a href=\"https://scotthelme.co.uk/goodbye-feature-policy-and-hello-permissions-policy/\" target=\"_blank\">here</a>.",
"colour": "yellow"
},
"nel": {
"info": "<a href=\"https://scotthelme.co.uk/network-error-logging-deep-dive/\" target=\"_blank\">Network Error Logging</a> is a new header that instructs the browser to send reports during various network or application errors. You can sign up for a free account on <a href=\"https://report-uri.com\" target=\"_blank\">Report URI</a> to collect these reports.",
"colour": "green"
},
"permissions-policy": {
"info": "<a href=\"https://scotthelme.co.uk/goodbye-feature-policy-and-hello-permissions-policy/\" target=\"_blank\">Permissions Policy</a> is a new header that allows a site to control which features and APIs can be used in the browser.",
"colour": "green"
},
"referrer-policy": {
"info": "<a href=\"https://scotthelme.co.uk/a-new-security-header-referrer-policy/\" target=\"_blank\">Referrer Policy</a> is a new header that allows a site to control how much information the browser includes with navigations away from a document and should be set by all sites.",
"colour": "green"
},
"report-to": {
"info": "<a href=\"https://scotthelme.co.uk/introducing-the-reporting-api-nel-other-major-changes-to-report-uri/\" target=\"_blank\">Report-To</a> enables the Reporting API. This allows a website to collect reports from the browser about various errors that may occur.",
"colour": "green"
},
"x-content-type-options": {
"info": "<a href=\"https://scotthelme.co.uk/hardening-your-http-response-headers/#x-content-type-options\" target=\"_blank\">X-Content-Type-Options</a> stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. The only valid value for this header is \"X-Content-Type-Options: nosniff\".",
"colour": "green"
},
"x-xss-protection": {
"info": "<a href=\"https://scotthelme.co.uk/hardening-your-http-response-headers/#x-xss-protection\" target=\"_blank\">X-XSS-Protection</a> sets the configuration for the XSS Auditor built into older browsers. The recommended value was \"X-XSS-Protection: 1; mode=block\" but you should now look at <a href=\"https://scotthelme.co.uk/content-security-policy-an-introduction/\" target=\"_blank\">Content Security Policy</a> instead.",
"colour": "green"
},
"server": {
"info": "<a href=\"https://scotthelme.co.uk/hardening-your-http-response-headers/#server\" target=\"_blank\">Server</a> value has been changed. Typically you will see values like \"Microsoft-IIS/8.0\" or \"nginx 1.7.2\".",
"colour": "green"
},
"X-Frame-Options": {
"info": "The XFO header was not sent but frame-ancestors in <a href=\"https://scotthelme.co.uk/content-security-policy-an-introduction/\" target=\"_blank\">Content Security Policy</a> was used instead.",
"colour": "green"
}
}
}
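Putting the request format and the response format together, here is an added example (not part of the Security Headers API documentation or its own client code) that builds the authenticated GET request described above and reduces a scan response to the findings worth acting on: the grade and grade cap, any header not coloured green, missing headers, validation errors, and upcoming headers. It runs offline against a constructed response trimmed from the example payload; the grey colour value and the `is_clean` gate are assumptions based on that sample, and `YOUR-KEY` is a placeholder.

```python
import json
from urllib.parse import urlencode

API_URL = "https://api.securityheaders.com/"
GREY = "#696E76"  # assumption: the colour the sample uses for purely informational headers

def build_request(api_key, target, hide=True, follow_redirects=True):
    """Return (url, headers) for a scan; every query parameter is required by the API."""
    params = {"q": target,
              "hide": "on" if hide else "off",
              "followRedirects": "on" if follow_redirects else "off"}
    return API_URL + "?" + urlencode(params), {"x-api-key": api_key}

def summarise_scan(payload):
    """Reduce a scan response (JSON text) to the findings a reviewer would act on."""
    data = json.loads(payload)
    # Anything that is neither green nor the informational grey (e.g. yellow) needs a look.
    flagged = {h["key"]: h["value"] for h in data["rawHeaders"]
               if h.get("colour") not in ("green", GREY)}
    return {
        "status": data["status"],
        "grade": data["summary"]["grade"],
        "grade_cap": data["summary"]["gradeCap"],
        "flagged_headers": flagged,
        "missing_headers": list(data["missingHeaders"]),
        "validation_errors": dict(data["validationErrors"]),
        "upcoming_headers": sorted(data["upcomingHeaders"]),
    }

def is_clean(report):
    """Assumed gate: True only when nothing in the report needs a follow-up."""
    return (report["status"] == "good" and not report["flagged_headers"]
            and not report["missing_headers"] and not report["validation_errors"])

# Constructed sample, trimmed from the documented example response.
SAMPLE_RESPONSE = json.dumps({
    "status": "good",
    "summary": {"site": "scotthelme.co.uk", "grade": "A", "gradeCap": "A",
                "ip": "2606:4700:20::681a:302", "headers": {"Strict-Transport-Security": "green"}},
    "rawHeaders": [
        {"key": "strict-transport-security", "value": "max-age=31536000; includeSubDomains; preload", "colour": "green"},
        {"key": "feature-policy", "value": "camera 'none'", "colour": "yellow"},
        {"key": "x-cache", "value": "HIT, HIT", "colour": GREY},
    ],
    "missingHeaders": [],
    "validationErrors": {"Content-Security-Policy": "This policy contains 'unsafe-inline' which is dangerous in the style-src directive. "},
    "upcomingHeaders": {"Cross-Origin-Opener-Policy": {"key": "Cross-Origin-Opener-Policy"},
                        "Cross-Origin-Embedder-Policy": {"key": "Cross-Origin-Embedder-Policy"}},
})

if __name__ == "__main__":
    print(build_request("YOUR-KEY", "scotthelme.co.uk"))
    print(json.dumps(summarise_scan(SAMPLE_RESPONSE), indent=2))
```

A grade of A with a non-empty `validationErrors` (the `'unsafe-inline'` in `style-src` here) is exactly the case a pass/fail check on the grade alone would miss, which is why `is_clean` looks at every list.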