
Security Headers API: Analyze HTTP Security Headers

A JSON API to analyze HTTP security headers and detect missing protections such as Content-Security-Policy, HSTS, X-Content-Type-Options, and X-Frame-Options. Use this API to quickly evaluate a website's security posture and identify misconfigured or absent headers that could expose applications to common web attacks.

Consumes 2 credits per API call

# Example Curl request from the command line:
                          
curl -X POST "https://api.apivoid.com/v2/security-headers" \
     -H "Content-Type: application/json" \
     -H "X-API-Key: YOUR_API_KEY_HERE" \
     -d '{"url": "https://www.stripe.com/"}'

# Example JSON output for a 200 HTTP status code:

{
    "url": "https://stripe.com/",
    "final_url": "https://stripe.com/en-fi",
    "ip": "54.76.53.164",
    "status_code": 200,
    "response_note": "",
    "connection_error": false,
    "access_restricted": false,
    "response_headers": {
        "content-security-policy": [
            "base-uri 'none'; child-src 'none'; connect-src https://c.increment.com https://c.stripe.dev https://c.stripe.global https://c.stripe.partners blob: https://b.stripecdn.com https://errors.stripe.com https://ext.stripe.com https://r.stripe.com https://stripe-images.s3.us-west-1.amazonaws.com https://stripe.com 'self'; default-src 'none'; font-src https://b.stripecdn.com 'self'; form-action https://stripe.com 'self'; frame-ancestors https://app.contentful.com 'self'; frame-src https://b.stripecdn.com https://js.stripe.com https://support-conversations.stripe.com 'self'; img-src data: https://assets.ctfassets.net https://assets.stripeassets.com https://b.stripecdn.com https://images.ctfassets.net https://images.stripeassets.com https://q.stripe.com 'self'; manifest-src 'none'; media-src https://assets.ctfassets.net https://assets.stripeassets.com https://b.stripecdn.com https://videos.ctfassets.net https://videos.stripeassets.com 'self'; object-src 'none'; script-src https://b.stripecdn.com https://js.stripe.com 'self' 'sha256-3aWvb9tRBjmz1OjR3n7mwiTm94+s4iki4mMZF82asmc=' 'sha256-5LtzXhT7UFn+GqP5pKEMGL08UNZsrzANHFEBW/mQHGw=' 'sha256-beLzNcen8LrazzSCRjAapoIMTgJI0osPWGNSX7aK6lc=' 'sha256-cCM0Z4lzGkzQnmbdVw+ouz0JRawyaKcZ4yiqzqYS7ek=' 'sha256-vTifGUJH6hJYTvstw4xJ4xfr/vE0ELkOV4GpCumyqfg=' 'sha256-KxhSaxKB5RFTQsqfRwp+zG7iLjvMrTAySqnSvWlqct0=' 'sha256-tMuJ8c00j54yuxogrdIJeGhNVB350dc56i969XRz/Mc=' 'sha256-aEFSvCaVnb2wNwuO3IzA8J44RdTKt6vms9beA7BcCYg=' 'sha256-0SWEc2BfR2o77i2vUiNNIrFKQkjc2Ujsr2hlfZ6oUek=' 'report-sample'; style-src https://b.stripecdn.com 'self' 'unsafe-inline'; worker-src https://b.stripecdn.com 'self'; upgrade-insecure-requests; report-uri https://q.stripe.com/csp-violation?q=s19Fnq91o9H4NDVx-N7qNHjvHjJd5CM9iCDBgcEd6Ky75-HIBDtVZY0Veb2cUyQ%3D"
        ],
        "content-type": [
            "text/html; charset=utf-8"
        ],
        "cross-origin-opener-policy": [
            "same-origin-allow-popups; report-to=\"wsp_coop\""
        ],
        "cross-origin-opener-policy-report-only": [
            "same-origin-allow-popups; report-to=\"wsp_coop\""
        ],
        "date": [
            "Tue, 17 Mar 2026 15:46:41 GMT"
        ],
        "referrer-policy": [
            "no-referrer-when-downgrade"
        ],
        "report-to": [
            "{\"group\":\"wsp_coop\",\"max_age\":8640,\"endpoints\":[{\"url\":\"https://q.stripe.com/coop-report?s=s19Fnq91o9H4NDVx-N7qNHjvHjJd5CM9iCDBgcEd6Ky75-HIBDtVZY0Veb2cUyQ=\"}],\"include_subdomains\":true},{\"group\":\"wsp_coep\",\"max_age\":8640,\"endpoints\":[{\"url\":\"https://q.stripe.com/coep-report?s=s19Fnq91o9H4NDVx-N7qNHjvHjJd5CM9iCDBgcEd6Ky75-HIBDtVZY0Veb2cUyQ=\"}],\"include_subdomains\":true}"
        ],
        "reporting-endpoints": [
            "coop=\"https://q.stripe.com/coop-report\", wsp_coop=\"https://q.stripe.com/coop-report?s=s19Fnq91o9H4NDVx-N7qNHjvHjJd5CM9iCDBgcEd6Ky75-HIBDtVZY0Veb2cUyQ=\",wsp_coep=\"https://q.stripe.com/coep-report?s=s19Fnq91o9H4NDVx-N7qNHjvHjJd5CM9iCDBgcEd6Ky75-HIBDtVZY0Veb2cUyQ=\""
        ],
        "server": [
            "nginx"
        ],
        "strict-transport-security": [
            "max-age=63072000; includeSubDomains; preload"
        ],
        "x-content-type-options": [
            "nosniff"
        ],
        "x-frame-options": [
            "SAMEORIGIN"
        ],
        "x-mkt-cache": [
            "HIT"
        ],
        "x-stripe-proxy-response": [
            "upstream"
        ],
        "x-stripe-server-rpc-duration-micros": [
            "44130"
        ],
        "x-wc": [
            "ABCDEFGHIJ"
        ]
    },
    "security_headers": [
        {
            "name": "strict-transport-security",
            "reference": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security",
            "found": true,
            "value": [
                "max-age=63072000; includeSubDomains; preload"
            ],
            "issues": []
        },
        {
            "name": "content-security-policy",
            "reference": "https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP",
            "found": true,
            "value": [
                "base-uri 'none'; child-src 'none'; connect-src https://c.increment.com https://c.stripe.dev https://c.stripe.global https://c.stripe.partners blob: https://b.stripecdn.com https://errors.stripe.com https://ext.stripe.com https://r.stripe.com https://stripe-images.s3.us-west-1.amazonaws.com https://stripe.com 'self'; default-src 'none'; font-src https://b.stripecdn.com 'self'; form-action https://stripe.com 'self'; frame-ancestors https://app.contentful.com 'self'; frame-src https://b.stripecdn.com https://js.stripe.com https://support-conversations.stripe.com 'self'; img-src data: https://assets.ctfassets.net https://assets.stripeassets.com https://b.stripecdn.com https://images.ctfassets.net https://images.stripeassets.com https://q.stripe.com 'self'; manifest-src 'none'; media-src https://assets.ctfassets.net https://assets.stripeassets.com https://b.stripecdn.com https://videos.ctfassets.net https://videos.stripeassets.com 'self'; object-src 'none'; script-src https://b.stripecdn.com https://js.stripe.com 'self' 'sha256-3aWvb9tRBjmz1OjR3n7mwiTm94+s4iki4mMZF82asmc=' 'sha256-5LtzXhT7UFn+GqP5pKEMGL08UNZsrzANHFEBW/mQHGw=' 'sha256-beLzNcen8LrazzSCRjAapoIMTgJI0osPWGNSX7aK6lc=' 'sha256-cCM0Z4lzGkzQnmbdVw+ouz0JRawyaKcZ4yiqzqYS7ek=' 'sha256-vTifGUJH6hJYTvstw4xJ4xfr/vE0ELkOV4GpCumyqfg=' 'sha256-KxhSaxKB5RFTQsqfRwp+zG7iLjvMrTAySqnSvWlqct0=' 'sha256-tMuJ8c00j54yuxogrdIJeGhNVB350dc56i969XRz/Mc=' 'sha256-aEFSvCaVnb2wNwuO3IzA8J44RdTKt6vms9beA7BcCYg=' 'sha256-0SWEc2BfR2o77i2vUiNNIrFKQkjc2Ujsr2hlfZ6oUek=' 'report-sample'; style-src https://b.stripecdn.com 'self' 'unsafe-inline'; worker-src https://b.stripecdn.com 'self'; upgrade-insecure-requests; report-uri https://q.stripe.com/csp-violation?q=s19Fnq91o9H4NDVx-N7qNHjvHjJd5CM9iCDBgcEd6Ky75-HIBDtVZY0Veb2cUyQ%3D"
            ],
            "issues": []
        },
        {
            "name": "x-content-type-options",
            "reference": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Content-Type-Options",
            "found": true,
            "value": [
                "nosniff"
            ],
            "issues": []
        },
        {
            "name": "x-xss-protection",
            "reference": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection",
            "found": false,
            "value": [],
            "issues": [
                {
                    "code": "MISSING_X_XSS_PROTECTION",
                    "message": "X-XSS-Protection header is missing. This is acceptable as the header is deprecated.",
                    "type": "information"
                }
            ]
        },
        {
            "name": "referrer-policy",
            "reference": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy",
            "found": true,
            "value": [
                "no-referrer-when-downgrade"
            ],
            "issues": [
                {
                    "code": "REFERRER_POLICY_WEAK",
                    "message": "Referrer-Policy 'no-referrer-when-downgrade' may leak referrer to third-party origins over HTTPS.",
                    "type": "information"
                }
            ]
        },
        {
            "name": "permissions-policy",
            "reference": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Permissions-Policy",
            "found": false,
            "value": [],
            "issues": [
                {
                    "code": "MISSING_PERMISSIONS_POLICY",
                    "message": "Permissions-Policy header is missing.",
                    "type": "error"
                }
            ]
        },
        {
            "name": "x-frame-options",
            "reference": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options",
            "found": true,
            "value": [
                "SAMEORIGIN"
            ],
            "issues": []
        },
        {
            "name": "cross-origin-opener-policy",
            "reference": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy",
            "found": true,
            "value": [
                "same-origin-allow-popups; report-to=\"wsp_coop\""
            ],
            "issues": []
        },
        {
            "name": "cross-origin-embedder-policy",
            "reference": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy",
            "found": false,
            "value": [],
            "issues": [
                {
                    "code": "MISSING_COEP",
                    "message": "Cross-Origin-Embedder-Policy header is missing. Required alongside COOP for full cross-origin isolation.",
                    "type": "information"
                }
            ]
        },
        {
            "name": "cross-origin-resource-policy",
            "reference": "https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Resource-Policy",
            "found": false,
            "value": [],
            "issues": [
                {
                    "code": "MISSING_CORP",
                    "message": "Cross-Origin-Resource-Policy header is missing. Consider setting it to control which origins can load your resources.",
                    "type": "information"
                }
            ]
        }
    ],
    "cors": {
        "present": false,
        "configuration": {
            "allow_origin": "",
            "allow_credentials": false,
            "allow_methods": [],
            "allow_headers": [],
            "expose_headers": [],
            "max_age": 0
        },
        "issues": []
    },
    "information_leakage": [
        {
            "name": "server",
            "found": true,
            "value": [
                "nginx"
            ],
            "issues": []
        }
    ],
    "duplicate_headers": [],
    "cookies": [],
    "summary": {
        "security_headers": {
            "checked": 10,
            "found": 6,
            "missing": 4
        },
        "issues": {
            "errors": 1,
            "warnings": 0,
            "information": 4
        }
    },
    "score": 94,
    "max_score": 100,
    "grade": "A",
    "elapsed_ms": 524
}
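The response above is only useful once something acts on it. The following is an added example (not APIVoid's own code) that triages a response in the shape shown above: it checks the flags that tell you whether the target was actually reached, lists the missing headers, buckets issues by their `type`, cross-checks the `summary` counters against its own count, and turns the result into a pass/fail decision usable in CI or a monitoring job. `SAMPLE_RESPONSE` is a hand-constructed, shortened subset of the page's example output; the `FAILED_RESPONSE` dict, the thresholds in `gate()`, and the assumption that warning-level issues carry the type string `"warning"` (inferred from the `warnings` counter) are this example's own.

```python
"""Triage a Security Headers API response and turn it into a pass/fail decision.

Added example, not APIVoid's own code. SAMPLE_RESPONSE is a hand-constructed
subset of the page's example output (same field names and shapes, shortened
values); the thresholds in gate() are this example's own choice."""


def _hdr(name, found, value=None, issue=None):
    """Build one security_headers entry in the API's shape (constructed data)."""
    return {"name": name, "found": found, "value": value or [],
            "issues": [issue] if issue else []}


def _issue(code, msg, kind):
    return {"code": code, "message": msg, "type": kind}


SAMPLE_RESPONSE = {
    "url": "https://stripe.com/",
    "status_code": 200,
    "connection_error": False,
    "access_restricted": False,
    "security_headers": [
        _hdr("strict-transport-security", True, ["max-age=63072000; includeSubDomains; preload"]),
        _hdr("content-security-policy", True, ["default-src 'none'; script-src 'self'"]),
        _hdr("x-content-type-options", True, ["nosniff"]),
        _hdr("x-xss-protection", False, issue=_issue("MISSING_X_XSS_PROTECTION",
             "X-XSS-Protection header is missing. This is acceptable as the header is deprecated.",
             "information")),
        _hdr("referrer-policy", True, ["no-referrer-when-downgrade"], _issue("REFERRER_POLICY_WEAK",
             "Referrer-Policy 'no-referrer-when-downgrade' may leak referrer to third-party origins over HTTPS.",
             "information")),
        _hdr("permissions-policy", False, issue=_issue("MISSING_PERMISSIONS_POLICY",
             "Permissions-Policy header is missing.", "error")),
        _hdr("x-frame-options", True, ["SAMEORIGIN"]),
        _hdr("cross-origin-opener-policy", True, ["same-origin-allow-popups"]),
        _hdr("cross-origin-embedder-policy", False, issue=_issue("MISSING_COEP",
             "Cross-Origin-Embedder-Policy header is missing.", "information")),
        _hdr("cross-origin-resource-policy", False, issue=_issue("MISSING_CORP",
             "Cross-Origin-Resource-Policy header is missing.", "information")),
    ],
    "cors": {"present": False, "issues": []},
    "information_leakage": [{"name": "server", "found": True, "value": ["nginx"], "issues": []}],
    "summary": {"security_headers": {"checked": 10, "found": 6, "missing": 4},
                "issues": {"errors": 1, "warnings": 0, "information": 4}},
    "score": 94, "max_score": 100, "grade": "A",
}

# Constructed: a scan that never reached the target, using the flags the API exposes.
FAILED_RESPONSE = {"url": "https://example.invalid/", "status_code": 0,
                   "connection_error": True, "access_restricted": False,
                   "security_headers": [], "summary": {}, "score": 0, "max_score": 100}


def scan_completed(resp):
    """A 200 from the API does not mean the target was reached: check the flags first."""
    return (not resp.get("connection_error") and not resp.get("access_restricted")
            and resp.get("status_code", 0) > 0)


def missing_headers(resp):
    return [h["name"] for h in resp.get("security_headers", []) if not h["found"]]


def issues_by_type(resp):
    """Collect (source, code) pairs from every section shown on the page with an 'issues' list.
    'warning' as the type string is an assumption inferred from the 'warnings' counter."""
    buckets = {"error": [], "warning": [], "information": []}
    sections = list(resp.get("security_headers", [])) + list(resp.get("information_leakage", []))
    cors = resp.get("cors")
    if cors:
        sections.append({"name": "cors", "issues": cors.get("issues", [])})
    for item in sections:
        for issue in item.get("issues", []):
            buckets.setdefault(issue["type"], []).append((item["name"], issue["code"]))
    return buckets


def summary_is_consistent(resp):
    """Cross-check the API's own counters against what we counted ourselves."""
    s, b = resp["summary"], issues_by_type(resp)
    return (s["security_headers"]["checked"] == len(resp["security_headers"])
            and s["security_headers"]["missing"] == len(missing_headers(resp))
            and s["issues"]["errors"] == len(b["error"])
            and s["issues"]["warnings"] == len(b["warning"])
            and s["issues"]["information"] == len(b["information"]))


def gate(resp, min_score=90, max_errors=0):
    """Return (passed, reasons). Thresholds are this example's choice, not the API's."""
    if not scan_completed(resp):
        return False, ["scan did not complete (connection_error/access_restricted/status_code)"]
    reasons = []
    errors = issues_by_type(resp)["error"]
    if len(errors) > max_errors:
        reasons.append("%d error-level issue(s): %s" % (len(errors), ", ".join(c for _, c in errors)))
    if resp["score"] < min_score:
        reasons.append("score %d below threshold %d" % (resp["score"], min_score))
    return not reasons, reasons


if __name__ == "__main__":
    ok, why = gate(SAMPLE_RESPONSE)
    print("missing:", missing_headers(SAMPLE_RESPONSE))
    print("gate:", "PASS" if ok else "FAIL", why)
```

With the page's numbers, the default gate fails on the single error-level issue (the missing Permissions-Policy) even though the score of 94 clears the threshold; relaxing `max_errors` to 1 lets it pass. Checking `connection_error` and `access_restricted` before trusting the score matters because an unreachable target would otherwise look like a site with no findings.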

Key Features

Analyze HTTP security headers and detect security weaknesses

Businesses and developers use this Security Headers API to quickly analyze websites, detect missing or misconfigured headers, and identify security issues such as information leakage or weak configurations.

Security Header Analysis

Check important HTTP security headers like Content-Security-Policy, HSTS, X-Content-Type-Options.

Misconfigured Headers

Detect missing or weak headers that could expose applications to clickjacking, MIME sniffing, or cross-site scripting attacks.

Information Leakage

Identify HTTP to HTTPS redirects, HTTP accessibility, and server headers that leak software versions.

Score & Security Grade

Get a security score up to 100 and a grade up to A+ based on headers, cookie security, and overall analysis.

Common Use Cases

Take a look at some real-world use cases of this API service

Our API can be applied in many scenarios, from security monitoring to development workflows. Below are some of the most common ways our customers use the Security Headers API:

Scan Security Headers

Automatically analyze HTTP security headers to detect missing protections such as CSP and HSTS.

Monitor Security Headers

Continuously monitor websites for misconfigured headers that could expose applications to web attacks.

Security Monitoring & SIEM

Enrich SIEM events or security alerts with HTTP header analysis and HTTPS enforcement information.

Audit Website Security

Assess website security posture by reviewing headers, cookie attributes and information leakage.
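Continuous monitoring is mostly about noticing change: a header that was present last week and is gone after a deployment, or a value that was silently weakened. The following is an added example (not APIVoid's own code) that compares two scans of the same site and reports what was lost, gained or changed, plus the difference in error-level issues and score. `BASELINE` and `LATEST` are hand-constructed dicts carrying only the response fields the comparison reads (`security_headers` name/found/value/issues, `score`, `grade`); the issue code `EXAMPLE_MISSING_CSP` is a placeholder, not a real API code.

```python
"""Compare two Security Headers API scans of the same site and report regressions.

Added example for the 'Monitor Security Headers' use case; not APIVoid's own code.
BASELINE and LATEST are hand-constructed and carry only the response fields the
comparison reads; EXAMPLE_MISSING_CSP is a placeholder issue code."""


def _entry(name, found, value=None, issues=()):
    """One security_headers entry in the API's shape; issues is a list of (code, type)."""
    return {"name": name, "found": found, "value": value or [],
            "issues": [{"code": c, "type": t} for c, t in issues]}


BASELINE = {"score": 94, "grade": "A", "security_headers": [
    _entry("strict-transport-security", True, ["max-age=63072000; includeSubDomains; preload"]),
    _entry("content-security-policy", True, ["default-src 'none'; script-src 'self'"]),
    _entry("x-frame-options", True, ["SAMEORIGIN"]),
    _entry("permissions-policy", False, issues=[("MISSING_PERMISSIONS_POLICY", "error")]),
]}

# Constructed later scan after a deployment: HSTS weakened, CSP dropped, Permissions-Policy added.
LATEST = {"score": 70, "grade": "C", "security_headers": [
    _entry("strict-transport-security", True, ["max-age=300"]),
    _entry("content-security-policy", False, issues=[("EXAMPLE_MISSING_CSP", "error")]),
    _entry("x-frame-options", True, ["SAMEORIGIN"]),
    _entry("permissions-policy", True, ["camera=(), microphone=()"]),
]}


def _index(resp):
    return {h["name"]: h for h in resp["security_headers"]}


def _error_codes(resp):
    return {i["code"] for h in resp["security_headers"] for i in h["issues"] if i["type"] == "error"}


def compare_scans(baseline, latest):
    """Return what was lost, gained or changed between two scans, plus the error-issue delta."""
    old, new = _index(baseline), _index(latest)
    names = set(old) | set(new)
    lost = sorted(n for n in names
                  if old.get(n, {}).get("found") and not new.get(n, {}).get("found"))
    gained = sorted(n for n in names
                    if new.get(n, {}).get("found") and not old.get(n, {}).get("found"))
    # Headers present in both scans whose value changed; left for a human to judge.
    changed = {n: (old[n]["value"], new[n]["value"]) for n in names
               if n in old and n in new and old[n]["found"] and new[n]["found"]
               and old[n]["value"] != new[n]["value"]}
    return {
        "lost": lost,
        "gained": gained,
        "changed": changed,
        "new_errors": sorted(_error_codes(latest) - _error_codes(baseline)),
        "resolved_errors": sorted(_error_codes(baseline) - _error_codes(latest)),
        "score_delta": latest["score"] - baseline["score"],
    }


def is_regression(delta):
    """A header disappearing, a new error-level issue or a lower score all count as regressions;
    a changed value is reported for review but not judged here."""
    return bool(delta["lost"] or delta["new_errors"] or delta["score_delta"] < 0)


if __name__ == "__main__":
    d = compare_scans(BASELINE, LATEST)
    print("regression" if is_regression(d) else "no regression", d)
```

The design choice worth noting is that a changed value is reported but not scored: a CSP that gained a hash or an HSTS `max-age` that was shortened both show up as `changed`, and only a reviewer (or a rule written for that specific header) can say which direction is worse.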


Usage Example

Learn how seamless it is to add and use Security Headers API anywhere you want

All it takes is an HTTPS POST request with a JSON payload to our endpoint, and you'll receive the response within seconds, usually 1-3. Here is an example of calling the API:

$url = 'https://www.stripe.com/';                  // site to analyze

$apiUrl = 'https://api.apivoid.com/v2/security-headers';
$apiKey = 'your_api_key_here';                     // sent in the X-API-Key header

$ch = curl_init($apiUrl);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);   // return the body instead of printing it
curl_setopt($ch, CURLOPT_HTTPHEADER, ['Content-Type: application/json', 'X-API-Key: ' . $apiKey]);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, json_encode(['url' => $url]));   // JSON payload: {"url": "..."}
$response = curl_exec($ch);
$httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

if ($httpCode === 200) {
    $responseData = json_decode($response, true);  // decode into an associative array

    print_r($responseData);
} else {
    print_r('An error occurred: '.$response);      // non-200 status: show whatever the API returned
}

Start using our API services; it takes just a few minutes

Create your account, pick a subscription plan, and make your first API call instantly with your API key—simple as that!
