HTTP headers + security analysis

$0.003 per call · USDC via x402 · POST /api/http-headers

Fetch a URL and return every response header plus a security analysis: HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP/CORP/COEP. Scores 0–100 by presence, flags weak HSTS, and warns on Server/X-Powered-By identity leaks. SSRF-protected.

Input

Field     Type     Description
url *     string   Public http(s) URL to probe
method    string   GET or HEAD (default GET)

Example output

{
  "url": "https://example.com/",
  "finalUrl": "https://example.com/",
  "status": 200,
  "statusText": "OK",
  "redirected": false,
  "httpVersion": null,
  "headers": {
    "content-type": "text/html; charset=UTF-8",
    "server": "ECAcc (nyd/D17C)"
  },
  "security": {
    "score": 0,
    "findings": [
      {
        "header": "HSTS",
        "present": false,
        "value": null
      }
    ],
    "warnings": [
      "Server header leaks identity: ECAcc (nyd/D17C)"
    ]
  },
  "fetchedAt": "2026-06-19T22:00:00.000Z"
}
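
A local version of the analysis described above, run over the headers from the example output. This is an added example, not Agent402's code: the equal weighting per header, the 180-day HSTS threshold and the `analyzeHeaders` name are assumptions.

```javascript
// Added example, not Agent402's code. Equal weighting per header and the
// HSTS max-age threshold are assumptions about how such a score can be built.
const CHECKED = {
  HSTS: "strict-transport-security",
  CSP: "content-security-policy",
  "X-Frame-Options": "x-frame-options",
  "X-Content-Type-Options": "x-content-type-options",
  "Referrer-Policy": "referrer-policy",
  "Permissions-Policy": "permissions-policy",
  COOP: "cross-origin-opener-policy",
  CORP: "cross-origin-resource-policy",
  COEP: "cross-origin-embedder-policy",
};
const MIN_HSTS_MAX_AGE = 15552000; // 180 days in seconds (assumed threshold)

function analyzeHeaders(rawHeaders) {
  // Header names are case-insensitive; normalise into a prototype-free map.
  const headers = Object.create(null);
  for (const [k, v] of Object.entries(rawHeaders)) headers[k.toLowerCase()] = String(v);

  const findings = Object.entries(CHECKED).map(([header, name]) => ({
    header,
    present: name in headers,
    value: headers[name] ?? null,
  }));
  const present = findings.filter((f) => f.present).length;
  const score = Math.round((100 * present) / findings.length);

  const warnings = [];
  const hsts = headers["strict-transport-security"];
  if (hsts !== undefined) {
    // A missing or unparsable max-age is treated as 0, i.e. weak.
    const m = /(?:^|;)\s*max-age\s*=\s*"?(\d+)"?/i.exec(hsts);
    const maxAge = m ? Number(m[1]) : 0;
    if (maxAge < MIN_HSTS_MAX_AGE) warnings.push(`Weak HSTS: max-age=${maxAge}`);
  }
  for (const [name, label] of [["server", "Server"], ["x-powered-by", "X-Powered-By"]]) {
    if (headers[name]) warnings.push(`${label} header leaks identity: ${headers[name]}`);
  }
  return { score, findings, warnings };
}

// Sample input: the two headers shown in the page's example output.
const sample = analyzeHeaders({ "content-type": "text/html; charset=UTF-8", server: "ECAcc (nyd/D17C)" });
console.log(JSON.stringify(sample, null, 2));
```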

Try it — see the 402 challenge (free)

curl -i -X POST https://agent402.tools/api/http-headers \
  -H "Content-Type: application/json" \
  -d '{"url":"https://example.com"}'

The response is HTTP 402 Payment Required with exact payment requirements. Any x402 v2 client pays automatically and retries:

Paid call (JavaScript agent)

import { wrapFetchWithPayment } from "@x402/fetch";
import { x402Client } from "@x402/core/client";
import { registerExactEvmScheme } from "@x402/evm/exact/client";
import { privateKeyToAccount } from "viem/accounts";

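// KEY is the paying wallet's private key (0x-prefixed hex). Read it from the
// environment or a secret store rather than hardcoding it; the variable name
// X402_PRIVATE_KEY is an assumption, not something the tool requires.
const KEY = process.env.X402_PRIVATE_KEY;

// Register the exact EVM payment scheme, then wrap fetch so that a 402
// challenge is paid and the request retried automatically.
const client = new x402Client();
registerExactEvmScheme(client, { signer: privateKeyToAccount(KEY) });
const payFetch = wrapFetchWithPayment(fetch, client);

const res = await payFetch("https://agent402.tools/api/http-headers", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({
    "url": "https://example.com"
  }),
});

// The body has the shape shown under "Example output".
const report = await res.json();
console.log(report.security);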

Wallet-only. This tool reaches the network/browser/storage, so it is paid in USDC via x402 (no proof-of-work tier).

Related tools

DNS lookup

USDC $0.001 · GET /api/dns

DNS lookup for a domain. Supported record types: A, AAAA, MX, TXT, NS, CNAME.

HTTP check

USDC $0.003 · POST /api/http-check

Check any public URL: status code, latency, final URL after redirects, and response headers. The uptime primitive for ag…

TLS certificate

USDC $0.003 · POST /api/tls-cert

Inspect the TLS certificate of any public host: subject, issuer, validity window, days remaining, SANs, and SHA-256 fing…