Security Headers Analyzer – Endpoint

Base URL

https://api.rsch.io

Path

/api/v1/recon/headers

Method

GET

Query Parameters

  • domain – Required. Domain or full URL, for example testphp.vulnweb.com or https://testphp.vulnweb.com.

Example Request

GET https://api.rsch.io/api/v1/recon/headers?domain=testphp.vulnweb.com

Responses follow the standard API envelope:

{
  "status": "success",
  "request_id": "aff0bf5d-5134-4245-8037-3b5a0dc9d646",
  "date": "2025-11-19 08:19:51",
  "duration": 0.131566762924194,
  "data": {
    "input": "http://testphp.vulnweb.com/",
    "url": "http://testphp.vulnweb.com/",
    "final_url": "http://testphp.vulnweb.com/",
    "status_code": 200,
    "host": "testphp.vulnweb.com",
    "headers": {
      "content_security_policy": {
        "present": false,
        "value": null,
        "status": "FAIL",
        "icon": "❌",
        "notes": "Header is missing."
      },
      "x_frame_options": {
        "present": false,
        "value": null,
        "status": "FAIL",
        "icon": "❌",
        "notes": "Header is missing (clickjacking risk)."
      },
      "x_content_type_options": {
        "present": false,
        "value": null,
        "status": "FAIL",
        "icon": "❌",
        "notes": "Header is missing (MIME sniffing risk)."
      },
      "referrer_policy": {
        "present": false,
        "value": null,
        "status": "FAIL",
        "icon": "❌",
        "notes": "Header is missing (referrer handling not strictly controlled)."
      },
      "strict_transport_security": {
        "present": false,
        "value": null,
        "status": "FAIL",
        "icon": "❌",
        "notes": "HSTS header is missing."
      },
      "permissions_policy": {
        "present": false,
        "value": null,
        "status": "WARN",
        "icon": "⚠️",
        "notes": "Permissions-Policy / Feature-Policy is missing. This header is optional but recommended to limit browser features."
      },
      "x_xss_protection": {
        "present": false,
        "value": null,
        "status": "WARN",
        "icon": "⚠️",
        "notes": "X-XSS-Protection is missing. Note: this header is deprecated in modern browsers, so absence is usually acceptable."
      },
      "cross_origin_opener_policy": {
        "present": false,
        "value": null,
        "status": "WARN",
        "icon": "⚠️",
        "notes": "COOP is not set (affects browsing context isolation)."
      },
      "cross_origin_resource_policy": {
        "present": false,
        "value": null,
        "status": "WARN",
        "icon": "⚠️",
        "notes": "CORP is not set (controls cross-origin resource loading)."
      },
      "cross_origin_embedder_policy": {
        "present": false,
        "value": null,
        "status": "WARN",
        "icon": "⚠️",
        "notes": "COEP is not set. It is mainly relevant for advanced use cases such as SharedArrayBuffer."
      },
      "server_info": {
        "present": true,
        "status": "WARN",
        "icon": "⚠️",
        "value": {
          "server": "nginx/1.19.0",
          "x_powered_by": "PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1"
        },
        "notes": "Server: nginx/1.19.0 | X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1"
      }
    }
  }
}

On error, the envelope contains an error field with a human-readable message.
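
One way to consume this envelope in a header-hardening check, shown as an added example that is not part of the original documentation or the API's own client code. The function names build_url and triage, the trimmed sample, the error-envelope shape beyond its "error" field, and the "plaintext" flag are assumptions made for illustration; authentication is not covered on this page and is left out.

```python
import json
from urllib.parse import urlencode

BASE_URL = "https://api.rsch.io"
PATH = "/api/v1/recon/headers"

# Constructed sample: the response shown above, trimmed to the fields used here.
SAMPLE_OK = json.loads("""
{"status": "success",
 "data": {"final_url": "http://testphp.vulnweb.com/", "headers": {
   "content_security_policy": {"present": false, "status": "FAIL"},
   "strict_transport_security": {"present": false, "status": "FAIL"},
   "permissions_policy": {"present": false, "status": "WARN"},
   "server_info": {"present": true, "status": "WARN",
                   "value": {"server": "nginx/1.19.0"}}}}}
""")
# Constructed error envelope; the page only says it carries an "error" field.
SAMPLE_ERROR = {"error": "constructed example message"}


def build_url(domain):
    """Build the GET URL; urlencode keeps a full-URL `domain` from breaking the query."""
    return f"{BASE_URL}{PATH}?{urlencode({'domain': domain})}"


def triage(envelope):
    """Group header checks by status and collect disclosed server banners."""
    if "error" in envelope or envelope.get("status") != "success":
        raise ValueError(envelope.get("error", "unexpected envelope"))
    data = envelope["data"]
    groups = {}
    for name, check in data["headers"].items():
        groups.setdefault(check.get("status", "UNKNOWN"), []).append(name)
    banners = data["headers"].get("server_info", {}).get("value") or {}
    return {
        "final_url": data.get("final_url"),
        # Assumption: flag reports whose final URL was served over plain HTTP.
        "plaintext": str(data.get("final_url", "")).startswith("http://"),
        "groups": {status: sorted(names) for status, names in groups.items()},
        "banners": banners,
    }


if __name__ == "__main__":
    print(build_url("https://testphp.vulnweb.com"))
    print(json.dumps(triage(SAMPLE_OK), indent=2))
```

A non-empty FAIL group can be used to fail a build or open a ticket, while the WARN group and the banners are better reported than enforced.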
