Security Scanner
Enter any public URL and get a real-time security header audit. Checks 9 HTTP security headers, scores them individually, and returns an overall A–F grade. The API validates and sanitises all input, blocks private/internal URLs (SSRF prevention), and runs entirely on Vercel Edge — no external dependencies.
Try it live →

- Headers checked: 9
- Grading: A–F
- SSRF protection: Yes
- Latency: < 2s
How it works
What It Checks
Nine checks covering transport and security-critical headers: HTTPS enforcement, Strict-Transport-Security (HSTS, with max-age validation), Content-Security-Policy (CSP), X-Content-Type-Options (nosniff), X-Frame-Options / CSP frame-ancestors (clickjacking), Referrer-Policy, Permissions-Policy, Server header disclosure, and X-Powered-By disclosure. Each check gets an individual pass/warn/fail/info verdict.
Scoring
Score is the percentage of non-informational checks that pass. Grade thresholds: A (90%+), B (75%+), C (60%+), D (40%+), F (below 40%). Only a pass counts, so warnings and failures both reduce the score. Informational findings (the Server and X-Powered-By disclosure checks) are shown but don't affect the grade.
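The checks and the scoring rule above, written out as an added example (this is illustrative code, not the scanner's own source). The function names, the HSTS max-age threshold used for a pass, the verdict rules for individual headers and the sample header sets are assumptions; the nine checks, the four verdict levels and the grade thresholds are the page's.

```javascript
// Added example, not the scanner's source: the nine checks, each returning
// pass / warn / fail / info, plus the percentage score and A-F grade.
// Function names, HSTS threshold and per-header verdict rules are assumptions.

const GRADE_THRESHOLDS = [['A', 90], ['B', 75], ['C', 60], ['D', 40]];
const HSTS_MIN_MAX_AGE = 15552000; // 180 days; assumed minimum for a pass

// Minimal case-insensitive header lookup so the example runs without fetch's Headers.
function headersOf(obj) {
  const m = new Map(Object.entries(obj).map(([k, v]) => [k.toLowerCase(), v]));
  return { get: (name) => m.get(name.toLowerCase()) ?? null };
}

const finding = (name, status, detail) => ({ name, status, detail });

function checkHeaders(finalUrl, headers) {
  const get = (n) => headers.get(n);
  const out = [];

  const https = new URL(finalUrl).protocol === 'https:';
  out.push(finding('https', https ? 'pass' : 'fail', https ? 'served over HTTPS' : 'plain HTTP'));

  const hsts = get('strict-transport-security');
  const maxAge = hsts ? Number((/max-age=(\d+)/i.exec(hsts) || [])[1] ?? 0) : 0;
  out.push(finding('hsts', !hsts ? 'fail' : maxAge >= HSTS_MIN_MAX_AGE ? 'pass' : 'warn',
    hsts ? `max-age=${maxAge}` : 'missing'));

  // A CSP that re-enables inline script or eval gives little protection: warn, not pass.
  const csp = get('content-security-policy');
  out.push(finding('csp', !csp ? 'fail' : /unsafe-(inline|eval)/i.test(csp) ? 'warn' : 'pass',
    csp ? 'present' : 'missing'));

  const nosniff = (get('x-content-type-options') || '').trim().toLowerCase() === 'nosniff';
  out.push(finding('nosniff', nosniff ? 'pass' : 'fail', nosniff ? 'nosniff' : 'missing'));

  // Either CSP frame-ancestors or a DENY/SAMEORIGIN X-Frame-Options blocks framing.
  const xfo = (get('x-frame-options') || '').trim().toUpperCase();
  const frameAncestors = csp ? /(^|;)\s*frame-ancestors\b/i.test(csp) : false;
  const framingBlocked = frameAncestors || xfo === 'DENY' || xfo === 'SAMEORIGIN';
  const cj = framingBlocked ? 'pass' : (xfo ? 'warn' : 'fail');
  out.push(finding('clickjacking', cj, frameAncestors ? 'CSP frame-ancestors' : (xfo || 'no protection')));

  const rp = (get('referrer-policy') || '').trim().toLowerCase();
  const rpStatus = !rp ? 'fail' : ['unsafe-url', 'no-referrer-when-downgrade'].includes(rp) ? 'warn' : 'pass';
  out.push(finding('referrer-policy', rpStatus, rp || 'missing'));

  const pp = get('permissions-policy');
  out.push(finding('permissions-policy', pp ? 'pass' : 'warn', pp ? 'present' : 'missing'));

  // Disclosure checks are informational only and never affect the grade.
  for (const h of ['server', 'x-powered-by']) {
    const v = get(h);
    out.push(finding(h, 'info', v ? `discloses "${v}"` : 'not disclosed'));
  }
  return out;
}

function scoreFindings(findings) {
  const graded = findings.filter((f) => f.status !== 'info');
  const passed = graded.filter((f) => f.status === 'pass').length;
  const score = Math.round((100 * passed) / graded.length);
  const grade = (GRADE_THRESHOLDS.find(([, t]) => score >= t) || ['F'])[0];
  return { score, grade };
}

// Ties the two together; finalUrl is the URL after redirects, which is what the
// HTTPS check must look at.
function scan(finalUrl, headers) {
  const findings = checkHeaders(finalUrl, headers);
  return { ...scoreFindings(findings), findings };
}
```

With seven graded checks, a site that sets a short HSTS max-age, allows `'unsafe-inline'` in its CSP and omits Permissions-Policy passes 4 of 7 and lands at 57%, a D: warnings cost exactly as much as failures under this rule, which is worth knowing before reading the letter grade.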
API Design
Single POST endpoint accepts a URL string. Input is normalised (https:// is auto-prepended if no scheme is given), parsed with the URL constructor, and validated against SSRF patterns. The scanner tries an HTTP HEAD first and falls back to GET if the target rejects HEAD. A 10-second timeout is enforced with AbortController. Returns structured JSON with grade, score, response time, and a per-header findings array.
Security
- SSRF prevention: blocks localhost, private IP ranges (10.x, 172.16-31.x, 192.168.x), .local, .internal
- Protocol whitelist: only HTTP and HTTPS allowed
- URL length capped at 2048 characters
- 10-second request timeout stops a slow or unresponsive target from holding the scan open (slowloris-style resource exhaustion against the scanner)
- No user data stored — stateless scan and discard
- HEAD-first strategy minimises bandwidth to target
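The request path from the API Design and Security sections, as an added example (not the scanner's own source): normalisation, the length, protocol and SSRF checks, then the HEAD-first fetch with the 10-second AbortController timeout. Function names are assumptions. The example goes beyond the page's stated block list in two places, both marked in the code: it also rejects 127/8, 0/8, 169.254/16 (link-local, where cloud metadata endpoints live) and the IPv6 loopback, link-local and unique-local ranges, and it follows redirects manually so that every hop is re-validated, which assumes a runtime where `redirect: 'manual'` exposes the 3xx response and its Location header (Node's fetch does; browsers return an opaque response). One thing no string check can do is see what a hostname resolves to; on a runtime that exposes DNS you would resolve first and check the resulting address as well.

```javascript
// Added example, not the scanner's source: input normalisation, the
// protocol/length/SSRF checks, and HEAD-then-GET with a 10 s timeout.
// Function names are assumptions; ranges marked "beyond the page" are additions.

const MAX_URL_LENGTH = 2048;
const TIMEOUT_MS = 10_000;
const BLOCKED_SUFFIXES = ['.local', '.internal'];

function parseIPv4(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return null;
  const octets = m.slice(1).map(Number);
  return octets.every((o) => o <= 255) ? octets : null;
}

function isPrivateIPv4([a, b]) {
  return a === 10 ||                              // 10/8
    (a === 172 && b >= 16 && b <= 31) ||          // 172.16/12
    (a === 192 && b === 168) ||                   // 192.168/16
    a === 127 || a === 0 || (a === 169 && b === 254); // beyond the page: loopback, "this", link-local
}

// Beyond the page: IPv6 loopback, unspecified, link-local, unique-local and v4-mapped.
function isBlockedIPv6(host) {
  const h = host.replace(/^\[|\]$/g, '').toLowerCase(); // URL.hostname keeps the brackets
  return h === '::1' || h === '::' || h.startsWith('fe80:') || /^f[cd]/.test(h) || h.startsWith('::ffff:');
}

// Returns a URL object or throws. Checking url.hostname *after* the URL
// constructor matters: the parser rewrites decimal, octal and hex IPv4 forms
// such as 2130706433 or 0x7f.1 to dotted-quad, so those cannot slip past the regex.
function normaliseTarget(input) {
  if (typeof input !== 'string') throw new Error('url must be a string');
  let raw = input.trim();
  if (raw.length === 0 || raw.length > MAX_URL_LENGTH) throw new Error('url length out of range');
  if (!/^[a-z][a-z0-9+.-]*:\/\//i.test(raw)) raw = 'https://' + raw; // auto-prepend scheme
  let url;
  try { url = new URL(raw); } catch { throw new Error('invalid url'); }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') throw new Error('only http and https are allowed');
  const host = url.hostname.toLowerCase();
  if (host === 'localhost' || host.endsWith('.localhost')) throw new Error('blocked host');
  if (BLOCKED_SUFFIXES.some((s) => host.endsWith(s))) throw new Error('blocked host');
  const v4 = parseIPv4(host);
  if (v4 && isPrivateIPv4(v4)) throw new Error('blocked address');
  if (host.startsWith('[') && isBlockedIPv6(host)) throw new Error('blocked address');
  return url;
}

// HEAD first; GET only when the target rejects HEAD. One AbortController covers
// the whole scan, including the GET fallback and every redirect hop.
async function fetchTargetHeaders(url, maxHops = 5) {
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), TIMEOUT_MS);
  const started = Date.now();
  try {
    let current = url;
    for (let hop = 0; hop <= maxHops; hop++) {
      const opts = { redirect: 'manual', signal: controller.signal };
      let res = await fetch(current, { ...opts, method: 'HEAD' });
      if (res.status === 405 || res.status === 501) res = await fetch(current, { ...opts, method: 'GET' });
      const location = res.headers.get('location');
      if (res.status >= 300 && res.status < 400 && location) {
        // Beyond the page: re-validate each hop so a redirect cannot steer the
        // scanner to a private address that the first check rejected.
        current = normaliseTarget(new URL(location, current).href);
        continue;
      }
      return { finalUrl: current.href, status: res.status, headers: res.headers, ms: Date.now() - started };
    }
    throw new Error('too many redirects');
  } finally {
    clearTimeout(timer);
  }
}
```

`fetchTargetHeaders` needs a network and is not exercised offline; `normaliseTarget` is the part that can be tested on its own, and the cases worth keeping in a regression test are the boundary of 172.16/12 (172.32.0.1 is public), the bracketed IPv6 loopback, and the decimal form of 127.0.0.1 that only the URL parser exposes.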
Want something like this built for your business?
I'll look at your problem, figure out the right approach, and ship working software. No slideshows.
Book a free consultation