
Response headers + security grade

Fetch a URL, return every response header, score the security headers A–F.

POST /v1/intel/headers

The service issues one GET against the target URL. It returns the full response header list (multi-value headers preserved) plus a 0–100 security score derived from HSTS, CSP, X-Content-Type-Options, X-Frame-Options (or CSP frame-ancestors), Referrer-Policy, Permissions-Policy, COOP, and CORP. A 90+ score earns an A; a 0–39 score earns an F. Useful for compliance audits and pre-launch checks. Tight timeouts (15 s total) keep the call interactive.

Supported

8 standard browser-security headers, with CSP frame-ancestors counted as equivalent to X-Frame-Options.

Not supported

We do not validate CSP directive correctness, score Subresource Integrity, or check certificate transparency. For deep audits, chain to a dedicated scanner.

Parameters

| Name | Type | Required | Default | Description |
|------|------|----------|---------|-------------|
| url | string | yes | | URL to inspect. Must include scheme (http/https). |

Request

curl -X POST https://api.qcrawl.com/v1/intel/headers \
  -H "Authorization: Bearer osk_..." \
  -H "Content-Type: application/json" \
  -d '{"url": "https://anthropic.com"}'

Response

{
  "status": "success",
  "url": "https://anthropic.com",
  "final_status": 200,
  "elapsed_ms": 187,
  "headers": [
    ["content-type", "text/html; charset=utf-8"],
    ["strict-transport-security", "max-age=31536000; includeSubDomains; preload"],
    ...
  ],
  "header_count": 18,
  "security_grade": {
    "score": 85,
    "grade": "B",
    "present": [{"header": "strict-transport-security", "points": 25, "value": "..."}, ...],
    "missing": [{"header": "cross-origin-opener-policy", "points": 5, "note": "COOP — process isolation"}]
  }
}
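
A pre-launch gate built on the response shape above, as an added example that is not part of the original documentation: it fails on a score below the A threshold, lists the missing headers, and runs two directive-level checks that the endpoint does not perform. The function names, the one-year HSTS minimum, the unsafe-inline/eval rule and the sample values are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the documented response shape (values are made up).
SAMPLE = {
    "status": "success",
    "url": "https://example.test",
    "final_status": 200,
    "headers": [
        ["strict-transport-security", "max-age=3600"],
        ["content-security-policy", "default-src 'self'; script-src 'unsafe-inline'"],
        ["content-security-policy", "frame-ancestors 'none'"],
        ["set-cookie", "a=1"],
        ["set-cookie", "b=2"],
    ],
    "security_grade": {
        "score": 62,
        "grade": "C",
        "missing": [{"header": "cross-origin-opener-policy", "points": 5}],
    },
}

def group_headers(pairs):
    """Turn [name, value] pairs into {name: [values]} so repeats survive."""
    grouped = defaultdict(list)
    for name, value in pairs:
        grouped[name.lower()].append(value)
    return dict(grouped)

def gate(resp, min_score=90, min_hsts_age=31536000):
    """Return findings for one response; an empty list means the gate passes."""
    if resp.get("status") != "success":
        return ["lookup failed"]
    grade = resp["security_grade"]
    findings = []
    if grade["score"] < min_score:
        findings.append(f"score {grade['score']} ({grade['grade']}) < {min_score}")
    findings += [f"missing {m['header']}" for m in grade.get("missing", [])]
    hdrs = group_headers(resp["headers"])
    # Directive-level checks the endpoint does not perform (local policy, assumed).
    for value in hdrs.get("strict-transport-security", []):
        m = re.search(r"max-age=(\d+)", value, re.I)
        if m is None or int(m.group(1)) < min_hsts_age:
            findings.append("hsts max-age below minimum")
    for value in hdrs.get("content-security-policy", []):
        if re.search(r"'unsafe-(inline|eval)'", value):
            findings.append("csp allows unsafe-inline/eval")
    return findings
```

Because headers arrive as a list of pairs rather than an object, grouping them first keeps every repeated header, such as a second Content-Security-Policy, visible to the checks.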

Errors

| Code | Meaning |
|------|---------|
| 400 | URL targets a private or reserved IP (blocked by SSRF guard). |
| 500 | Connection failed or upstream timeout. |
