security.http-headers
Fetch a URL and grade its HTTP security headers. Pass url (scheme optional — defaults to https). Returns an overall letter grade + score, the list of present/missing headers, and a per-header analysis with the live value and specific issues for: Strict-Transport-Security (HSTS max-age/includeSubDomains), Content-Security-Policy (flags 'unsafe-inline'/'unsafe-eval'/missing default-src), X-Frame-Options or CSP frame-ancestors (clickjacking), X-Content-Type-Options (nosniff), Referrer-Policy, Permissions-Policy, and Cross-Origin-Opener/Resource-Policy. Also flags Server/X-Powered-By info disclosure. Analyzed from the target's LIVE response headers through an SSRF-guarded fetch (private/loopback targets refused) — an LLM cannot see a site's current headers. For web-app security review, vendor assessment, and CI gates.
/api/security/http-headersPAYMENT-SIGNATURE.Parameters
| Name | Type | Description |
|---|---|---|
urlrequired | string | min 3 chars · max 2048 chars |
Code samples
# 1. Probe with no auth → 402 envelope with PaymentRequirements curl -sS 'https://2s.io/api/security/http-headers?url=xxx' # 2. Sign + retry with PAYMENT-SIGNATURE: curl -sS 'https://2s.io/api/security/http-headers?url=xxx' \ -H 'PAYMENT-SIGNATURE: <base64-json-payload>' # Or use the canonical runner (handles probe → sign → retry): # EVM_PRIVATE_KEY=0x... node --env-file=.env.local \ # --experimental-strip-types scripts/x402-pay.ts \ # 'https://2s.io/api/security/http-headers?url=xxx'
import { TwoS } from '@2sio/sdk'
const client = new TwoS({
privateKey: process.env.EVM_PRIVATE_KEY as `0x${string}`,
})
const result = await client.security.httpHeaders({
"url": "xxx"
})
console.log('endpoint:', result.endpoint)
console.log('cost:', result.costUsd, 'USDC')
console.log('tx:', result.settlement?.txHash)
console.log('data:', result.data)import os
from twosio import TwoS
client = TwoS(private_key=os.environ["EVM_PRIVATE_KEY"])
result = client.security.http_headers(url="xxx")
print("endpoint:", result.endpoint)
print("cost:", result.cost_usd, "USDC")
print("tx:", (result.settlement or {}).get("tx_hash"))
print("data:", result.data)// 1. Add @2sio/mcp to your MCP host config (Claude Desktop example below).
// EVM_PRIVATE_KEY funds x402 payments per call.
// claude_desktop_config.json
{
"mcpServers": {
"2sio": {
"command": "npx",
"args": ["-y", "@2sio/mcp"],
"env": { "EVM_PRIVATE_KEY": "0x..." }
}
}
}
// 2. Once the server is running, agents call this tool via standard MCP:
{
"jsonrpc": "2.0",
"id": 1,
"method": "tools/call",
"params": {
"name": "security.http-headers",
"arguments": {
"url": "xxx"
}
}
}Response
| Field | Type | Description |
|---|---|---|
ok | boolean | one of: true |
items | array | |
total | integer | Total matching rows upstream; null when unknown. |
source | object |
{
"ok": true,
"items": [
{
"url": "example",
"finalUrl": "example",
"status": 1,
"grade": "example",
"score": 1,
"maxScore": 1,
"present": [
"example"
],
"missing": [
"example"
],
"headers": [
{
"header": "example",
"present": false,
"value": "example",
"weight": 1,
"issues": [
"example"
]
}
],
"infoDisclosure": {
"server": "example",
"xPoweredBy": "example"
},
"note": "example"
}
],
"total": 1,
"source": {
"provider": "example",
"url": "example",
"license": "example"
}
}Discovery
- /api/directory — full catalog of every endpoint
- /openapi.json — OpenAPI 3.1 spec (per-op x-payment-info, x402Payment security)
- /.well-known/x402 — machine-readable service descriptor for x402-aware crawlers
- /.well-known/mcp/server-card.json — MCP SEP-1649 server card
- /llms.txt — plain-text manifest for LLM ingestion