Headers Audit API • Live on Signet test network only

Audit HTTP security headers in one call.

Use a funded Signet session to inspect the security headers on any public URL and get a normalized hardening score with findings for CSP, HSTS, CORS, cookie flags, and related controls.

3 sats / call
POST /api/headers
Hardening score

What It Does

Headers Audit checks whether a public URL is sending the main browser-facing security headers you would expect on a hardened deployment. It is designed for quick reviews, automation, and agent workflows that need structured findings instead of manual header inspection.

  • Checks CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy
  • Looks at cookie security flags and common server disclosure issues
  • Returns a normalized hardening score with findings
  • Useful for defensive reviews and regression checks after deployment changes

Why It Helps

Raw response headers are easy for humans to read once, but they are not a great automation primitive. This endpoint turns a live header fetch into a compact security posture summary that is easier to compare, alert on, or feed into a broader domain review workflow.

  • Good fit for quick URL hardening checks
  • Useful inside broader triage or domain-intel pipelines
  • Cheap enough for repeated regression checks
  • Current deployment is Signet only

Example Request

curl -X POST https://arkapi.dev/api/headers \
  -H "Authorization: Bearer ak_your_token" \
  -H "Content-Type: application/json" \
  -d '{"url":"https://example.com"}' | jq

Use a funded token from the Fund page. The endpoint is also documented in /openapi.json for agents and wrappers.

Example Body

{ "url": "https://example.com" }
  • url is required
  • Target must be a public URL
  • Private, loopback, and metadata targets are rejected

Example Response

{
  "success": true,
  "data": {
    "url": "https://example.com",
    "score": 72,
    "https": true,
    "headers": {
      "content_security_policy": true,
      "strict_transport_security": true,
      "x_frame_options": true,
      "referrer_policy": false
    },
    "findings": [
      "Referrer-Policy header missing",
      "Server header leaks implementation details"
    ]
  },
  "cost_sats": 3,
  "response_ms": 88,
  "endpoint": "/api/headers"
}
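
A regression check built on the response shape above, as an added example that is not part of ArkAPI's own code or documentation. The function name diff_audits, the max_score_drop parameter, and the AFTER_DEPLOY sample (its score and its HSTS finding text) are constructed for illustration; BASELINE copies the Example Response values.

```python
"""Compare two Headers Audit responses and report hardening regressions."""


def diff_audits(baseline, current, max_score_drop=0):
    """Return a list of regression strings; an empty list means no regression.

    Both arguments are parsed response bodies shaped like the Example
    Response on this page (success, data.score, data.headers, data.findings).
    """
    for name, resp in (("baseline", baseline), ("current", current)):
        if not resp.get("success") or "data" not in resp:
            raise ValueError(f"{name} response is not a successful audit")
    old, new = baseline["data"], current["data"]
    if old.get("url") != new.get("url"):
        raise ValueError("responses are for different URLs")

    regressions = []
    if old.get("https") and not new.get("https"):
        regressions.append("https: true -> false")
    drop = old.get("score", 0) - new.get("score", 0)
    if drop > max_score_drop:
        regressions.append(f"score dropped {old['score']} -> {new['score']}")
    # A header has regressed if it was present before and is now reported
    # false or is missing from the response entirely.
    for header, present in sorted(old.get("headers", {}).items()):
        if present and not new.get("headers", {}).get(header, False):
            regressions.append(f"header lost: {header}")
    # Findings are free-text strings, so compare them as sets.
    added = set(new.get("findings", [])) - set(old.get("findings", []))
    regressions.extend(f"new finding: {f}" for f in sorted(added))
    return regressions


# Constructed sample data. AFTER_DEPLOY is a made-up later audit of the same
# URL in which HSTS has been dropped; its score and extra finding are invented.
BASELINE = {"success": True, "data": {
    "url": "https://example.com", "score": 72, "https": True,
    "headers": {"content_security_policy": True, "strict_transport_security": True,
                "x_frame_options": True, "referrer_policy": False},
    "findings": ["Referrer-Policy header missing",
                 "Server header leaks implementation details"]}}
AFTER_DEPLOY = {"success": True, "data": {
    "url": "https://example.com", "score": 61, "https": True,
    "headers": {"content_security_policy": True, "strict_transport_security": False,
                "x_frame_options": True, "referrer_policy": False},
    "findings": BASELINE["data"]["findings"] + ["Strict-Transport-Security header missing"]}}

if __name__ == "__main__":
    for line in diff_audits(BASELINE, AFTER_DEPLOY):
        print("REGRESSION:", line)
```

Store the baseline response per URL after a known-good deployment and fail the pipeline when the returned list is non-empty.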

Good Uses

For broader platform usage, see the main docs and the live catalog.

Discovery