x402 · base · quality 0.62

Audit HTTP security headers for any domain via a pay-per-call x402 endpoint.

Price: per_call
Protocol: x402
Verified: no

What it does

The Domain Headers endpoint (`/domain/headers`) is part of the Domain Intelligence API hosted at domain.hugen.tokyo. It performs a security header audit on a given domain, checking for the presence and configuration of HTTP security headers such as Content-Security-Policy, Strict-Transport-Security, and X-Frame-Options. The probe's sample response indicates it returns a count of headers present vs. total expected, an overall letter grade, and flags for information leakage such as exposed server version strings.

This is one of seven individual domain intelligence checks available through the API, alongside WHOIS, DNS, SSL, tech stack, subdomain discovery, and redirect tracing. A combined `/domain/full` endpoint runs all seven in parallel. Each endpoint is paid via the x402 protocol at $0.01 USDC per call on the Base network. Alternative access methods include an MCP gateway, API key with free trial credit, and a Python SDK (`x402-pay`).

The API is live and returns a 402 payment challenge as expected for x402 endpoints. An OpenAPI 3.1 spec is available, though response schemas for the paid endpoints are not fully defined (empty schema objects). The sample challenge response for `/domain/headers` shows fields like `headers_present`, `headers_total`, `grade`, and `information_leakage`, giving a reasonable picture of the output structure.

Capabilities

  • http-security-header-audit
  • security-grade-scoring
  • information-leakage-detection
  • x402-payment
  • per-call-pricing
  • base-usdc-settlement

Use cases

  • Auditing a website's HTTP security headers before deployment or during a security review
  • Automated monitoring of security header compliance across a portfolio of domains
  • Checking for information leakage via server version headers
  • Generating security grades for domain inventories in compliance workflows
  • Integrating header security checks into CI/CD pipelines via agent-driven calls

Fit

Best for

  • Quick, single-domain security header audits without tool setup
  • AI agents needing programmatic security header data via pay-per-call
  • Developers who want a simple GET request to assess header posture

Not for

  • Deep penetration testing or vulnerability scanning beyond headers
  • Bulk scanning thousands of domains at high throughput (per-call pricing adds up)
  • Offline or air-gapped environments that cannot reach external APIs

Quick start

# Install the SDK (shell)
pip install x402-pay

# Query the endpoint from Python with the x402-pay SDK
import x402_pay
r = x402_pay.get('https://domain.hugen.tokyo/domain/headers?domain=example.com')
print(r.json())

Example

Response

{
  "grade": "B",
  "headers_total": 10,
  "headers_present": 7,
  "information_leakage": {
    "server": "nginx/1.25.0"
  }
}

Endpoint

Transport: http
Protocol: x402
Pay to: 0x29322Ea7EcB34aA6164cb2ddeB9CE650902E4f60
Currency: USD COIN

Quality

0.62 / 1.00

The endpoint is live (402 challenge captured) with an OpenAPI spec and clear pricing ($0.01 USDC on Base). However, response schemas are empty in the spec, and the only response example comes from the x402 challenge sample rather than actual documentation. No dedicated docs page for this specific endpoint exists beyond the Swagger UI listing.

Warnings

  • Response schema is not defined in the OpenAPI spec (empty schema object)
  • The example response is inferred from the x402 challenge sample, not from official documentation
  • No dedicated pricing page found; price sourced solely from the 402 challenge notice

Provenance

Indexed from: x402_bazaar
Enriched: 2026-04-22 02:24:09Z · anthropic/claude-opus-4.6 · v2
First seen: 2026-04-21
Last seen: 2026-04-22
