Mozilla http scanner API


Overview

Mozilla's HTTP Observatory API scans websites and grades their HTTP security configuration, checking for headers like CSP, HSTS, X-Frame-Options, and more. It is completely free with no authentication required, making it an excellent tool for developers who want to audit and improve their site's security posture. The API powers the observatory.mozilla.org web interface.

Beginner Tip

Trigger a new scan with a POST request, then retrieve results with a GET request using the same hostname. Results are cached, so if you need a fresh scan, set the "rescan" flag to true in your POST body.

Available Data

Mozilla http scanner data via REST API
JSON-formatted response data
Freely accessible without authentication

Example Response

JSON Response
{
  "status": "success",
  "data": {
    "result": "Data from Mozilla http scanner",
    "description": "Mozilla observatory http scanner",
    "timestamp": "2025-01-15T10:00:00Z"
  }
}

Field Reference

grade: Letter grade for the site's HTTP security (A+ to F).
score: Numeric security score out of 100.
state: Current scan state: PENDING, RUNNING, FINISHED, or FAILED.
tests_passed: Number of individual security header tests that passed.
tests_failed: Number of security header tests that failed.

Implementation Example

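// Note: this URL points at the project's documentation on GitHub, not at the API endpoint.
// Check the official docs for the actual endpoint and substitute it here.
const url = "https://github.com/mozilla/http-observatory/blob/master/httpobs/docs/";
const response = await fetch(url);
if (!response.ok) throw new Error(`Request failed: ${response.status}`);
// A documentation page returns HTML, so check the content type before parsing as JSON.
const contentType = response.headers.get("content-type") ?? "";
if (!contentType.includes("application/json")) {
  throw new Error(`Expected JSON but got "${contentType}"`);
}
const data = await response.json();
console.log(data);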

Note: These code examples are AI-generated and unverified. Always refer to the official API documentation for accurate usage.

Common Errors & Troubleshooting

Scanner returns "pending" state
Cause: The scan has been queued but not yet completed; results take a few seconds to generate.
Fix: Poll the GET endpoint every 2-3 seconds until the state changes from "PENDING" or "RUNNING" to "FINISHED".

Score lower than expected
Cause: Missing or misconfigured HTTP security headers on the target site.
Fix: Review the "tests" object in the response; each failed test explains which header is missing and links to documentation.

Host not reachable error
Cause: The scanned domain is not publicly accessible or is blocking Mozilla's scanner IPs.
Fix: Ensure the site is live and accessible from the public internet before submitting a scan.
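
The polling workflow from the Beginner Tip and the "pending" troubleshooting entry above, as an added example that is not from this page's original content or from Mozilla's code: it polls until the scan leaves PENDING/RUNNING, stops on FAILED or an unrecognized state, and caps the number of attempts. The page does not give the API endpoint, so `getScan` is a hypothetical caller-supplied function that performs the GET and returns the parsed scan object; the sample responses are constructed and the `minScore` threshold is an assumed local policy.

```javascript
// Added example. `getScan(host)` is a hypothetical caller-supplied function that performs
// the GET and resolves to the parsed scan object; the endpoint is not given on the page.
const realSleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

// Map one scan object onto an action, using the states from the Field Reference.
function classify(scan) {
  if (!scan || typeof scan.state !== "string") return "invalid";
  if (scan.state === "FINISHED") return "done";
  if (scan.state === "FAILED") return "failed";
  if (scan.state === "PENDING" || scan.state === "RUNNING") return "wait";
  return "invalid"; // unrecognized state: stop instead of polling forever
}

// Poll every 2-3 seconds (2.5 s default) with a hard cap on attempts.
async function pollScan(getScan, host, opts = {}) {
  const { intervalMs = 2500, maxAttempts = 20, sleep = realSleep } = opts;
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    const scan = await getScan(host);
    const action = classify(scan);
    if (action === "done") return scan;
    if (action === "failed") throw new Error(`scan of ${host} FAILED`);
    if (action === "invalid") throw new Error(`unexpected response: ${JSON.stringify(scan)}`);
    if (attempt < maxAttempts) await sleep(intervalMs);
  }
  throw new Error(`scan of ${host} did not finish after ${maxAttempts} polls`);
}

// Turn a finished scan into a CI decision. minScore is an assumed local policy.
function gate(scan, minScore = 70) {
  const total = scan.tests_passed + scan.tests_failed;
  return {
    pass: scan.score >= minScore,
    summary: `grade ${scan.grade}, score ${scan.score}/100, ${scan.tests_failed}/${total} tests failed`,
  };
}

// Constructed responses (not real scanner output) standing in for successive GETs.
const SAMPLE = [
  { state: "PENDING" },
  { state: "RUNNING" },
  { state: "FINISHED", grade: "B", score: 75, tests_passed: 9, tests_failed: 3 },
];
function fakeTransport(responses) {
  let i = 0;
  return async () => responses[Math.min(i++, responses.length - 1)];
}

pollScan(fakeTransport(SAMPLE), "example.com", { sleep: async () => {} })
  .then((scan) => console.log(gate(scan)));
```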

Matrix Score Breakdown

🌐 Reachability 30/30
⚡ Speed 15/20
🔒 Security 15/15
🛠 Developer XP 15/20
✓ Reliability 7/15
Response Time 295ms

Fully tested on Apr 5, 2026

Technical Specifications

Auth No Auth
HTTPS REQUIRED
CORS UNKNOWN
Category Security
Difficulty Beginner
Verified: 2026-04-07
