API Documentation
All endpoints return JSON by default. Browsers receive an HTML view via content negotiation (Accept: text/html). No authentication required. Rate limited to 60 requests/hour per IP for scans.
GET /{domain}
Full scan — security headers, CSP, CORS, redirect chain, cache behavior. Returns HTML for browsers, JSON for everything else.
GET /{domain}/cors
CORS-focused scan — preflight simulation, origin reflection detection.
GET /{domain}/csp
CSP analysis — directive parsing, bypass detection, grading.
GET /{domain}/headers
Security headers only — HSTS, X-Frame-Options (XFO), X-Content-Type-Options (XCTO), Referrer-Policy, Permissions-Policy, COOP, COEP, CORP.
GET /{domain}/chain
Redirect chain — follow up to 20 hops, per-hop timing, loop/mixed-content detection.
GET /{domain}/cache
Cache behavior — Cache-Control parsing, TTL, Vary, CDN detection.
POST /cors
CORS simulation. Body: {"target":"…","origin":"…","method":"GET","headers":[],"credentials":false}
Try the interactive simulator →
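The checks behind a CORS simulation and origin-reflection scan, as an added Python example that is not the service's own code. It takes the fields of the POST /cors body (origin, method, headers, credentials) plus a captured response header set, decides whether a browser would expose the response, and probes for origin reflection by sending two unrelated Origin values. The probe origin names, the `fetch` callback signature and the fake reflecting server are constructed for this example.

```python
"""CORS outcome classifier and origin-reflection probe.

Added example, not the service's own code. Field names mirror the
POST /cors body ({"target","origin","method","headers","credentials"});
decision rules follow the browser CORS algorithm in simplified form.
"""
from __future__ import annotations
from typing import Callable

Headers = dict[str, str]

# Methods that never trigger a preflight on their own.
_SIMPLE_METHODS = {"GET", "HEAD", "POST"}
# CORS-safelisted request headers (Content-Type is only safelisted for a few
# values in practice; treated as safelisted here for simplicity).
_SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}


def needs_preflight(method: str, request_headers: list[str]) -> bool:
    """A preflight is sent for non-simple methods or non-safelisted headers."""
    return method.upper() not in _SIMPLE_METHODS or any(
        h.lower() not in _SAFELISTED_HEADERS for h in request_headers)


def _csv_set(value: str, lower: bool) -> set[str]:
    items = [v.strip() for v in value.split(",") if v.strip()]
    return {v.lower() if lower else v.upper() for v in items}


def classify_cors(origin: str, method: str, request_headers: list[str],
                  credentials: bool, response: Headers) -> dict:
    """Decide whether a browser would expose `response` to a page at `origin`."""
    h = {k.lower(): v.strip() for k, v in response.items()}
    acao = h.get("access-control-allow-origin")
    acac = h.get("access-control-allow-credentials", "").lower() == "true"
    verdict: dict = {"allowed": False, "reason": "", "warnings": []}

    if acao is None:
        verdict["reason"] = "no Access-Control-Allow-Origin header"
        return verdict
    if acao == "*":
        if credentials:  # browsers reject '*' for credentialed requests
            verdict["reason"] = "wildcard origin is rejected for credentialed requests"
            return verdict
    elif acao != origin:
        verdict["reason"] = f"Access-Control-Allow-Origin {acao!r} does not match origin"
        return verdict
    if credentials and not acac:
        verdict["reason"] = "credentialed request but Allow-Credentials is not 'true'"
        return verdict

    if needs_preflight(method, request_headers):
        allowed_methods = _csv_set(h.get("access-control-allow-methods", ""), lower=False)
        allowed_headers = _csv_set(h.get("access-control-allow-headers", ""), lower=True)
        if method.upper() not in _SIMPLE_METHODS and method.upper() not in allowed_methods:
            verdict["reason"] = f"preflight would reject method {method.upper()}"
            return verdict
        missing = [x for x in request_headers
                   if x.lower() not in _SAFELISTED_HEADERS and x.lower() not in allowed_headers]
        # '*' in Allow-Headers covers any header, but only for non-credentialed requests.
        if missing and not ("*" in allowed_headers and not credentials):
            verdict["reason"] = f"preflight would reject headers {missing}"
            return verdict

    verdict["allowed"] = True
    verdict["reason"] = "browser would expose the response"
    if acao == "null":
        verdict["warnings"].append("'null' origin allowed: sandboxed iframes and file: pages qualify")
    return verdict


def detect_origin_reflection(fetch: Callable[[str, str], Headers], target: str,
                             probes: tuple[str, ...] = ("https://probe-a.example",
                                                        "https://probe-b.example")) -> dict:
    """Request `target` with two unrelated Origins via fetch(target, origin) -> headers.

    If every probe is echoed back verbatim the server reflects arbitrary origins;
    combined with Allow-Credentials: true that exposes authenticated responses.
    """
    echoed, with_credentials = [], False
    for origin in probes:
        h = {k.lower(): v.strip() for k, v in fetch(target, origin).items()}
        if h.get("access-control-allow-origin") == origin:
            echoed.append(origin)
            with_credentials |= h.get("access-control-allow-credentials", "").lower() == "true"
    reflects = len(echoed) == len(probes)
    risk = "high" if reflects and with_credentials else "medium" if reflects else "none"
    return {"reflects_origin": reflects, "with_credentials": reflects and with_credentials, "risk": risk}


def reflecting_server(target: str, origin: str) -> Headers:
    """Constructed stand-in for a misconfigured origin that echoes any Origin."""
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true",
            "Access-Control-Allow-Methods": "GET, POST"}


def strict_server(target: str, origin: str) -> Headers:
    """Constructed stand-in for an origin with a fixed allow-list."""
    return {"Access-Control-Allow-Origin": "https://app.example"}


if __name__ == "__main__":
    print(detect_origin_reflection(reflecting_server, "https://api.example"))
    print(classify_cors("https://app.example", "GET", [], False,
                        {"Access-Control-Allow-Origin": "*"}))
```

The reflection probe needs two probes rather than one because a single echoed origin could simply be on the server's allow-list; only echoing both unrelated values shows the header is derived from the request.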
POST /error
CORS error decoder. Body: {"error":"paste browser console error here"}
POST /csp/evaluate
Evaluate a CSP string. Body: {"policy":"default-src 'self'; script-src …"}
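A minimal version of the directive parsing and grading that the /csp endpoints describe, as an added Python example that is not the service's own code. It accepts the same policy string the POST /csp/evaluate body carries, resolves fetch directives against default-src the way a browser does, and reports the weaknesses a grader would flag. Which findings are checked and how their count maps to a letter grade are this example's own assumptions.

```python
"""Minimal CSP evaluator, in the spirit of POST /csp/evaluate.

Added example, not the service's own code. Input is the policy string
from the endpoint body ({"policy": "..."}); output is the parsed
directives, a list of findings and a letter grade.
"""
from __future__ import annotations

# Source expressions that neutralise 'unsafe-inline' in CSP3-aware browsers.
_NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a CSP header value into {directive: [source expressions]}.

    Directives are ';'-separated, tokens are whitespace-separated, and the
    first token is the directive name. A repeated directive is ignored after
    its first occurrence, matching browser behaviour.
    """
    directives: dict[str, list[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.strip().split()
        if not tokens:
            continue
        directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def effective_sources(directives: dict[str, list[str]], name: str) -> list[str]:
    """Resolve a fetch directive, falling back to default-src when it is absent."""
    return directives.get(name, directives.get("default-src", []))


def evaluate_csp(policy: str) -> dict:
    """Return {"directives": ..., "findings": [...], "grade": "A" | "B" | "C" | "F"}."""
    d = parse_csp(policy)
    findings: list[str] = []

    script = effective_sources(d, "script-src")
    objects = effective_sources(d, "object-src")

    if "default-src" not in d and "script-src" not in d:
        findings.append("no default-src or script-src: script loading is unrestricted")
    if "'unsafe-inline'" in script and not any(s.startswith(_NONCE_OR_HASH) for s in script):
        findings.append("script-src allows 'unsafe-inline' with no nonce or hash")
    if "'unsafe-eval'" in script:
        findings.append("script-src allows 'unsafe-eval'")
    for src in script:
        if src == "*" or src.lower() in ("http:", "https:", "data:"):
            findings.append(f"script-src allows overly broad source {src}")
    if "'none'" not in objects:
        findings.append("object-src is not 'none': plugin content can be embedded")
    if "base-uri" not in d:
        findings.append("base-uri missing: an injected <base> tag can redirect relative script URLs")

    # Grade thresholds are an assumption of this example, not the service's scale.
    grade = {0: "A", 1: "B", 2: "C"}.get(len(findings), "F")
    return {"directives": d, "findings": findings, "grade": grade}


if __name__ == "__main__":
    # Constructed sample policy, not captured from any real site.
    sample = "default-src 'self'; script-src 'self' 'unsafe-inline' cdn.example; object-src 'none'"
    result = evaluate_csp(sample)
    print(result["grade"], *result["findings"], sep="\n")
```

Note the fallback rule: a policy of only `default-src 'self'` still constrains scripts, while `script-src 'nonce-…' 'unsafe-inline'` is not penalised for the inline keyword because nonce-aware browsers ignore it once a nonce or hash is present.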
Response format
All domain scan responses include _meta.links pointing to yoke.lol (full report), certs.lol (TLS), and ns.lol (DNS) for deeper analysis.