API Marketplace

Validate and decode Indian GSTINs (the 15-character Goods & Services Tax Identification Number) instantly and entirely offline. The validate endpoint checks the structure and recomputes the official GSTIN check digit — the base-36 weighted algorithm the GSTN itself uses — and confirms the embedded state code is real, returning a clear valid/invalid verdict with the specific reasons a number fails. The decode endpoint breaks a GSTIN into its parts: the GST state/UT code and its name, the embedded 10-character PAN, the PAN holder type (company, individual/proprietor, firm/LLP, HUF, trust, government and more, read from the PAN's 4th letter), the entity registration number, the default 'Z' slot and the check digit. A states endpoint returns the full GST state-code reference for building dropdowns and lookups. Everything is pure computation — no network call, no key, no cache — so it is fast and private, ideal for checkout and onboarding forms, invoicing and e-invoice/e-way-bill pipelines, vendor master data cleansing and bulk validation. A structural GSTIN validator and decoder — distinct from EU VAT-number validation (vat), IBAN bank-account validation (iban) and card-number checks (creditcard). Note: this verifies the number's structure and check digit, not whether it is actively registered in the GSTN portal. No upstream key, no cache.

Tempo di attività

100.0%

Latenza

92ms

Abbonati

3,943

Fetch and evaluate any publisher's ads.txt / app-ads.txt — the IAB authorized-digital-sellers standard. Pass a domain and the check endpoint fetches its ads.txt server-side, then returns every seller record parsed into its fields — advertising system, the publisher's seller/account id, the DIRECT or RESELLER relationship and the optional certification-authority id (TAG-ID) — alongside counts (direct, reseller, distinct ad systems) and the declared variables OWNERDOMAIN, MANAGERDOMAIN, CONTACT and SUBDOMAINS. The verify endpoint answers the one question programmatic-advertising integrations actually ask: is this advertising system, with this publisher id, authorized to sell this domain's inventory? — returning an authorized boolean and the matching records. A missing file is reported as found:false (not an error), and soft-404 HTML pages are detected and rejected so you never parse a "page not found" as records. The request is made server-side and private or internal targets are refused (SSRF-guarded). Built for ad-tech supply-chain verification, SSP/DSP onboarding checks, anti-fraud and inventory audits. An ads.txt seller-authorization checker — distinct from the security-contact file reader (securitytxt), the robots.txt crawlability evaluator (robots) and the sitemap parser (sitemap). No upstream key, no cache.

Tempo di attività

100.0%

Latenza

159ms

Abbonati

4,867

Fetch and parse an XML sitemap (the sitemaps.org protocol). Pass a sitemap URL and the parse endpoint fetches it — following redirects and transparently gunzipping .gz sitemaps — and returns its type: a urlset with every URL and its lastmod, changefreq and priority, or a sitemapindex listing the child sitemaps, with offset/limit paging for large files. The urls endpoint goes further: when the sitemap is an index it fetches the child sitemaps too and flattens every page URL into a single list, with a configurable cap on URLs and child sitemaps and a truncated flag so you stay in control. The request is made server-side and private or internal targets are refused (SSRF-guarded). Built for SEO audits, building crawl queues and content inventories, change monitoring and migration checks. A sitemap fetcher and parser — distinct from generic XML-to-JSON conversion (xml), the robots.txt evaluator (robots) and the on-page SEO audit (seo). No upstream key, no cache.

Tempo di attività

100.0%

Latenza

1621ms

Abbonati

3,297

Fetch and evaluate any website's robots.txt. Pass a URL and a user-agent and the check endpoint tells you whether that URL is crawlable — selecting the most-specific user-agent group and applying the RFC 9309 longest-match Allow/Disallow rules (with * and $ wildcards, where Allow wins ties), and returning the matched rule, the group's crawl-delay and the sitemaps the site declares. The parse endpoint returns the whole file structured into per-user-agent groups (their allow and disallow lists and crawl-delay) plus the list of sitemaps. A missing robots.txt (404/403) means everything is allowed, exactly as the spec requires. The request is made server-side and private or internal targets are refused (SSRF-guarded). Built for SEO audits, crawler and scraper compliance, sitemap discovery and pre-flight "am I allowed to fetch this?" checks. A robots.txt evaluator — distinct from the on-page SEO audit (seo), the XML toolkit (xml) and link unfurling/preview (url). No upstream key, no cache.

Tempo di attività

100.0%

Latenza

115ms

Abbonati

4,091

Count and split text the way people actually read it, using Unicode-correct segmentation. The count endpoint returns the number of grapheme clusters — the real, user-perceived characters, so a family emoji counts as 1 (not 7) and an accented letter as 1 — alongside words, sentences, code points, UTF-16 code units (the naive string length that over-counts) and UTF-8 byte length. This is exactly what character-limit fields, tweet/SMS counters and validation need so the count agrees with what the user sees. The segment endpoint splits text into grapheme, word or sentence segments (word segments are flagged word-like versus punctuation and spaces) and is locale-aware, so Japanese, Chinese and Thai word boundaries come out right. Everything is computed locally with no network calls. A Unicode text segmenter — distinct from the Unicode codepoint database (unicode), the case/text-utilities toolkit (text) and string similarity (similarity). No upstream key, no cache.

Tempo di attività

100.0%

Latenza

86ms

Abbonati

3,876

Get the localized display name of a code in any language — countries and regions, languages, currencies, scripts and calendars. Pass a code, a type and a locale and the name endpoint returns the right name: US as region in fr gives "États-Unis", de as language in fr gives "allemand", EUR as currency gives "Euro", and the same code reads correctly in German, Japanese, Arabic or any other locale. The list endpoint returns every code of a type localized and sorted in that locale's collation — ideal for building a country, language or currency dropdown in any language. Powered by the platform's full ICU data (Intl.DisplayNames) and computed locally with no network calls. Built for internationalised forms and pickers, multilingual UIs, localized reports and onboarding. A localized-names resolver — distinct from country reference data in English (countries), number and currency formatting (numberformat) and locale date formatting (datelocale). No upstream key, no cache.

Tempo di attività

100.0%

Latenza

105ms

Abbonati

4,616

Humanise timestamps and format dates for any locale and timezone using full ICU. The relative endpoint turns an instant into a localised relative phrase against now (or a given reference time) — "3 hours ago", "vor 3 Stunden", "in 2 days", "il y a 5 minutes" — automatically choosing the best unit from seconds to years. The format endpoint renders a localised date/time string (e.g. "mardi 2 juin 2026 à 15:30" or "2026年6月2日 22:30:00"), honouring the locale (BCP 47), a named IANA timezone, the chosen date and time styles (full/long/medium/short) and 12/24-hour preference, and returns a parts breakdown for custom displays. Pass dates as ISO 8601 or unix timestamps. Everything is computed locally with no network calls. Ideal for internationalised UIs, activity feeds, notifications, comments and dashboards. A relative-time and locale date formatter — distinct from current-time-in-a-timezone (time), the UTC parse/token toolkit (datetime) and number/currency formatting (numberformat). No upstream key, no cache.

Tempo di attività

100.0%

Latenza

80ms

Abbonati

3,530

Format numbers for any locale using full ICU data — the correct way to display money, percentages and measurements per region. Pass a value and a style and the format endpoint returns the locale-correct string: decimal, currency (any ISO 4217 code, with the right symbol and grouping — e.g. 1.234.567,89 € in de-DE, $1,234,567.89 in en-US, ￥1,234,567 in ja-JP, and the Indian lakh grouping 12,34,567.89 in hi-IN), percent, or unit (e.g. 80 km/h). Control the locale (BCP 47), minimum/maximum fraction digits, grouping, sign display and notation (standard, scientific, engineering or compact like 1.2M). A parts endpoint returns the formatToParts breakdown (integer, group, decimal, fraction, currency symbol…) for building custom-styled displays. Everything is computed locally with no network calls. Ideal for internationalised UIs, invoices and receipts, dashboards and reports. A locale number/currency formatter — distinct from foreign-exchange rates (currency), number-to-words (numberwords) and the numeral-base converter (baseconvert). No upstream key, no cache.

Tempo di attività

100.0%

Latenza

82ms

Abbonati

4,304

Convert integers between any numeral systems with exact big-integer math. Pass a number and a from/to base (radix 2 to 36, arbitrarily large, signed) and the convert endpoint returns the result and the decimal value; common 0x, 0b and 0o prefixes are accepted when they match the base, and whitespace or underscores in the input are ignored. The bases endpoint shows a single number across binary, octal, decimal, hexadecimal, base32 and base36 at once, together with its bit length, byte length and sign. Everything is computed locally with BigInt, so values of any size are exact and deterministic. Ideal for low-level and embedded debugging, networking and bit-twiddling work, teaching number systems, and anywhere you juggle hex, binary and decimal. A numeral-base converter — distinct from the text-encoding toolkit (encoding: base64/base32/hex of bytes), the Elixir/Erlang Hex package registry (hex) and number-to-words (numberwords). No upstream key, no cache.

Tempo di attività

100.0%

Latenza

78ms

Abbonati

4,231

Transforme um endereço de e-mail em seu avatar Gravatar e perfil público. Passe um e-mail e o serviço o normaliza, calcula os hashes MD5 e SHA-256 que o Gravatar usa, constrói uma URL de avatar pronta para uso, verifica se um Gravatar personalizado realmente existe e busca o perfil público quando presente — nome de exibição, nome de usuário, URL do perfil, localização, texto sobre, contas vinculadas e fotos. Um endpoint de avatar dedicado constrói apenas a URL da imagem com opções completas: tamanho (1-2048), uma imagem padrão (identicon, monsterid, robohash, retro, mp, blank, 404 ou sua própria URL), classificação e força-padrão. Ideal para enriquecimento de perfil de usuário, sistemas de comentários, cartões de contato, páginas de equipe e integração — mostrando um avatar real a partir de apenas um e-mail. Uma consulta Gravatar — distinta da geração determinística de avatar/identicon (avatar), que renderiza uma nova imagem a partir de uma semente em vez de buscar o avatar que uma pessoa realmente escolheu. Sem chave upstream, sem cache.

Tempo di attività

100.0%

Latenza

406ms

Abbonati

4,061

Infer a schema or types from a sample JSON document — the fastest way to get a contract out of an example API response. Pass a JSON sample and the schema endpoint returns a JSON Schema (Draft 2020-12) with detected types, required keys, array item schemas merged across elements, and recognised string formats (email, uri, uuid, date-time, date, ipv4); the typescript endpoint returns ready-to-paste TypeScript interfaces with named nested interfaces, typed arrays, unions for mixed-shape array elements and structural de-duplication. Supply the sample inline via ?json=, as a query parameter, or as a request body. Everything is computed locally with no network calls, so it is fast and deterministic. Built for scaffolding types from real API responses, generating validation schemas, documentation, contract testing and code generation. A JSON type/schema inferer — distinct from JSON-Schema validation (jsonschema), JSON pretty-printing and conversion (json), and JSON diff/patch (jsondiff). No upstream key, no cache.

Tempo di attività

100.0%

Latenza

73ms

Abbonati

3,988

Decode and build snowflake IDs — the 64-bit, time-sortable identifiers used by Twitter/X, Discord, Instagram and many distributed systems. Pass an ID and a platform and the service extracts the embedded creation timestamp (turn any Discord, Twitter/X or Instagram ID into the exact moment it was created) along with the machine and sequence components for that platform's epoch and bit layout. Supported platforms: twitter (X), discord, instagram, sony, and custom (supply your own epoch). The encode endpoint does the reverse: build the lower-bound snowflake for a given timestamp, so you can query "all IDs created at or after this moment" — the standard trick for time-based pagination on snowflake APIs. Everything is computed locally with exact 64-bit BigInt math and no network calls. Ideal for analytics, data forensics, API pagination and debugging distributed-ID systems. A snowflake-ID toolkit — distinct from UUID/ULID generation (uuid) and date/time math (datetime). No upstream key, no cache.

Tempo di attività

100.0%

Latenza

79ms

Abbonati

4,287

检查域的SMTP传输安全状态 — 邮件服务器是否需要通过经过身份验证的TLS传递入站邮件，以防止降级和中间人攻击。传入一个域，服务将从mta-sts.<domain>/.well-known/mta-sts.txt获取MTA-STS策略文件（其版本、模式、允许的MX主机和max_age）、_mta-sts DNS TXT记录（其策略ID）以及_smtp._tls TLS-RPT记录（rua报告地址），然后报告MTA-STS是否实际执行以及问题的优先级列表 — 无策略文件、无DNS记录、仅“测试”模式或缺少TLS-RPT记录。第二个端点仅返回解析后的策略文件。请求在服务器端进行，私有/内部目标被拒绝（SSRF防护）。专为电子邮件可送达性和防降级攻击审计、供应商和第三方评估以及合规性而构建。MTA-STS / TLS-RPT检查器 — SMTP传输安全对应电子邮件身份验证分析器（emailsec，涵盖SPF、DKIM和DMARC），与原始DNS查找（dns）不同。无上游密钥，无缓存。

Tempo di attività

100.0%

Latenza

131ms

Abbonati

4,404

Check DNS propagation by querying a record across several major public resolvers at once — Google (8.8.8.8), Cloudflare (1.1.1.1), AdGuard and dns.sb — and seeing whether they all return the same answer. Pass a domain and a record type and the service queries every resolver in parallel and reports each resolver's answers, whether they are consistent (the change has fully propagated) or still differ (mid-propagation, stale caching or split-horizon DNS), the number of distinct answer sets and the union of all answers. Supported record types: A, AAAA, CNAME, MX, TXT, NS, SOA, SRV, CAA and PTR. A single-resolver endpoint queries one named resolver on its own, and a failing resolver is reported per-resolver without failing the whole call. Live DoH (DNS-over-HTTPS) JSON queries, always current. Built for verifying DNS changes after a migration or launch, debugging split-horizon or stale-cache issues, and uptime/propagation monitoring. A DNS propagation checker — distinct from single-resolver record lookup (dns), the email-authentication analyzer (emailsec) and WHOIS (whois). No upstream key, no cache.

Tempo di attività

100.0%

Latenza

113ms

Abbonati

4,515

Valida la configuración de enlaces profundos móviles de un dominio: los archivos well-known que hacen que los Universal Links de iOS y los App Links de Android abran tu aplicación nativa en lugar de una pestaña del navegador. Proporciona un dominio y el servicio obtiene y valida tanto la Apple App Site Association (apple-app-site-association — los IDs de app de applinks, componentes de ruta y webcredentials) como los Android Digital Asset Links (assetlinks.json — la relación de cada declaración, nombre del paquete y huellas digitales del certificado SHA-256), verificando la ruta /.well-known/ con una fallback raíz heredada, e informa la validez por plataforma con problemas concretos: applinks faltantes, un tipo de contenido no JSON, huellas digitales de certificado faltantes o estructura malformada. Los endpoints de plataforma única verifican iOS o Android por separado. La solicitud se realiza del lado del servidor y los objetivos privados/internos son rechazados (protegido contra SSRF). Construido para la incorporación de aplicaciones móviles, depuración de enlaces universales/de aplicaciones, listas de verificación previas al lanzamiento y monitoreo continuo. Un validador de configuración de enlaces profundos — distinto de la búsqueda DNS (dns), el analizador security.txt (securitytxt) y la verificación de certificados SSL/TLS (sslcheck). Sin clave upstream, sin caché.

Tempo di attività

100.0%

Latenza

337ms

Abbonati

4,882

Inspecciona cualquier proveedor OpenID Connect / OAuth 2.0. Proporciona un emisor (un dominio, una URL de emisor o la URL de descubrimiento completa) y el servicio obtiene el documento de descubrimiento del proveedor en /.well-known/openid-configuration, analiza cada endpoint — autorización, token, userinfo, jwks, registro, cierre de sesión, introspección, revocación y autorización de dispositivo — junto con los alcances admitidos, tipos de respuesta, tipos de concesión, algoritmos de firma de token ID, métodos PKCE y claims, luego obtiene el JWKS y resume sus claves de firma (recuento, algoritmos, tipos de clave e IDs de clave), e informa una verificación de validez con cualquier problema. Un segundo endpoint obtiene y resume cualquier conjunto de claves web JSON por sí mismo. La solicitud se realiza del lado del servidor y se rechazan los destinos privados/internos (protegido contra SSRF). Construido para integración SSO y OAuth/OIDC, depuración de configuración de proveedores de identidad (Auth0, Okta, Keycloak, Azure AD, Google), revisión de seguridad y monitoreo de rotación de claves de firma. Un inspector de descubrimiento OIDC / JWKS — distinto del kit de herramientas JWT (jwt), el analizador security.txt (securitytxt) y el calificador de encabezados de seguridad HTTP (secheaders). Sin clave upstream, sin caché.

Tempo di attività

100.0%

Latenza

117ms

Abbonati

3,822

Compare and patch JSON documents to RFC standards. Pass two documents and the service returns whether they are equal, an RFC 6902 JSON Patch (the precise add/remove/replace operations that turn the first into the second, using RFC 6901 JSON-Pointer paths), a change summary, and an RFC 7386 JSON Merge Patch. The patch endpoint goes the other way: apply an RFC 6902 patch (add, remove, replace, move, copy and test operations) or an RFC 7386 merge patch to a document and get the result. Documents can be sent inline or as a JSON body. Everything is computed locally with no network calls, so it is fast and deterministic. Built for configuration and state management, API change detection, audit trails and change logs, optimistic-concurrency checks and data-sync pipelines. A JSON diff/patch engine — distinct from text diffing (textdiff), JSONPath querying (jsonpath), JSON validation and pretty-printing (json) and JSON-Schema validation (jsonschema). No upstream key, no cache.

Tempo di attività

100.0%

Latenza

92ms

Abbonati

4,983

Construye un evento iCalendar (.ics) válido según RFC 5545 a partir de parámetros simples — y obtén enlaces listos para usar "añadir al calendario" para Google, Outlook, Office 365 y Yahoo. Proporciona un título, inicio y fin (ISO 8601 o timestamps Unix, en UTC) — o una duración en minutos, o un indicador de todo el día — más ubicación opcional, descripción, URL, organizador, una recurrencia RRULE (ej. FREQ=WEEKLY) y un recordatorio (un VALARM N minutos antes). El servicio devuelve el texto .ics completamente formado con escape correcto y plegado de líneas de 75 octetos, un URI data: base64 que puedes colocar directamente en un enlace de descarga, y los cuatro enlaces profundos de calendario. Un segundo endpoint analiza texto .ics sin procesar de vuelta a eventos JSON estructurados. Todo se calcula localmente sin llamadas de red, por lo que es rápido y determinista. Construido para flujos de reserva y programación, páginas de eventos, botones de "añadir al calendario" en correos electrónicos, recordatorios y automatizaciones sin código. Un constructor de eventos de calendario — distinto de matemáticas de fecha/hora (datetime), datos de días festivos (holidays) y el calendario judío (hebcal). Sin clave upstream, sin caché.

Tempo di attività

100.0%

Latenza

82ms

Abbonati

3,836

Genera hashes de Subresource Integrity (SRI) para cualquier activo web, de modo que los navegadores puedan verificar que un script u hoja de estilo alojado en una CDN no ha sido manipulado. Pasa una URL y el servicio obtiene el activo y devuelve sus hashes SRI sha256, sha384 y sha512, el valor de integridad elegido (sha384 por defecto, o pasa tu algoritmo preferido), el tamaño y tipo de contenido del activo, y una etiqueta <script> o <link> lista para pegar con los atributos integrity y crossorigin. Un endpoint de verificación vuelve a obtener el activo y te dice si aún coincide con una cadena de integridad conocida, detectando cambios silenciosos en la CDN o manipulación en la cadena de suministro antes de que tus usuarios los encuentren. La solicitud se realiza del lado del servidor; los destinos privados e internos son rechazados (protegido contra SSRF). Construido para asegurar scripts de terceros, endurecer la cadena de suministro, pipelines de compilación y cumplimiento de CSP/SRI. Un generador y verificador de Subresource Integrity — distinto del hash criptográfico en bruto de datos de entrada (hash), el calificador de encabezados de seguridad HTTP (secheaders) y la verificación de certificados SSL/TLS (sslcheck). Sin clave upstream, sin caché.

Tempo di attività

100.0%

Latenza

102ms

Abbonati

4,297

Prioritise CVEs by real-world exploitation risk — not just severity. Combines the FIRST.org EPSS score (the probability, 0 to 1, that a CVE will be exploited in the next 30 days, with its percentile rank) and the CISA KEV catalog (vulnerabilities confirmed to be actively exploited in the wild — with the vendor, product, date added, remediation due date and whether the flaw is used in ransomware campaigns), and derives a single priority level for each CVE. Look up to 25 CVEs in one call, browse the full CISA Known Exploited Vulnerabilities catalog filtered by vendor, product or ransomware use, or list the CVEs with the highest current EPSS scores. Built for vulnerability management, patch prioritisation, risk scoring and security dashboards — answering not "how bad could this be?" but "how likely is it to actually be exploited?". A vulnerability-prioritisation layer — distinct from raw CVE details and CVSS severity (cve), password-breach checks (pwned) and the HTTP security-header grader (secheaders). Data live from FIRST.org and CISA. No upstream key, no cache.

Tempo di attività

100.0%

Latenza

126ms

Abbonati

4,379

Punktuota, cik viegli ir lasīt teksta daļu, izmantojot standarta, recenzētās lasāmības formulas — Flesch Reading Ease, Flesch-Kincaid Grade, Gunning Fog, SMOG, Coleman-Liau un Automated Readability Index. Ievadiet tekstu un saņemiet visus sešus rādītājus kopā ar pamata skaitījumiem (vārdi, teikumi, zilbes, sarežģīti un daudzzilbju vārdi, burti un rakstzīmes), vidējo klases līmeni, aptuveno lasīšanas laiku un vienkāršā angļu valodā sniegtu lasāmības interpretāciju. Otrs galapunkts skaita zilbes vārdam vai katram vārdam frāzē. Ievadiet tekstu inline ar ?text=, kā vaicājuma parametru vai pieprasījuma pamattekstā; viss tiek aprēķināts lokāli bez tīkla izsaukumiem, tāpēc tas ir ātrs un determinēts. Izveidots satura un kopēšanas rīkiem, SEO un redakcijas darbplūsmām, izglītībai un pieejamības (vienkāršās valodas) pārbaudēm, kā arī UX rakstīšanas pārskatīšanai. Lasāmības vērtētājs — atšķirīgs no sentimenta/NLP analīzes (nlp), pareizrakstības un gramatikas pārbaudes (grammar), reģistra un teksta utilītprogrammām (text) un virkņu līdzības (similarity). Nav nepieciešama augšupējā atslēga, nav kešatmiņas.

Tempo di attività

100.0%

Latenza

81ms

Abbonati

3,085

Valida e resume uma definição de API OpenAPI / Swagger. Forneça a especificação inline (?spec=), como corpo da requisição, ou buscada de uma URL (?url=, protegida contra SSRF) — em JSON ou YAML. O validador detecta a versão (Swagger 2.0, OpenAPI 3.0.x ou 3.1.x), verifica a estrutura necessária (info.title e info.version, a presença de paths/components, e as responses de cada operação), e faz lint para problemas comuns — operationIds duplicados ou ausentes, operações sem summary ou description, tags usadas mas não declaradas, e paths malformados — retornando um flag válido, contagens de paths, operações, schemas, tags e servidores, e listas separadas de erros e avisos. Um endpoint de resumo inventaria toda a API: cada endpoint com seu método, path, operationId, summary e tags, além dos servidores, tags e schemas de componentes declarados. Construído para gates de CI em contratos de API, ingestão de catálogo de APIs, pipelines de documentação e revisão de design. Um validador e linter de definição OpenAPI — distinto do validador JSON-Schema (jsonschema), dos conversores JSON/YAML/XML e das ferramentas HTML/SEO na página. Sem chave upstream, sem cache.

Tempo di attività

100.0%

Latenza

81ms

Abbonati

3,562

Inspect any domain's email-authentication posture — its protection against spoofing and phishing — via live DNS. Pass a domain and the service looks up and validates SPF (the v=spf1 record, its all-qualifier and the 10-lookup limit), DMARC (the _dmarc policy p=none/quarantine/reject, plus sp, pct and rua/ruf reporting addresses), DKIM (probing the common selectors at selector._domainkey, or pass your own), BIMI and the MX servers — then returns an A+-to-F grade with a prioritised list of issues and concrete advice. A second endpoint parses the DMARC record tag by tag with a plain-English interpretation of the policy. Built for email-deliverability and anti-spoofing audits, vendor and third-party risk assessment, security onboarding and continuous monitoring. An email-authentication analyzer — distinct from mailbox/address validation (email), raw DNS record lookup (dns) and the HTTP security-header grader (secheaders). Pure live DNS, no upstream key, no cache.

Tempo di attività

100.0%

Latenza

93ms

Abbonati

4,971

Recupera e analizza il file security.txt RFC 9116 di qualsiasi dominio — il file leggibile dalla macchina situato in /.well-known/security.txt che indica ai ricercatori di sicurezza come segnalare le vulnerabilità. Fornisci un dominio e il servizio localizza il file (il percorso canonico .well-known con un fallback legacy alla radice), analizza ogni campo — Contact, Expires, Encryption, Acknowledgments, Preferred-Languages, Canonical, Policy, Hiring e CSAF — e segnala se è valido (ha almeno un Contact e un singolo Expires non scaduto), se è firmato PGP, se è scaduto (con il numero di giorni rimanenti) e un elenco di problemi con consigli concreti. Un endpoint complementare restituisce il file grezzo. La richiesta è eseguita lato server; i target privati e interni vengono rifiutati (protetto da SSRF). Progettato per audit di sicurezza, valutazione del rischio di fornitori e terze parti, revisioni della superficie d'attacco e controlli di conformità delle politiche di divulgazione delle vulnerabilità. Un parser e validatore di security.txt — distinto dal grader delle intestazioni di sicurezza HTTP (secheaders), dal controllo del certificato SSL/TLS (sslcheck) e dalla raggiungibilità dell'host (hostcheck). Nessuna chiave upstream, nessuna cache.

Tempo di attività

100.0%

Latenza

130ms

Abbonati

3,518