#security

40 APIs with this tag

Shentu API

Live on-chain data for Shentu (chain id shentu-2.2) — the security-focused Cosmos-SDK Layer-1 of the CertiK ecosystem, whose native token is CTK — served directly from public LCD/REST nodes with multi-node failover. The status endpoint returns the latest block height and time, chain id, the staking bond denom and the current minting inflation rate. The validators endpoint lists the active bonded validator set ranked by stake, each with its moniker, operator address, self-plus-delegated CTK, commission rate and jailed flag. The supply endpoint returns the total CTK supply, the amount bonded in staking and the resulting bonded ratio. The governance endpoint returns the most recent on-chain proposals with their id, title, status and voting window. Token amounts are converted from base micro-CTK (6 decimals) into whole CTK, and every figure is read live from the chain — nothing bundled or modelled — behind a short server-side cache with keep-warm so the feed stays fast and fresh. Ideal for staking dashboards, validator and delegator tooling, explorers, governance trackers and portfolio or analytics apps across the Cosmos and security-infrastructure ecosystem. Live keyless upstream. 5 endpoints.

api.oanor.com/shentu-api

Solana Program API

Inspect live deployed Solana programs via public Solana RPC, with no API key, and answer the question that matters most for security: can this program still be changed, and by whom? For each program address it resolves the loader used, whether it is executable, the on-chain ProgramData account, the upgrade authority (or that it has been made immutable / frozen) and the slot of the last deployment. A batch endpoint checks up to twelve programs at once (perfect for checking the upgrade authority of every program a protocol depends on before you trust it), and a loaders endpoint documents Solana's program loaders. Distinct from balance, token and transaction APIs: this is the program and upgrade-authority layer that auditors, wallets and security tools rely on to judge whether a Solana program is safe. Live from the chain; short cache only.

api.oanor.com/solanaprogram-api

Crypto Phishing Check API

Determine whether a domain is a known crypto phishing or scam site before a wallet or user connects, using MetaMask's canonical eth-phishing-detect blocklist, the same list that protects millions of MetaMask users, keyless and live. It runs the real detection logic: an exact and subdomain match against the blocklist and allowlist, plus a Levenshtein fuzzy match against high-value lookalike targets to catch typosquats such as "myetherwaliet.com" or "app-wallet-uniswap.org". Check a domain or URL for a verdict (blocked, allowed, fuzzy or unknown) with the reason, search the 190,000-entry blocklist, or read its statistics. The dApp connection-safety layer that every wallet, browser extension, Telegram bot and security tool needs to warn users before they sign. Live, lightly cached.

api.oanor.com/phishingcheck-api

Storage Slot API

Read the raw EVM storage of any smart contract live via the chain's public JSON-RPC, decode each 32-byte word as an address, uint or bool, and resolve proxy implementation pointers across all common proxy standards: EIP-1967, EIP-1822/UUPS and the legacy OpenZeppelin/zeppelinos slots, as well as beacon proxies. This lets you find out what a proxy actually points to, who its admin is, or what a contract stores, even for unverified contracts where source code and ABI are unavailable. Give it a chain and an address: read a slot, scan the first N slots to get a look at the state layout, or automatically resolve the proxy implementation. The on-chain state-inspection layer for auditors, upgrade monitors and security tools, across Ethereum, Base, Arbitrum, Optimism, BNB, Polygon and more. Live, short cache only.

api.oanor.com/storageslot-api

Contract Bytecode API

Fetch any smart contract's deployed EVM bytecode live from the chain's public JSON-RPC, disassemble it into human-readable opcodes, and extract the 4-byte function selectors from its dispatcher. Unlike source-verification or 4-byte directories, this works on ANY deployed contract — verified or not — so it reveals the raw on-chain logic of contracts nobody has published source for. Give it a chain and an address and get the runtime bytecode, a full offset-by-offset opcode disassembly (paged), and the detected function selectors. The reverse-engineering layer for auditors, MEV searchers and security tooling. Reads straight from the chain across Ethereum, Base, Arbitrum, Optimism, BNB, Polygon and more. Live, short cache only.

api.oanor.com/bytecode-api

Safe Multisig API

Inspect any Safe (formerly Gnosis Safe) multisig smart wallet, keyless. For any Safe address on any supported chain it returns the multisig configuration: the owner signers, the signature threshold (the M-of-N), the current nonce, the enabled modules, guard and contract version, as well as the Safe's token balances (native + ERC-20, with symbols and amounts). The multisig-inspection layer for DAO treasuries, security, due diligence, wallet and dashboard tooling. Live, nothing stored. Backed by the open Safe Transaction Service.

api.oanor.com/safe-api

Contract Verification API

Check whether an EVM smart contract's source code is verified, and retrieve its ABI, source files and deployment details, keyless. Give it a chain ID and a contract address and get the verification status (full / partial / not verified), the compiler and contract name, the deployment information (deployer, transaction, block), the contract ABI (the JSON interface every integration needs) and the verified Solidity source code. Live, nothing stored. The contract-verification / ABI layer for security, due diligence, block explorers, wallet and dapp tooling, backed by the open Sourcify registry, distinct from price, TVL and chain-registry APIs.

api.oanor.com/contractverify-api

Token Approval Security API

Live audit of the token approvals (allowances) a crypto wallet has granted and of the risk of the contracts it has authorised to spend its tokens, powered by the public GoPlus Security data, no API key, nothing stored. Token approvals are the most common way wallets get drained: once you authorise a contract to move a token, a malicious or compromised spender can take it at any time. This is the allowance-hygiene layer, the data behind tools like revoke.cash. The approvals endpoint lists every token a wallet has approved, whom it approved (the spender contract), how much and when it was approved, and whether that spender is flagged as malicious, trusted or unverified, together with a risk summary that counts the dangerous approvals to revoke. The contract endpoint profiles a single spender contract before you approve it: its name, whether it is open-source, its creator, deployment time and risk tags. The chains endpoint lists the more than 40 supported blockchains. Catch wallet-draining allowances before they cost a user everything. This is the approval/allowance-risk cut, distinct from the token-contract security, scam-detection and on-chain APIs in the catalogue.

api.oanor.com/approvalsecurity-api

Crypto Scam Check API

Live crypto scam, phishing and dApp-safety checks for the things a user actually clicks or buys — the consumer-protection layer, powered by the public GoPlus Security data, no key, nothing stored. Before you connect a wallet to a website, sign a transaction or mint an NFT, ask whether it is safe. The phishing endpoint checks whether a URL is a known crypto phishing site. The dapp endpoint returns a decentralized app's audit and trust status — its project name, whether it has been audited, whether GoPlus lists it as a trusted project, and the audit firms and dates. The nft endpoint scans an NFT collection contract for risk — whether it is verified or a fake, open-source or a proxy, whether the owner can mint, burn or move tokens without approval, whether the metadata is frozen, plus its item, holder and 24-hour trading-volume figures. Stop phishing sites, fake NFT collections and unaudited dApps before they cost a user their funds. This is the website / dApp / NFT scam-detection cut — distinct from the token-contract-and-wallet security, the historical-exploit database and the price APIs in the catalogue.

api.oanor.com/scamcheck-api

Token Security API

Live smart-contract risk and security analysis for crypto tokens and wallet addresses: the on-chain due-diligence check you should run before buying a token or interacting with an address, powered by the public GoPlus Security data, no API key, nothing stored. The token endpoint scans an ERC-20-style contract on any supported chain and returns whether it is a honeypot, the buy and sell tax, whether it is mintable or has a hidden or privileged owner who can pause trading or take back ownership, whether it is open-source or a proxy, and the number of holders and LP holders. The address endpoint checks a wallet address against twenty risk signals (cybercrime, money laundering, phishing, sanctions, stealing attacks, honeypot-related addresses and more) and reports exactly which, if any, are flagged. The chains endpoint lists the 40+ supported blockchains. Catch scam tokens, honeypots and tainted addresses before they cost you anything. This is the real-time contract-security and risk check for crypto, distinct from the historical-exploit database, the price and the on-chain APIs in the catalogue.

api.oanor.com/tokensecurity-api

Crypto Hacks API

A live database of cryptocurrency and DeFi hacks, exploits and thefts (every major on-chain theft on record), powered by the public DeFiLlama hacks dataset, no API key, nothing stored. Each incident carries the victim, the amount stolen in US dollars, the date, the attack technique (flash-loan oracle manipulation, reentrancy, private-key compromise, access-control exploit and more), a higher-level classification, the chain(s) involved, the target type (DeFi protocol, centralised exchange, bridge, wallet, token) and how much, if any, was later returned. The hacks endpoint returns the incident list newest first, filterable by chain, technique, target type, classification, year and minimum loss. The biggest endpoint ranks the largest exploits of all time by dollars stolen, from the billion-dollar bridge and exchange breaches down. The stats endpoint aggregates the whole dataset: total stolen, number of incidents, funds returned and breakdowns by attack technique, chain, target type and year. This is the crypto security and exploit-history cut: risk and post-mortem data distinct from the price, market, TVL, fee and on-chain APIs in the catalogue.

api.oanor.com/cryptohacks-api

Birthday Paradox API

Birthday-paradox and collision-probability maths as an API, computed locally and deterministically. The probability endpoint computes the chance that at least two of n people share a birthday among d equally likely days, P = 1 − Π(1 − i/d), evaluated in log space for accuracy — the famous result that just 23 people give about a 50.7 % chance, 50 people about 97 % and 70 people about 99.9 %. The people-needed endpoint inverts it: the smallest group size to reach a target probability (23 for 50 %, 57 for 99 %), with the √(2·d·ln(1/(1−p))) approximation. The collision endpoint generalises the birthday bound to any space — pass a number of buckets or a hash size in bits — and returns the collision probability P ≈ 1 − e^(−n²/2d), the rule behind hash collisions and UUID-uniqueness estimates, where a 50 % chance needs roughly 1.177·√d items. Days and buckets default to 365. Everything is computed locally and deterministically, so it is instant and private. Ideal for probability-education, security, cryptography, hashing, data-engineering and statistics app developers, collision-risk and birthday-problem tools, and teaching material. Pure local computation — no key, no third-party service, instant. Live, nothing stored. 3 endpoints. This is the birthday/collision probability; for full distributions use a probability API.

api.oanor.com/birthdayparadox-api

CORS API

Build correct CORS response headers and evaluate preflight requests, without having to re-read the specification every time. The headers endpoint turns a simple policy (allowed origins, methods, request headers, whether credentials are allowed, a preflight max age and any exposed response headers) into the exact set of Access-Control-* headers to return, and handles the parts people often get wrong: a wildcard origin cannot be combined with credentials, so it reflects the specific request origin and adds Vary: Origin; it omits the allow-origin header when an origin is not on your list; and it warns when a configuration would not behave as expected. The check endpoint takes an incoming request, with its Origin, the (requested) method and Access-Control-Request-Headers, and tells you whether it would pass CORS, the precise reason if it fails, and the response headers you should send. Everything is computed locally and deterministically, so it is instant and private. Ideal for API gateways and backends, edge and serverless functions, debugging browser CORS errors and getting a security policy exactly right. Pure local computation: no key, no third-party service, instant. Live, nothing stored. 3 endpoints. This builds and checks the headers; it does not make a cross-origin request. To inspect the security headers of a live site, use a security-headers API.

api.oanor.com/cors-api

Redact API

Detect and redact personally identifiable information (PII) in free text. It finds email addresses, phone numbers, credit-card numbers (Luhn-validated to cut false positives), IPv4 and IPv6 addresses, US Social Security numbers and IBANs, and masks each one — with a per-type label like [EMAIL], a fixed replacement string, or a single character repeated to the original length. A detect endpoint returns every match with its type and position without changing the text. Perfect for scrubbing logs and support transcripts, sanitising data before sharing or sending to a third party, and privacy and compliance pre-checks. Pure local computation — text never leaves the server, no key, no third party, instant; up to 200,000 characters via POST. Live, nothing stored. 3 endpoints. Regex-based and best-effort — review before relying on it for legal compliance. Distinct from sentiment, profanity and general text tooling.

api.oanor.com/redact-api

Escape API

Escape a string so it is safe to drop into a specific context. Pick a target — a regular expression (so the text matches literally), a shell command (POSIX single-quote wrapping), a JSON string, a CSV field (RFC 4180 quoting) or a SQL string literal — and get back the correctly escaped value, plus a short note on the rule applied. The contexts endpoint lists every target with a worked example. Perfect for code generation, building commands and queries, templating and data export, and safely interpolating user input. Pure local computation — no key, no third-party service, instant. Live, nothing stored. 3 endpoints. The SQL context is a quoted literal for convenience, not a replacement for parameterised queries. Distinct from base64/hex/URL/HTML-entity encoders.

api.oanor.com/escape-api

Key Pair API

Generate cryptographic key pairs on demand — RSA (2048/3072/4096), elliptic-curve (P-256, P-384, P-521, secp256k1), Ed25519 and Ed448 — returned as PEM (SPKI public key, PKCS#8 private key) and, optionally, as JWK. Perfect for spinning up JWT/JWS signing keys, TLS and SSH experiments, test fixtures and demos. Pure local generation with Node's crypto (no third-party service). Note: for development, testing and education — generate keys for production systems offline or in an HSM, never trust a remote API with real private keys. Live, nothing stored. 3 endpoints. Distinct from JWT signing, password generation and hashing.

api.oanor.com/keypair-api

HTML Sanitizer API

Make untrusted HTML safe to display. Send any HTML (a comment, a rich-text submission, an email snippet or a scraped page) and get back a clean, XSS-free version: <script> tags, inline event handlers (onclick, onerror), javascript: URLs, <iframe>, <style> and anything not on the allowlist are removed. Override the allowed tags and attributes to suit your needs, or remove links entirely. A strip endpoint returns plain text with all markup removed. Pure local sanitisation: no key, no third-party service, instant. Live. 3 endpoints. Built for user-generated content, comment systems, rich-text editors, email rendering and anywhere untrusted HTML reaches a browser. Distinct from a Markdown renderer or an HTML data extractor.

api.oanor.com/htmlsanitize-api

File Type Detection API

Detect a file's real type from its content (its magic bytes / binary signature), not from its name. Send a file by URL or base64 and get back the real extension and MIME type, recognising more than 100 binary formats: images (PNG, JPEG, GIF, WebP, AVIF, HEIC), audio and video (MP3, MP4, WAV, FLAC, MKV), archives (ZIP, GZIP, 7z, RAR, TAR), documents (PDF, DOCX, XLSX), fonts and more. Optionally pass a filename to flag a spoofed extension (e.g. a PNG renamed to .txt). Text formats such as TXT, CSV, JSON and SVG have no signature and return detected=false. Detection is local: no key, no third-party service. Live, nothing stored. 2 endpoints. Built for secure upload validation, anti-spoofing checks, content pipelines and forensics. Distinct from an extension-to-MIME lookup.

api.oanor.com/filetype-api

MTA-STS API

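Check a domain's SMTP transport-security posture: whether its mail servers require inbound mail to be delivered over authenticated TLS, to prevent downgrade and man-in-the-middle attacks. Pass a domain and the service fetches the MTA-STS policy file from mta-sts.<domain>/.well-known/mta-sts.txt (its version, mode, allowed MX hosts and max_age), the _mta-sts DNS TXT record (its policy ID) and the _smtp._tls TLS-RPT record (the rua reporting address), then reports whether MTA-STS is actually enforced and a prioritised list of issues: no policy file, no DNS record, only "testing" mode, or a missing TLS-RPT record. A second endpoint returns only the parsed policy file. The request is made server-side, and private/internal targets are refused (SSRF-guarded). Built for email-deliverability and anti-downgrade-attack audits, vendor and third-party assessment, and compliance. An MTA-STS / TLS-RPT checker: the SMTP transport-security counterpart to the email-authentication analyzer (emailsec, covering SPF, DKIM and DMARC), distinct from raw DNS lookup (dns). No upstream key, no cache.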

api.oanor.com/mtasts-api

OIDC Discovery API

Inspect any OpenID Connect / OAuth 2.0 provider. Supply an issuer (a domain, an issuer URL or the full discovery URL) and the service fetches the provider's discovery document at /.well-known/openid-configuration, parses every endpoint (authorization, token, userinfo, jwks, registration, logout, introspection, revocation and device authorization) along with the supported scopes, response types, grant types, ID-token signing algorithms, PKCE methods and claims, then fetches the JWKS and summarises its signing keys (count, algorithms, key types and key IDs), and reports a validity check with any issues. A second endpoint fetches and summarises any JSON Web Key Set on its own. The request is made server-side and private/internal targets are refused (SSRF-guarded). Built for SSO and OAuth/OIDC integration, debugging identity-provider configuration (Auth0, Okta, Keycloak, Azure AD, Google), security review and signing-key rotation monitoring. An OIDC discovery / JWKS inspector, distinct from the JWT toolkit (jwt), the security.txt parser (securitytxt) and the HTTP security-header grader (secheaders). No upstream key, no cache.

api.oanor.com/oidc-api

Subresource Integrity API

Generate Subresource Integrity (SRI) hashes for any web asset, so that browsers can verify that a script or stylesheet hosted on a CDN has not been tampered with. Pass a URL and the service fetches the asset and returns its sha256, sha384 and sha512 SRI hashes, the chosen integrity value (sha384 by default, or pass your preferred algorithm), the asset's size and content type, and a ready-to-paste <script> or <link> tag with the integrity and crossorigin attributes. A verify endpoint re-fetches the asset and tells you whether it still matches a known integrity string, catching silent CDN changes or supply-chain tampering before your users encounter them. The request is made server-side; private and internal targets are refused (SSRF-guarded). Built for securing third-party scripts, supply-chain hardening, build pipelines and CSP/SRI compliance. A Subresource Integrity generator and verifier, distinct from raw cryptographic hashing of input data (hash), the HTTP security-header grader (secheaders) and the SSL/TLS certificate check (sslcheck). No upstream key, no cache.

api.oanor.com/sri-api

Vulnerability Intelligence API

Prioritise CVEs by real-world exploitation risk — not just severity. Combines the FIRST.org EPSS score (the probability, 0 to 1, that a CVE will be exploited in the next 30 days, with its percentile rank) and the CISA KEV catalog (vulnerabilities confirmed to be actively exploited in the wild — with the vendor, product, date added, remediation due date and whether the flaw is used in ransomware campaigns), and derives a single priority level for each CVE. Look up as many as 25 CVEs in one call, browse the full CISA Known Exploited Vulnerabilities catalog filtered by vendor, product or ransomware use, or list the CVEs with the highest current EPSS scores. Built for vulnerability management, patch prioritisation, risk scoring and security dashboards — answering not "how bad could this be?" but "how likely is it to actually be exploited?". A vulnerability-prioritisation layer — distinct from raw CVE details and CVSS severity (cve), password-breach checks (pwned) and the HTTP security-header grader (secheaders). Data live from FIRST.org and CISA. No upstream key, no cache.

api.oanor.com/vulnintel-api

Email Security API

Inspect any domain's email-authentication posture — its protection against spoofing and phishing — via live DNS. Pass a domain and the service looks up and validates SPF (the v=spf1 record, its all-qualifier and the 10-lookup limit), DMARC (the _dmarc policy p=none/quarantine/reject, plus sp, pct and rua/ruf reporting addresses), DKIM (probing the common selectors at selector._domainkey, or pass your own), BIMI and the MX servers — then returns an A+-to-F grade with a prioritised list of issues and concrete advice. A second endpoint parses the DMARC record tag by tag with a plain-English interpretation of the policy. Built for email-deliverability and anti-spoofing audits, vendor and third-party risk assessment, security onboarding and continuous monitoring. An email-authentication analyzer — distinct from mailbox/address validation (email), raw DNS record lookup (dns) and the HTTP security-header grader (secheaders). Pure live DNS, no upstream key, no cache.

api.oanor.com/emailsec-api

security.txt API

Fetch and parse the RFC 9116 security.txt file of any domain: the machine-readable file at /.well-known/security.txt that tells security researchers how to report vulnerabilities. Supply a domain and the service locates the file (the canonical .well-known path with a legacy fallback to the root), parses every field (Contact, Expires, Encryption, Acknowledgments, Preferred-Languages, Canonical, Policy, Hiring and CSAF) and reports whether it is valid (has at least one Contact and a single unexpired Expires), whether it is PGP-signed, whether it has expired (with the number of days remaining) and a list of issues with concrete advice. A companion endpoint returns the raw file. The request is made server-side; private and internal targets are refused (SSRF-guarded). Designed for security audits, vendor and third-party risk assessment, attack-surface reviews and vulnerability-disclosure-policy compliance checks. A security.txt parser and validator, distinct from the HTTP security-header grader (secheaders), the SSL/TLS certificate check (sslcheck) and host reachability (hostcheck). No upstream key, no cache.

api.oanor.com/securitytxt-api

Security Headers API

Fetch any URL and analyse its HTTP response security headers — grading the site A+ to F the way securityheaders.com and Mozilla Observatory do. Pass a URL and the service makes the request server-side (following redirects), then reports which protective headers are present, which are missing (with concrete remediation advice) and which response headers leak information. Graded headers include Strict-Transport-Security (HSTS), Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy and Cross-Origin-Opener-Policy; information-leak headers include Server and X-Powered-By. A companion endpoint returns every raw response header. Private and internal targets are refused (SSRF-guarded). Built for security audits, CI/CD security gates, attack-surface reviews and compliance checks. A security-header grader — distinct from the SSL/TLS certificate check (sslcheck), host reachability (hostcheck), the IANA HTTP status-code reference (http) and the on-page SEO audit (seo). No upstream key, no cache.

api.oanor.com/secheaders-api

Tor Network API

Look up the live Tor network as an API — powered by the Tor Project's official Onionoo service and the canonical bulk exit-node list. Check whether any IPv4 or IPv6 address is a Tor relay (is_tor_relay) and whether it is an exit node that clients leave the network through (is_exit_node, corroborated against the bulk exit list), returning the full matching relay record(s): nickname, fingerprint, flags, country, autonomous system, advertised bandwidth, exit-policy summary and first/last-seen dates. Or search the public relay list by nickname, fingerprint, IP, country or flag (Exit, Guard, Fast, Stable…) with paging. Built for fraud and abuse triage, login-risk scoring, comment- and registration-filtering, and network research — knowing at a glance whether a connection originates from the Tor network. Range data is fetched live from the Tor Project, so it is always current. A Tor-network lookup — distinct from cloud/CDN attribution (cloudips), IP geolocation (ipgeo), ASN/BGP ownership (asn, ripestat) and open-port exposure (internetdb). No upstream key, no cache.

api.oanor.com/tor-api

Cloud and CDN IP Ranges API

Attribute any IP address to the cloud provider, CDN, region and service that owns it, from the official IP-range lists published by AWS, Google Cloud, Cloudflare, Oracle Cloud (OCI), Fastly and GitHub. Pass an IPv4 or IPv6 address and get every matching prefix with its provider, region/scope and service, plus an is_cloud flag that tells you at a glance whether the address belongs to a known cloud or CDN; or list the published ranges of a single provider, filtered by region, service and IP version. Designed for firewall allowlists, abuse and fraud triage, bot and egress-traffic classification, SSRF defence, and knowing whether inbound or outbound traffic originates from a cloud or CDN. Range data is fetched live from each provider's canonical public list, so it is always current. A cloud/CDN IP-attribution service, distinct from IP geolocation (ipgeo), ASN/BGP ownership (asn, ripestat), open-port exposure (internetdb) and the IANA protocol/port registries (netports, ipprotocols). No upstream key, no cache.

api.oanor.com/cloudips-api

IP Exposure API

See what any host exposes to the internet, as an API over Shodan's free InternetDB. Supply an IPv4/IPv6 address (or a hostname, which is resolved to its IP) and get that host's attack surface: the open ports (annotated with common service names), the products and technologies detected on it (CPEs), its reverse hostnames, Shodan's classification tags and the known vulnerabilities (CVE identifiers) observed on its services. A dedicated vulnerabilities view returns only the CVEs and whether the host appears vulnerable. It is fast, requires no key and is designed for security workflows, asset discovery, external attack-surface monitoring and reconnaissance. A network-exposure / attack-surface resource, distinct from IP geolocation (where an address is), the IANA port registry (what a port number means) and CVE databases (what a vulnerability is). Data from Shodan InternetDB (free / non-commercial use).

api.oanor.com/internetdb-api

Password Breach Check API

Check whether a password has appeared in known data breaches — as an API over Have I Been Pwned's Pwned Passwords corpus (800+ million unique compromised passwords). It uses k-anonymity: only the first 5 characters of a password's SHA-1 hash are ever sent upstream, so the password itself never leaves in full. Pass a password (hashed in memory, never stored or logged — send it via POST so it never appears in a URL/log) or a SHA-1 hash to learn whether it has been breached and how many times; or fetch a raw k-anonymity range for a 5-character hash prefix and do the matching entirely on your own side for zero password exposure. Screening sign-ups and password resets against breached-password lists is recommended by NIST 800-63b, and this makes it a one-call check. A breach / credential-security resource — distinct from password generators, cryptographic hashing and bcrypt. Open data from Have I Been Pwned (Troy Hunt), CC BY 4.0.

api.oanor.com/pwned-api

deps.dev API

Software supply-chain and dependency intelligence as an API, powered by deps.dev, the Google Open Source Insights service. Across six package ecosystems (npm, PyPI, Maven, Cargo, Go and NuGet), it answers the questions a registry cannot: what installing this package actually pulls in, and how healthy the project behind it is. List a package's published versions and its default version; read a specific version's declared licences, the keys of any known security advisories, useful links (source repository, homepage, issue tracker) and related projects; resolve the full TRANSITIVE dependency graph of a version (the total dependency count, the direct dependencies and every transitive node with its exact resolved version and whether it is a direct or indirect dependency); and look up a source project's OpenSSF Scorecard (the overall security score plus per-check results for Maintained, Code Review, Branch Protection, Dangerous Workflow, Vulnerabilities and more) together with its stars, forks, open issues, licence and homepage. For Go modules and Maven artifacts, the package name is the full module path or group:artifact (URL-encoded automatically). Ideal for dependency auditing, software bill of materials (SBOM) enrichment, supply-chain risk assessment and licence-compliance tooling. Data from deps.dev (Google, CC-BY).

api.oanor.com/depsdev-api

OSV Vulnerabilities API

The Open Source Vulnerabilities database (OSV / osv.dev) as an API — the supply-chain security check for open-source dependencies. Scan any package version (PyPI, npm, Go, crates.io, Maven, NuGet, RubyGems, Packagist, Hex and more) and instantly learn whether it is affected by known vulnerabilities, with each advisory's severity, CVSS score, CVE aliases, CWE weakness and references; list every advisory ever published for a package; and look up a single advisory (GHSA, PYSEC, GO, RUSTSEC, CVE…) in full detail, including the affected packages and version ranges. Live from Google's official OSV.dev database, which aggregates GitHub Security Advisories, PyPA, RustSec, Go and many other sources. Ideal for dependency scanning, SBOM and supply-chain tooling, CI security gates and devsecops dashboards. Open data.

api.oanor.com/osv-api

SSL Certificate API

Check any website's SSL/TLS certificate as an API. Pass a domain and the service performs a live TLS handshake and returns the certificate's subject and issuer, the validity window, the exact number of days until it expires, whether it is currently valid and trusted by a standard CA chain, the negotiated TLS protocol, serial number, SHA-256 fingerprint, key size and the full list of Subject Alternative Names (SANs). A lean expiry endpoint returns a simple ok / expiring_soon / expired status, perfect for uptime and certificate-expiry monitoring, dashboards, CI checks and security tooling. Self-contained — no third-party service. IP addresses and internal hosts are not supported.

api.oanor.com/sslcheck-api

CVE Vulnerability API

Look up software vulnerabilities by their CVE identifier and get clean, structured details — title, description, CVSS score, severity and vector, CWE weakness types, affected vendors and products with version ranges, and reference links — plus search every CVE that affects a given vendor or product, and stream the most recently published CVEs. Sourced from the CIRCL CVE Search service over the official CVE Record 5.1 data and returned as tidy JSON through a fast, reliable API. Ideal for vulnerability management and SOC tooling, DevSecOps and SCA pipelines, security dashboards, compliance and asset-risk monitoring.

api.oanor.com/cve-api

Bcrypt API

Hash and verify passwords with bcrypt, server-side. Generate a salted bcrypt hash at a cost factor you choose (4–14), check a plaintext password against an existing hash, or inspect a hash to read its bcrypt version, cost factor and salt. Fully compatible with bcrypt hashes from PHP ($2y$), Node, Python and others, so you can verify and migrate existing credentials. Pure server-side computation with no third-party upstream, so it is always available — and it offloads the deliberately CPU-intensive hashing work from your own servers. Ideal for adding password authentication, credential migration, auth tooling, testing and no-code backends.

api.oanor.com/bcrypt-api

TOTP / 2FA API

Add and test two-factor authentication without wrestling with a cryptographic library. Generate a fresh base32 secret with a ready-to-scan otpauth URI, compute the current time-based one-time code (RFC 6238), verify a user-submitted code with an adjustable drift window, or build an otpauth:// URI for any secret. Supports SHA-1, SHA-256 and SHA-512, 6 to 8 digits and a custom period, and is fully compatible with Google Authenticator, Authy, 1Password and other authenticator apps. Pure server-side computation with no third parties, so responses are instant and the service is always available. Ideal for adding 2FA to apps, authentication tooling, QA and testing, and no-code automation.

api.oanor.com/totp-api

JWT API

A fast, fully-local JSON Web Token toolkit: sign a JSON payload into a JWT, verify a token signature together with its exp and nbf claims using a constant-time comparison, and decode a token header and payload without verifying. Supports the HMAC algorithms HS256, HS384 and HS512, and automatically adds the iat claim and an exp claim from expires_in. Built on Node crypto, with secrets never logged, so responses are instant, private and always available. Every endpoint accepts input via the query string or the request body. Ideal for authentication, API gateways, session and token tooling, microservices and webhooks.

api.oanor.com/jwt-api

MIME API

A fast, fully local toolkit for MIME and file types: look up the MIME type, charset and category of a filename or extension, list every file extension registered for a MIME type, and detect a file's real type from its leading magic bytes (more than 40 signatures, including RIFF container disambiguation for WEBP, WAV and AVI), accepting hex or base64 input. Every endpoint accepts input via the query string or the request body. Pure server-side computation with no third-party upstream, so responses are instant and always available. Ideal for upload validation, security (checking a file's real type against its declared extension), CDNs and content pipelines.

api.oanor.com/mime-api

Password API

A fast, fully-local password toolkit: generate cryptographically-secure random passwords (configurable length, character classes and exclude-similar), estimate password strength (entropy bits, a 0-4 score, character-class breakdown, common-password detection, an offline crack-time estimate and actionable feedback), and create memorable diceware-style passphrases. Built on Node crypto, no third-party upstream, and inputs are never logged — so responses are instant, private and always available. Ideal for signup and account flows, admin tools, password managers and security features.

api.oanor.com/password-api

FBI Wanted API

Browse and search the FBI's official wanted list (fugitives, missing persons, terrorists and seeking-information cases) with charges, cautions, rewards, physical descriptions, field offices and photos. Useful for news, public safety, security research and OSINT apps.

api.oanor.com/fbi-api

DNS Lookup API

Resolve DNS records — A, AAAA, MX, NS, TXT, CNAME, SOA, SRV, CAA, PTR — for any domain, fetch all common records in a single call, or run a reverse PTR lookup for an IPv4 address. Backed by Google DNS-over-HTTPS. Ideal for devops tooling, uptime and email-deliverability checks (SPF/DKIM/DMARC), security research and domain monitoring.

api.oanor.com/dns-api