#web

Parse and build HTTP cookies. The parse endpoint reads a Set-Cookie header into its name, value and structured attributes — Domain, Path, Expires, Max-Age, Secure, HttpOnly, SameSite, Priority and Partitioned — or, with mode=cookie, splits a request Cookie header like "a=1; b=2; c=3" into an ordered list and a name→value map. The serialize endpoint builds a correct Set-Cookie string from simple fields, with sensible defaults (Path=/), proper date formatting for Expires, optional URL-encoding of the value, and validation of the cookie name, the date and the enum attributes — and it automatically adds Secure when SameSite=None, as browsers require. Everything is computed locally and deterministically, so it is instant and private. Ideal for web frameworks and middleware, API debugging and proxies, session and consent tooling, testing and security review. Pure local computation — no key, no third-party service, instant. Live, nothing stored. 3 endpoints. This parses and builds cookie strings; it does not fetch a URL — to inspect a live site's response headers use a security-headers or HTTP API.

api.oanor.com/cookie-api

Cada código de estado HTTP como una API. Busque cualquier código (p. ej., 404, 429, 503) y obtenga su frase de razón estándar, su clase (1xx Informativo, 2xx Éxito, 3xx Redirección, 4xx Error del Cliente, 5xx Error del Servidor), una descripción en inglés sencillo, la RFC que lo define, y banderas útiles para saber si es un error y si es comúnmente seguro reintentar (408, 425, 429, 500, 502, 503, 504). Liste cada código asignado o filtre por clase, y enumere las cinco clases de estado. Perfecto para clientes y pasarelas de API, páginas de error, paneles de registro y monitoreo, documentación y enseñanza. Cálculo puramente local — sin clave, sin servicio de terceros, instantáneo. En vivo, nada almacenado. 4 endpoints. Distinto de los verificadores de host/tiempo de actividad que reportan un estado en vivo — este es el diccionario de referencia de los códigos en sí.

api.oanor.com/httpstatus-api

Fetch and evaluate any publisher's ads.txt / app-ads.txt — the IAB authorized-digital-sellers standard. Pass a domain and the check endpoint fetches its ads.txt server-side, then returns every seller record parsed into its fields — advertising system, the publisher's seller/account id, the DIRECT or RESELLER relationship and the optional certification-authority id (TAG-ID) — alongside counts (direct, reseller, distinct ad systems) and the declared variables OWNERDOMAIN, MANAGERDOMAIN, CONTACT and SUBDOMAINS. The verify endpoint answers the one question programmatic-advertising integrations actually ask: is this advertising system, with this publisher id, authorized to sell this domain's inventory? — returning an authorized boolean and the matching records. A missing file is reported as found:false (not an error), and soft-404 HTML pages are detected and rejected so you never parse a "page not found" as records. The request is made server-side and private or internal targets are refused (SSRF-guarded). Built for ad-tech supply-chain verification, SSP/DSP onboarding checks, anti-fraud and inventory audits. An ads.txt seller-authorization checker — distinct from the security-contact file reader (securitytxt), the robots.txt crawlability evaluator (robots) and the sitemap parser (sitemap). No upstream key, no cache.

api.oanor.com/adstxt-api

Fetch and parse an XML sitemap (the sitemaps.org protocol). Pass a sitemap URL and the parse endpoint fetches it — following redirects and transparently gunzipping .gz sitemaps — and returns its type: a urlset with every URL and its lastmod, changefreq and priority, or a sitemapindex listing the child sitemaps, with offset/limit paging for large files. The urls endpoint goes further: when the sitemap is an index it fetches the child sitemaps too and flattens every page URL into a single list, with a configurable cap on URLs and child sitemaps and a truncated flag so you stay in control. The request is made server-side and private or internal targets are refused (SSRF-guarded). Built for SEO audits, building crawl queues and content inventories, change monitoring and migration checks. A sitemap fetcher and parser — distinct from generic XML-to-JSON conversion (xml), the robots.txt evaluator (robots) and the on-page SEO audit (seo). No upstream key, no cache.

api.oanor.com/sitemap-api

Fetch and evaluate any website's robots.txt. Pass a URL and a user-agent and the check endpoint tells you whether that URL is crawlable — selecting the most-specific user-agent group and applying the RFC 9309 longest-match Allow/Disallow rules (with * and $ wildcards, where Allow wins ties), and returning the matched rule, the group's crawl-delay and the sitemaps the site declares. The parse endpoint returns the whole file structured into per-user-agent groups (their allow and disallow lists and crawl-delay) plus the list of sitemaps. A missing robots.txt (404/403) means everything is allowed, exactly as the spec requires. The request is made server-side and private or internal targets are refused (SSRF-guarded). Built for SEO audits, crawler and scraper compliance, sitemap discovery and pre-flight "am I allowed to fetch this?" checks. A robots.txt evaluator — distinct from the on-page SEO audit (seo), the XML toolkit (xml) and link unfurling/preview (url). No upstream key, no cache.

api.oanor.com/robots-api

Genera hashes de Subresource Integrity (SRI) para cualquier activo web, de modo que los navegadores puedan verificar que un script u hoja de estilo alojado en una CDN no ha sido manipulado. Pasa una URL y el servicio obtiene el activo y devuelve sus hashes SRI sha256, sha384 y sha512, el valor de integridad elegido (sha384 por defecto, o pasa tu algoritmo preferido), el tamaño y tipo de contenido del activo, y una etiqueta <script> o <link> lista para pegar con los atributos integrity y crossorigin. Un endpoint de verificación vuelve a obtener el activo y te dice si aún coincide con una cadena de integridad conocida, detectando cambios silenciosos en la CDN o manipulación en la cadena de suministro antes de que tus usuarios los encuentren. La solicitud se realiza del lado del servidor; los destinos privados e internos son rechazados (protegido contra SSRF). Construido para asegurar scripts de terceros, endurecer la cadena de suministro, pipelines de compilación y cumplimiento de CSP/SRI. Un generador y verificador de Subresource Integrity — distinto del hash criptográfico en bruto de datos de entrada (hash), el calificador de encabezados de seguridad HTTP (secheaders) y la verificación de certificados SSL/TLS (sslcheck). Sin clave upstream, sin caché.

api.oanor.com/sri-api

Recupera e analizza il file security.txt RFC 9116 di qualsiasi dominio — il file leggibile dalla macchina situato in /.well-known/security.txt che indica ai ricercatori di sicurezza come segnalare le vulnerabilità. Fornisci un dominio e il servizio localizza il file (il percorso canonico .well-known con un fallback legacy alla radice), analizza ogni campo — Contact, Expires, Encryption, Acknowledgments, Preferred-Languages, Canonical, Policy, Hiring e CSAF — e segnala se è valido (ha almeno un Contact e un singolo Expires non scaduto), se è firmato PGP, se è scaduto (con il numero di giorni rimanenti) e un elenco di problemi con consigli concreti. Un endpoint complementare restituisce il file grezzo. La richiesta è eseguita lato server; i target privati e interni vengono rifiutati (protetto da SSRF). Progettato per audit di sicurezza, valutazione del rischio di fornitori e terze parti, revisioni della superficie d'attacco e controlli di conformità delle politiche di divulgazione delle vulnerabilità. Un parser e validatore di security.txt — distinto dal grader delle intestazioni di sicurezza HTTP (secheaders), dal controllo del certificato SSL/TLS (sslcheck) e dalla raggiungibilità dell'host (hostcheck). Nessuna chiave upstream, nessuna cache.

api.oanor.com/securitytxt-api

Fetch any URL and analyse its HTTP response security headers — grading the site A+ to F the way securityheaders.com and Mozilla Observatory do. Pass a URL and the service makes the request server-side (following redirects), then reports which protective headers are present, which are missing (with concrete remediation advice) and which response headers leak information. Graded headers include Strict-Transport-Security (HSTS), Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy and Cross-Origin-Opener-Policy; information-leak headers include Server and X-Powered-By. A companion endpoint returns every raw response header. Private and internal targets are refused (SSRF-guarded). Built for security audits, CI/CD security gates, attack-surface reviews and compliance checks. A security-header grader — distinct from the SSL/TLS certificate check (sslcheck), host reachability (hostcheck), the IANA HTTP status-code reference (http) and the on-page SEO audit (seo). No upstream key, no cache.

api.oanor.com/secheaders-api

El directorio oficial de plugins y temas de WordPress.org como API — el registro detrás del ~40% de la web que funciona con WordPress. Busca cualquier plugin o tema por su slug para obtener su nombre, versión, autor, calificación de usuario y número de calificaciones, número de instalaciones activas y descargas totales, las versiones de WordPress y PHP que requiere, fecha de última actualización, página de inicio, URL de soporte y enlace de descarga directa; y busca en el directorio por palabra clave (plugins o temas), con resultados ordenados por instalaciones activas. Cubre los más de 60,000 plugins gratuitos y más de 13,000 temas en WordPress.org, desde WooCommerce, Yoast SEO y Elementor hasta Contact Form 7 y Jetpack. En vivo desde la API oficial api.wordpress.org. Ideal para paneles de WordPress y administradores de sitios, catálogos de plugins/temas, herramientas de compatibilidad y actualización, y el ecosistema de desarrolladores de WordPress. Datos abiertos de WordPress.org.

api.oanor.com/wordpress-api