#web

Parse and build HTTP cookies. The parse endpoint reads a Set-Cookie header into its name, value and structured attributes — Domain, Path, Expires, Max-Age, Secure, HttpOnly, SameSite, Priority and Partitioned — or, with mode=cookie, splits a request Cookie header like "a=1; b=2; c=3" into an ordered list and a name→value map. The serialize endpoint builds a correct Set-Cookie string from simple fields, with sensible defaults (Path=/), proper date formatting for Expires, optional URL-encoding of the value, and validation of the cookie name, the date and the enum attributes — and it automatically adds Secure when SameSite=None, as browsers require. Everything is computed locally and deterministically, so it is instant and private. Ideal for web frameworks and middleware, API debugging and proxies, session and consent tooling, testing and security review. Pure local computation — no key, no third-party service, instant. Live, nothing stored. 3 endpoints. This parses and builds cookie strings; it does not fetch a URL — to inspect a live site's response headers use a security-headers or HTTP API.

api.oanor.com/cookie-api

Every HTTP status code as an API. Look up any code (e.g. 404, 429, 503) and get its standard reason phrase, its class (1xx Informational, 2xx Success, 3xx Redirection, 4xx Client Error, 5xx Server Error), a plain-English description, the RFC that defines it, and handy flags for whether it is an error and whether it is commonly safe to retry (408, 425, 429, 500, 502, 503, 504). List every assigned code or filter by class, and enumerate the five status classes. Perfect for API clients and gateways, error pages, logging and monitoring dashboards, documentation and teaching. Pure local computation — no key, no third-party service, instant. Live, nothing stored. 4 endpoints. Distinct from host/uptime checkers that report a live status — this is the reference dictionary of the codes themselves.

api.oanor.com/httpstatus-api

Fetch and evaluate any publisher's ads.txt / app-ads.txt — the IAB authorized-digital-sellers standard. Pass a domain and the check endpoint fetches its ads.txt server-side, then returns every seller record parsed into its fields — advertising system, the publisher's seller/account id, the DIRECT or RESELLER relationship and the optional certification-authority id (TAG-ID) — alongside counts (direct, reseller, distinct ad systems) and the declared variables OWNERDOMAIN, MANAGERDOMAIN, CONTACT and SUBDOMAINS. The verify endpoint answers the one question programmatic-advertising integrations actually ask: is this advertising system, with this publisher id, authorized to sell this domain's inventory? — returning an authorized boolean and the matching records. A missing file is reported as found:false (not an error), and soft-404 HTML pages are detected and rejected so you never parse a "page not found" as records. The request is made server-side and private or internal targets are refused (SSRF-guarded). Built for ad-tech supply-chain verification, SSP/DSP onboarding checks, anti-fraud and inventory audits. An ads.txt seller-authorization checker — distinct from the security-contact file reader (securitytxt), the robots.txt crawlability evaluator (robots) and the sitemap parser (sitemap). No upstream key, no cache.

api.oanor.com/adstxt-api

Fetch and parse an XML sitemap (the sitemaps.org protocol). Pass a sitemap URL and the parse endpoint fetches it — following redirects and transparently gunzipping .gz sitemaps — and returns its type: a urlset with every URL and its lastmod, changefreq and priority, or a sitemapindex listing the child sitemaps, with offset/limit paging for large files. The urls endpoint goes further: when the sitemap is an index it fetches the child sitemaps too and flattens every page URL into a single list, with a configurable cap on URLs and child sitemaps and a truncated flag so you stay in control. The request is made server-side and private or internal targets are refused (SSRF-guarded). Built for SEO audits, building crawl queues and content inventories, change monitoring and migration checks. A sitemap fetcher and parser — distinct from generic XML-to-JSON conversion (xml), the robots.txt evaluator (robots) and the on-page SEO audit (seo). No upstream key, no cache.

api.oanor.com/sitemap-api

Fetch and evaluate any website's robots.txt. Pass a URL and a user-agent and the check endpoint tells you whether that URL is crawlable — selecting the most-specific user-agent group and applying the RFC 9309 longest-match Allow/Disallow rules (with * and $ wildcards, where Allow wins ties), and returning the matched rule, the group's crawl-delay and the sitemaps the site declares. The parse endpoint returns the whole file structured into per-user-agent groups (their allow and disallow lists and crawl-delay) plus the list of sitemaps. A missing robots.txt (404/403) means everything is allowed, exactly as the spec requires. The request is made server-side and private or internal targets are refused (SSRF-guarded). Built for SEO audits, crawler and scraper compliance, sitemap discovery and pre-flight "am I allowed to fetch this?" checks. A robots.txt evaluator — distinct from the on-page SEO audit (seo), the XML toolkit (xml) and link unfurling/preview (url). No upstream key, no cache.

api.oanor.com/robots-api

Generate Subresource Integrity (SRI) hashes for any web asset, so browsers can verify that a CDN-hosted script or stylesheet has not been tampered with. Pass a URL and the service fetches the asset and returns its sha256, sha384 and sha512 SRI hashes, the chosen integrity value (sha384 by default, or pass your preferred algorithm), the asset's size and content type, and a ready-to-paste <script> or <link> tag complete with the integrity and crossorigin attributes. A verify endpoint re-fetches the asset and tells you whether it still matches a known integrity string — catching silent CDN changes or supply-chain tampering before your users hit them. The request is made server-side; private and internal targets are refused (SSRF-guarded). Built for securing third-party scripts, supply-chain hardening, build pipelines and CSP/SRI compliance. A Subresource Integrity generator and verifier — distinct from raw cryptographic hashing of input data (hash), the HTTP security-header grader (secheaders) and the SSL/TLS certificate check (sslcheck). No upstream key, no cache.

api.oanor.com/sri-api

Fetch and parse any domain's RFC 9116 security.txt — the machine-readable file at /.well-known/security.txt that tells security researchers how to report vulnerabilities. Pass a domain and the service locates the file (the canonical .well-known path with a legacy root fallback), parses every field — Contact, Expires, Encryption, Acknowledgments, Preferred-Languages, Canonical, Policy, Hiring and CSAF — and reports whether it is valid (has at least one Contact and a single, non-expired Expires), whether it is PGP-signed, whether it has expired (with the number of days remaining) and a list of issues with concrete advice. A companion endpoint returns the raw file. The request is made server-side; private and internal targets are refused (SSRF-guarded). Built for security audits, vendor and third-party risk assessment, attack-surface reviews and vulnerability-disclosure-policy compliance checks. A security.txt parser and validator — distinct from the HTTP security-header grader (secheaders), the SSL/TLS certificate check (sslcheck) and host reachability (hostcheck). No upstream key, no cache.

api.oanor.com/securitytxt-api

Fetch any URL and analyse its HTTP response security headers — grading the site A+ to F the way securityheaders.com and Mozilla Observatory do. Pass a URL and the service makes the request server-side (following redirects), then reports which protective headers are present, which are missing (with concrete remediation advice) and which response headers leak information. Graded headers include Strict-Transport-Security (HSTS), Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy and Cross-Origin-Opener-Policy; information-leak headers include Server and X-Powered-By. A companion endpoint returns every raw response header. Private and internal targets are refused (SSRF-guarded). Built for security audits, CI/CD security gates, attack-surface reviews and compliance checks. A security-header grader — distinct from the SSL/TLS certificate check (sslcheck), host reachability (hostcheck), the IANA HTTP status-code reference (http) and the on-page SEO audit (seo). No upstream key, no cache.

api.oanor.com/secheaders-api

The official WordPress.org plugin and theme directory as an API — the registry behind the ~40% of the web that runs on WordPress. Look up any plugin or theme by its slug for its name, version, author, user rating and rating count, active-install count and total downloads, the WordPress and PHP versions it requires, last-updated date, homepage, support URL and direct download link; and search the directory by keyword (plugins or themes), with results ranked by active installs. Covers the 60,000+ free plugins and 13,000+ themes on WordPress.org, from WooCommerce, Yoast SEO and Elementor to Contact Form 7 and Jetpack. Live from the official api.wordpress.org. Ideal for WordPress dashboards and site managers, plugin/theme catalogs, compatibility and update tooling, and the WordPress developer ecosystem. Open data from WordPress.org.

api.oanor.com/wordpress-api