POST AI agent ready /v1/ssl-cert/certificate

SSL Certificate API - HTTPS Reachability & Security Headers

Makes an HTTPS GET to the target domain with a 10-second timeout, following redirects. Returns https_reachable, status_code, a map of security-relevant response headers (HSTS, CSP, X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Referrer-Policy, Permissions-Policy, Cache-Control, Server, X-Powered-By), and four boolean flags summarizing HSTS/CSP/X-Frame-Options/X-Content-Type-Options presence.

Parameters

domain (string, required)

Domain to probe over HTTPS (e.g., "github.com"). No scheme needed.

Code examples

curl -X POST https://api.botoi.com/v1/ssl-cert/certificate \
  -H "Content-Type: application/json" \
  -d '{"domain":"github.com"}'

When to use this API

Continuous security-header monitoring

Poll every production domain nightly and store the security_headers object. Alert on regressions, such as a site that had HSTS yesterday but returns hsts: false today. Catches accidental config drift early.
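The nightly comparison described above, as an added example (not Botoi's own code). It assumes each stored response is a flat object with `https_reachable`, `status_code`, `hsts` and `csp` keys; the function name `find_regressions` and the sample domains are constructed for illustration.

```python
# Added example: compare two nightly snapshots of stored API responses.
# Assumption: the boolean flags sit at the top level of each response.
FLAGS = ("hsts", "csp")  # flag names quoted on this page; extend once others are confirmed


def find_regressions(previous, current, flags=FLAGS):
    """Return (domain, kind, flag) alerts for two {domain: response} snapshots."""
    alerts = []
    for domain, now in sorted(current.items()):
        before = previous.get(domain)
        if not now.get("https_reachable", False):
            # An unreachable probe has status_code 0 and empty header maps,
            # so raise one outage alert instead of one alert per header.
            if before is None or before.get("https_reachable", False):
                alerts.append((domain, "unreachable", None))
            continue
        if before is None or not before.get("https_reachable", False):
            continue  # no reachable baseline to compare against
        for flag in flags:
            # Only a True -> not-True transition counts as a regression.
            if before.get(flag) is True and now.get(flag) is not True:
                alerts.append((domain, "header_lost", flag))
    return alerts


# Constructed sample snapshots (not real probe results).
YESTERDAY = {
    "app.example.com": {"https_reachable": True, "status_code": 200, "hsts": True, "csp": True},
    "docs.example.com": {"https_reachable": True, "status_code": 200, "hsts": True, "csp": False},
    "old.example.com": {"https_reachable": True, "status_code": 200, "hsts": True, "csp": True},
}
TODAY = {
    "app.example.com": {"https_reachable": True, "status_code": 200, "hsts": False, "csp": True},
    "docs.example.com": {"https_reachable": True, "status_code": 200, "hsts": True, "csp": False},
    "old.example.com": {"https_reachable": False, "status_code": 0},
}

if __name__ == "__main__":
    for alert in find_regressions(YESTERDAY, TODAY):
        print(alert)
```

A header that was already absent yesterday (`csp` on `docs.example.com`) is a standing finding, not a regression, so it produces no alert here.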

Vendor security due diligence

Before onboarding a new SaaS vendor, call this endpoint on their public URLs. A missing HSTS or CSP is an immediate red flag to raise in the security review.

Pre-deploy gate in CI

Fail the deploy if staging returns hsts: false or csp: false. Pair with unit tests to keep your security posture aligned with the headers your ops team defined.

Frequently asked questions

Does this endpoint parse the X.509 certificate chain?
No. Cloudflare Workers cannot expose raw TLS certificate bytes. For cert chain details (issuer, validity dates, days remaining) use /v1/ssl-cert/expiry, which queries Certificate Transparency logs.
What happens when the domain is not reachable over HTTPS?
The endpoint returns https_reachable: false with status_code 0 and empty header maps. No error is raised, so batch jobs can inspect the flag and continue.
Does the endpoint follow redirects?
Yes. Redirects are followed up to the standard fetch limit. The reported status_code and header set reflect the final response, so a 301 from http to https to www will surface the www response.
Which security headers are inspected?
Strict-Transport-Security, Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Referrer-Policy, Permissions-Policy, Cache-Control, Server, and X-Powered-By. The boolean flags summarize the four most impactful ones for quick scoring.

Get your API key

Free tier includes 5 requests per minute with no credit card required. Upgrade for higher limits.