Mercury · Cited Headers
GET /buy/headers
What it does
URL → a deterministic HTTP security-headers audit (HSTS, CSP, X-Frame, X-Content-Type, Referrer-Policy, Permissions-Policy + more) with a letter grade and concrete findings, wrapped in a signed, offline-verifiable provenance receipt. Keyless, no LLM, no signup.
The goal it serves: create provable point-in-time evidence — “it was up / it changed / it answered like this at time T” — for SLAs, change tracking and tamper-evident audit trails.
Schemas & output preview
Input schema — the exact request shape the route validates.
{
"type": "object",
"properties": {
"url": {
"type": "string",
"maxLength": 2048,
"description": "the page/endpoint to audit (http/https)"
}
},
"required": [
"url"
],
"additionalProperties": false
}
Output schema — the exact response shape the handler returns.
{
"type": "object",
"properties": {
"ok": {
"type": "boolean",
"description": "true on success; false on an honest failure (never charged for a stub)"
},
"url": {
"type": "string",
"description": "final URL after redirects"
},
"status": {
"type": "integer",
"description": "upstream HTTP status of the audited response"
},
"text": {
"type": "string",
"description": "canonical sorted-key JSON of `data` — the exact string the receipt signs over"
},
"fetchedAt": {
"type": "string",
"description": "ISO-8601 fetch time (provenance metadata)"
},
"data": {
"type": "object",
"description": "the deterministic security-headers verdict",
"properties": {
"grade": {
"type": "string",
"enum": [
"A",
"B",
"C",
"D",
"E",
"F"
]
},
"score": {
"type": "integer"
},
"maxScore": {
"type": "integer"
},
"percentage": {
"type": "integer"
},
"passed": {
"type": "integer"
},
"failed": {
"type": "integer"
},
"checks": {
"type": "array",
"items": {
"type": "object",
"properties": {
"header": {
"type": "string"
},
"label": {
"type": "string"
},
"present": {
"type": "boolean"
},
"pass": {
"type": "boolean"
},
"weight": {
"type": "integer"
},
"value": {
"type": [
"string",
"null"
]
},
"note": {
"type": "string"
}
}
}
},
"findings": {
"type": "array",
"items": {
"type": "object",
"properties": {
"header": {
"type": "string"
},
"severity": {
"type": "string",
"enum": [
"high",
"medium",
"low"
]
},
"remediate": {
"type": "string"
}
}
}
},
"serverBanner": {
"type": [
"string",
"null"
]
},
"rubric": {
"type": "string"
}
}
},
"error": {
"type": "string",
"description": "present only when ok:false"
}
},
"required": [
"ok",
"url"
],
"additionalProperties": true
}
Output preview — a real example response, shown free (you only pay when you call the route).
{
"ok": true,
"url": "https://example.com/",
"status": 200,
"text": "{\"checks\":[…],\"failed\":7,\"findings\":[…],\"grade\":\"F\",\"maxScore\":100,\"passed\":1,\"percentage\":10,\"rubric\":\"mercury-cited-headers-v1\",\"score\":10,\"serverBanner\":null}",
"fetchedAt": "2026-06-04T00:00:00.000Z",
"data": {
"grade": "F",
"score": 10,
"maxScore": 100,
"percentage": 10,
"passed": 1,
"failed": 7,
"checks": [
{
"header": "strict-transport-security",
"label": "HSTS",
"present": false,
"pass": false,
"weight": 20,
"value": null,
"note": "absent"
},
{
"header": "x-content-type-options",
"label": "X-Content-Type-Options",
"present": true,
"pass": true,
"weight": 10,
"value": "nosniff",
"note": "nosniff"
}
],
"findings": [
{
"header": "strict-transport-security",
"severity": "high",
"remediate": "Add `Strict-Transport-Security: max-age=31536000; includeSubDomains` to force HTTPS."
}
],
"serverBanner": null,
"rubric": "mercury-cited-headers-v1"
}
}
Pay & call
Your agent calls the route; the 402 challenge carries the exact price ($0.005, USDC on Base mainnet); the x402 client settles via the CDP facilitator and retries. No key, no signup.
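import { wrapFetchWithPayment } from "x402-fetch";
import { privateKeyToAccount } from "viem/accounts";
// Assumption: the payer's private key is supplied via a PRIVATE_KEY environment variable.
const account = privateKeyToAccount(process.env.PRIVATE_KEY); // viem account holding a little USDC on Base
const pay = wrapFetchWithPayment(fetch, account);
const res = await pay("https://network.mercury-hq.com/buy/headers?url=https://example.com");
const out = await res.json(); // the result + `attestation` (the signed receipt)
Prepaid alternative — the same route accepts an API key: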
# Same route, prepaid API-key rail (Bearer mk_live_…) — get a key at https://network.mercury-hq.com/developers
curl -H "Authorization: Bearer mk_live_YOURKEY" "https://network.mercury-hq.com/buy/headers?url=https://example.com"
Verify the receipt
Recover the EIP-191 signature over sha256(content)‖url‖status‖fetchedAt‖nonce and confirm the signer equals the pinned attestation key 0xACB40253BD71Bb9a5d491b2c6EFF755F2A33Fc75 (published at /.well-known/mercury-attestation). No callback to Mercury — the receipt verifies offline, forever. Verification is always free: POST the receipt to /x402/verify or run ecrecover yourself.
| Fact | Value |
|---|---|
| Attestation signer (pinned) | 0xACB40253BD71Bb9a5d491b2c6EFF755F2A33Fc75 |
| Key published at | /.well-known/mercury-attestation |
| Live verifier (free) | /x402/verify |
| Settlement | real USDC on Base mainnet (eip155:8453) via CDP — auditable on BaseScan |
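The receipt signs over `text`, not the parsed `data` object, so a consumer that acts on `data` should first confirm it canonicalizes to exactly that string. The following is an added example, not Mercury's code, and it does not replace the signature check against the pinned key. It assumes "canonical sorted-key JSON" means keys sorted at every nesting level with compact separators; `canonicalize` and `verdictFromSignedText` are hypothetical names.

```javascript
// Added example (not Mercury's code): bind the parsed `data` to the signed `text`.
// Assumption: "canonical sorted-key JSON" = keys sorted at every nesting level,
// compact separators, array order preserved.
function canonicalize(value) {
  if (Array.isArray(value)) return "[" + value.map(canonicalize).join(",") + "]";
  if (value !== null && typeof value === "object") {
    const members = Object.keys(value)
      .sort()
      .map((k) => JSON.stringify(k) + ":" + canonicalize(value[k]));
    return "{" + members.join(",") + "}";
  }
  return JSON.stringify(value); // string, number, boolean or null
}

// Returns the verdict parsed from `text`, the only part the receipt covers.
// Throws if `data` carries anything that `text` does not.
function verdictFromSignedText(response) {
  if (response.ok !== true || typeof response.text !== "string") {
    throw new Error("no successful result with a signed text");
  }
  const signed = JSON.parse(response.text);
  if (canonicalize(signed) !== response.text) {
    throw new Error("text is not in canonical form");
  }
  if (canonicalize(response.data) !== response.text) {
    throw new Error("data differs from the signed text");
  }
  return signed;
}

// Constructed sample response (shortened; not real service output).
const sampleData = {
  grade: "F", score: 10, maxScore: 100, percentage: 10, passed: 1, failed: 7,
  checks: [{ header: "x-content-type-options", label: "X-Content-Type-Options",
             present: true, pass: true, weight: 10, value: "nosniff", note: "nosniff" }],
  findings: [], serverBanner: null, rubric: "mercury-cited-headers-v1",
};
const sample = {
  ok: true, url: "https://example.com/", status: 200,
  fetchedAt: "2026-06-04T00:00:00.000Z",
  data: sampleData, text: canonicalize(sampleData),
};

console.log(verdictFromSignedText(sample).grade);
```

A response whose `data` was altered after signing, or whose `text` is not in sorted-key form, is rejected before any grade is read from it.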
Related
Cited Availability ($0.005)
Cited Redirect ($0.005)
More: all services · /catalog · the headline web-fetch · agent twin of this page: GET /university/docs/cited-headers?format=md