The Scan a Website API (POST /virus/scan/website) fetches the content at a
URL you provide and scans it for malware, phishing, and other threats. By
default it retrieves the target URL with a standard HTTP GET request.

Some endpoints you want to scan require more than a plain GET — for example, a
specific HTTP method, an authorization token, a tenant/routing header, or a
content-negotiation header. This feature lets you supply that outbound HTTP
method and any additional outbound headers directly on your request to the
Scan Website API, and Cloudmersive applies them to the outbound fetch.

Availability

• This feature is disabled by default and must be turned on by your
  administrator before it will take effect.
• It is available only on Cloudmersive Managed Instance and Private Cloud
  deployments. It is not available on the public multi-tenant API.
• When the feature is off, the API behaves exactly as it always has: the
  outbound fetch is a plain GET, and the headers described below are ignored.

How it works

When the feature is enabled, your administrator also configures an allow-list
of permitted outbound domains. The custom method and headers are applied
only when the host of the URL you are scanning is on that allow-list. This
protects against misdirecting credentials or unusual requests to unintended
hosts.

You control the outbound request by adding special headers to your call to the
Scan Website API:

• X-Cloudmersive-Outbound-Method — sets the HTTP method used to fetch the
  target URL.
• X-Cloudmersive-Outbound-Header-<Name> — adds an outbound header named
  <Name> with the value you provide. You can include as many of these as you
  need.

If the feature is not enabled, or the target URL's host is not on the
administrator's allow-list, these headers are simply ignored and the fetch is a
normal GET.

Setting the outbound method

Send the X-Cloudmersive-Outbound-Method header with one of the following
values (case-insensitive):

GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS

If the header is absent or the value is not one of the above, the outbound fetch
uses GET.

Adding outbound headers

For each header you want on the outbound fetch, send an inbound header whose name
is X-Cloudmersive-Outbound-Header- followed by the outbound header name.
Cloudmersive strips the X-Cloudmersive-Outbound-Header- prefix and forwards the
remainder as-is.

For example, to send an outbound header Authorization: Bearer abc123, include
this header on your request:

X-Cloudmersive-Outbound-Header-Authorization: Bearer abc123

To send an outbound header foo: bar, include:

X-Cloudmersive-Outbound-Header-foo: bar

A few header names are reserved for connection handling and are not
forwarded even if you specify them: Host, Content-Length, Connection, and
Transfer-Encoding.

Example request

Scanning https://api.bls.gov/... with a POST method and two custom outbound
headers:

POST /virus/scan/website HTTP/1.1
Host: <your-managed-instance-or-private-cloud-host>
Apikey: <your-api-key>
Content-Type: application/json
X-Cloudmersive-Outbound-Method: POST
X-Cloudmersive-Outbound-Header-Authorization: Bearer abc123
X-Cloudmersive-Outbound-Header-X-Tenant: contoso

{
  "Url": "https://api.bls.gov/..."
}

If api.bls.gov is on the administrator's allow-list, Cloudmersive fetches the
URL with an HTTP POST, including the headers Authorization: Bearer abc123 and
X-Tenant: contoso, then scans the response content and returns the usual
website scan result.