# Security Headers Checker — OWASP Audit & Grading (`accurate_pouch/security-headers`) Actor

Audit 12 HTTP security headers (HSTS, CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy, COOP, CORP, COEP). A-F grading, actionable recommendations. 5 URLs free.

- **URL**: https://apify.com/accurate_pouch/security-headers.md
- **Developed by:** [Manchitt Sanan](https://apify.com/accurate_pouch) (community)
- **Categories:** Developer tools, SEO tools
- **Stats:** 1 total users, 0 monthly users, 0.0% runs succeeded
- **User rating**: No ratings yet

## Pricing

Pay per usage

This Actor is paid per platform usage. The Actor is free to use, and you only pay for the Apify platform usage, which gets cheaper the higher subscription plan you have.

Learn more: https://docs.apify.com/platform/actors/running/actors-in-store#pay-per-usage

## What's an Apify Actor?

Actors are software tools running on the Apify platform for all kinds of web data extraction and automation use cases.
In Batch mode, an Actor accepts a well-defined JSON input, performs an action which can take anything from a few seconds to a few hours,
and optionally produces a well-defined JSON output, datasets with results, or files in key-value store.
In Standby mode, an Actor provides a web server which can be used as a website, API, or an MCP server.
Actors are written with capital "A".

## How to integrate an Actor?

If asked about integration, you help developers integrate Actors into their projects.
You adapt to their stack and deliver integrations that are safe, well-documented, and production-ready.
The best way to integrate Actors is as follows.

In JavaScript/TypeScript projects, use official [JavaScript/TypeScript client](https://docs.apify.com/api/client/js.md):

```bash
npm install apify-client
```

In Python projects, use official [Python client library](https://docs.apify.com/api/client/python.md):

```bash
pip install apify-client
```

In shell scripts, use [Apify CLI](https://docs.apify.com/cli/docs.md):

```bash
# MacOS / Linux
curl -fsSL https://apify.com/install-cli.sh | bash
# Windows
irm https://apify.com/install-cli.ps1 | iex
```

In AI frameworks, you might use the [Apify MCP server](https://docs.apify.com/platform/integrations/mcp.md).

If your project is in a different language, use the [REST API](https://docs.apify.com/api/v2.md).

For usage examples, see the [API](#api) section below.

For more details, see Apify documentation as [Markdown index](https://docs.apify.com/llms.txt) and [Markdown full-text](https://docs.apify.com/llms-full.txt).


# README

## Security Headers Checker — OWASP Audit & Grading

Audit 12 HTTP security headers in bulk. Get an A-F security grade per URL with weighted scoring, actionable recommendations, and webhook alerts for failing sites. 5 URLs free.

---

### What it checks

| Header | Weight | What it prevents |
|--------|--------|-----------------|
| Strict-Transport-Security (HSTS) | 15% | Downgrade attacks, SSL stripping |
| Content-Security-Policy (CSP) | 15% | XSS, code injection |
| X-Content-Type-Options | 10% | MIME type sniffing |
| X-Frame-Options | 10% | Clickjacking |
| Referrer-Policy | 10% | Information leakage |
| Permissions-Policy | 10% | Unauthorized feature access (camera, mic, location) |
| X-XSS-Protection | 5% | Legacy browser XSS filter (deprecated; OWASP advises setting it to `0` and relying on CSP) |
| Cross-Origin-Opener-Policy | 5% | Cross-origin window references (tabnabbing, XS-Leaks via `window.opener`) |
| Cross-Origin-Resource-Policy | 5% | Unauthorized cross-origin loading of your resources |
| Cross-Origin-Embedder-Policy | 5% | Spectre-class side-channel attacks (with COOP, enables cross-origin isolation) |
| Cache-Control | 5% | Sensitive data caching |
| X-Permitted-Cross-Domain-Policies | 5% | Flash/PDF cross-domain access |

---

### Grading

| Grade | Score | Meaning |
|-------|-------|---------|
| A+ | 95-100 | Excellent — all critical headers present and configured |
| A | 85-94 | Good — minor improvements possible |
| B | 70-84 | Acceptable — some headers missing |
| C | 50-69 | Needs work — several security gaps |
| D | 30-49 | Poor — significant exposure |
| F | 0-29 | Failing — critical headers missing |
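
The two tables above are enough to reproduce the scoring locally, which is useful for checking a staging server before it is reachable from the cloud or for reviewing a single response in a pentest. The following Python is an added example, not the Actor's code: the weights and grade bands are the documented ones, but the per-header pass/warn/fail criteria (HSTS at least one year with `includeSubDomains`, CSP without `'unsafe-inline'`/`'unsafe-eval'`, `X-Frame-Options` satisfied by a CSP `frame-ancestors` directive, `X-XSS-Protection` passing when absent or `0`, `Cache-Control` needing `no-store`) and the credit per status (pass = 1, warn = 0.5, fail = 0) are this example's assumptions. The sample headers are constructed, not a real capture.

```python
"""Weighted header audit in the Actor's output shape. Weights and grade bands are the
ones documented above; the per-header pass/warn/fail criteria and the credit per status
(pass=1, warn=0.5, fail=0) are this example's own assumptions, not the Actor's code."""
import re

# Header -> weight, as in the "What it checks" table (sums to 100).
WEIGHTS = {
    "strict-transport-security": 15, "content-security-policy": 15, "x-content-type-options": 10,
    "x-frame-options": 10, "referrer-policy": 10, "permissions-policy": 10,
    "x-xss-protection": 5, "cross-origin-opener-policy": 5, "cross-origin-resource-policy": 5,
    "cross-origin-embedder-policy": 5, "cache-control": 5, "x-permitted-cross-domain-policies": 5,
}
# (lower bound, grade) from the "Grading" table, checked top-down.
GRADE_BANDS = [(95, "A+"), (85, "A"), (70, "B"), (50, "C"), (30, "D"), (0, "F")]
CREDIT = {"pass": 1.0, "warn": 0.5, "fail": 0.0}
OK = "Present and correctly configured"

# Headers that pass when their value (the last one, for comma-separated fallback lists) is in the set.
ACCEPTED = {
    "x-content-type-options": ({"nosniff"}, "Set X-Content-Type-Options: nosniff"),
    "referrer-policy": ({"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"},
                        "Use a strict Referrer-Policy such as strict-origin-when-cross-origin"),
    "cross-origin-opener-policy": ({"same-origin", "same-origin-allow-popups"},
                                   "Set Cross-Origin-Opener-Policy: same-origin"),
    "cross-origin-resource-policy": ({"same-origin", "same-site"}, "Set Cross-Origin-Resource-Policy: same-origin"),
    "cross-origin-embedder-policy": ({"require-corp", "credentialless"}, "Set Cross-Origin-Embedder-Policy: require-corp"),
    "x-permitted-cross-domain-policies": ({"none"}, "Set X-Permitted-Cross-Domain-Policies: none"),
}


def check(name, value, headers):
    """Return (status, recommendation) for one header; value is None when the header is absent."""
    v = None if value is None else value.strip().lower()
    missing_or_weak = "fail" if v is None else "warn"
    if name in ACCEPTED:
        accepted, advice = ACCEPTED[name]
        last = v.split(",")[-1].strip() if v else v
        return ("pass", OK) if last in accepted else (missing_or_weak, advice)
    if name == "strict-transport-security":
        m = re.search(r"max-age=(\d+)", v or "")
        if m and int(m.group(1)) >= 31536000 and "includesubdomains" in v:
            return "pass", OK
        return missing_or_weak, "Set Strict-Transport-Security: max-age=31536000; includeSubDomains"
    if name == "content-security-policy":
        if v is None:
            return "fail", "Add Content-Security-Policy header. Start with: default-src 'self'; script-src 'self'"
        if "'unsafe-inline'" in v or "'unsafe-eval'" in v:
            return "warn", "Remove 'unsafe-inline'/'unsafe-eval'; use nonces or hashes instead"
        return "pass", OK
    if name == "x-frame-options":
        if v in ("deny", "sameorigin"):
            return "pass", OK
        if "frame-ancestors" in (headers.get("content-security-policy") or "").lower():
            return "pass", "Covered by CSP frame-ancestors, which supersedes X-Frame-Options"
        return missing_or_weak, "Set X-Frame-Options: DENY or CSP frame-ancestors 'none'"
    if name == "permissions-policy":
        return ("pass", OK) if v else ("fail", "Add Permissions-Policy, e.g. camera=(), microphone=(), geolocation=()")
    if name == "x-xss-protection":
        # Deprecated filter: OWASP advises disabling it ("0") and relying on CSP, so absent passes too (assumption).
        if v in (None, "0"):
            return "pass", "Legacy filter disabled or absent; rely on CSP"
        return "warn", "Set X-XSS-Protection: 0; the legacy filter can itself be abused for cross-site leaks"
    if name == "cache-control":
        if v and "no-store" in v:
            return "pass", OK
        return missing_or_weak, "Use Cache-Control: no-store on responses that carry sensitive data"
    raise ValueError(f"no check for {name}")


def audit(url, raw_headers):
    """Score one response's headers (names matched case-insensitively) and grade it."""
    headers = {k.lower(): val for k, val in raw_headers.items()}
    results, score = [], 0.0
    for name, weight in WEIGHTS.items():
        value = headers.get(name)
        status, rec = check(name, value, headers)
        score += weight * CREDIT[status]
        results.append({"header": name, "present": value is not None, "value": value,
                        "status": status, "recommendation": rec, "weight": weight})
    score = int(round(score))
    grade = next(g for floor, g in GRADE_BANDS if score >= floor)
    n = {s: sum(1 for r in results if r["status"] == s) for s in CREDIT}
    return {"url": url, "grade": grade, "score": score, "headers": results,
            "summary": {"passed": n["pass"], "warnings": n["warn"], "failed": n["fail"], "total": len(results)},
            "status": "success"}


# Constructed sample response headers (not a real capture): strong HSTS, weak CSP, several headers missing.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer-when-downgrade, strict-origin-when-cross-origin",
    "X-XSS-Protection": "1; mode=block",
    "Cache-Control": "no-store",
}

if __name__ == "__main__":
    print(audit("https://example.com", SAMPLE_HEADERS))  # sample scores exactly 50, the C/D boundary
```

The sample lands on 50 points, the lower edge of C: two half-credit warnings (CSP with `'unsafe-inline'`, the legacy XSS filter left on) and six absent headers cost as much as the four correct ones earn. Note that the weights reward presence, so a site with an over-permissive CSP still outscores one with none; treat the grade as a triage signal and read the per-header recommendations before calling a site hardened.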

---

### Quick start

```json
{
    "urls": ["https://google.com", "https://github.com"]
}
````

***

### Input

| Field | Type | Default | Description |
|-------|------|---------|-------------|
| `urls` | array | *(required)* | URLs to audit |
| `timeout` | integer | `10000` | Request timeout in ms |
| `webhookUrl` | string | *(optional)* | POST alert when any site gets D or F grade |
| `dryRun` | boolean | `false` | Audit without charges |

***

### Output

```json
{
    "url": "https://example.com",
    "grade": "C",
    "score": 55,
    "headers": [
        {
            "header": "strict-transport-security",
            "present": true,
            "value": "max-age=31536000; includeSubDomains",
            "status": "pass",
            "recommendation": "Present and correctly configured",
            "weight": 15
        },
        {
            "header": "content-security-policy",
            "present": false,
            "value": null,
            "status": "fail",
            "recommendation": "Add Content-Security-Policy header. Start with: default-src 'self'; script-src 'self'",
            "weight": 15
        }
    ],
    "summary": { "passed": 5, "warnings": 3, "failed": 4, "total": 12 },
    "status": "success"
}
```

***

### Pricing

**$0.003 per URL checked** (pay-per-event pricing).

- Errors and dry runs are never charged.
- 100 URLs = $0.30

***

### Related Tools by manchittlab

- **[SSL Monitor](https://apify.com/accurate_pouch/ssl-monitor)** — Bulk SSL certificate expiry monitoring and chain validation.
- **[Broken Link Checker](https://apify.com/accurate_pouch/broken-link-checker)** — Recursively crawl your website and find every broken link.
- **[Lighthouse Auditor](https://apify.com/accurate_pouch/lighthouse-auditor)** — Batch Lighthouse audits for performance, SEO, and Core Web Vitals.
- **[Email Validator Pro](https://apify.com/accurate_pouch/email-validator)** — Bulk email validation with SMTP check and deliverability scoring.
- **[Domain Age Checker](https://apify.com/accurate_pouch/domain-age-checker)** — Bulk RDAP domain age and registration lookup.
- **[Google Sheets Reader & Writer](https://apify.com/accurate_pouch/google-sheets-rw)** — Read any Google Sheet to JSON or append rows.

***

### Run on Apify

[![Run on Apify](https://apify.com/static/run-on-apify.svg)](https://apify.com/accurate_pouch/security-headers)

No setup needed. Click above to run in the cloud. $0.003 per URL checked.

# Actor input Schema

## `urls` (type: `array`):

List of URLs to check security headers for.

## `timeout` (type: `integer`):

Timeout per HTTP request.

## `webhookUrl` (type: `string`):

POST alert to this URL if any site gets a D or F grade.

## `dryRun` (type: `boolean`):

Check headers but don't charge.

## Actor input object example

```json
{
  "urls": [
    "https://google.com",
    "https://github.com"
  ],
  "timeout": 10000,
  "dryRun": false
}
```

# API

You can run this Actor programmatically using our API. Below are code examples in JavaScript, Python, and CLI, as well as the OpenAPI specification and MCP server setup.

## JavaScript example

```javascript
import { ApifyClient } from 'apify-client';

// Initialize the ApifyClient with your Apify API token
// Replace the '<YOUR_API_TOKEN>' with your token
const client = new ApifyClient({
    token: '<YOUR_API_TOKEN>',
});

// Prepare Actor input
const input = {
    "urls": [
        "https://google.com",
        "https://github.com"
    ]
};

// Run the Actor and wait for it to finish
const run = await client.actor("accurate_pouch/security-headers").call(input);

// Fetch and print Actor results from the run's dataset (if any)
console.log('Results from dataset');
console.log(`💾 Check your data here: https://console.apify.com/storage/datasets/${run.defaultDatasetId}`);
const { items } = await client.dataset(run.defaultDatasetId).listItems();
items.forEach((item) => {
    console.dir(item);
});

// 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/js/docs

```

## Python example

```python
from apify_client import ApifyClient

# Initialize the ApifyClient with your Apify API token
# Replace '<YOUR_API_TOKEN>' with your token.
client = ApifyClient("<YOUR_API_TOKEN>")

# Prepare the Actor input
run_input = { "urls": [
        "https://google.com",
        "https://github.com",
    ] }

# Run the Actor and wait for it to finish
run = client.actor("accurate_pouch/security-headers").call(run_input=run_input)

# Fetch and print Actor results from the run's dataset (if there are any)
print("💾 Check your data here: https://console.apify.com/storage/datasets/" + run["defaultDatasetId"])
for item in client.dataset(run["defaultDatasetId"]).iterate_items():
    print(item)

# 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/python/docs/quick-start

```
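The client example above prints every dataset item; in practice you want the run to fail a CI job when a site grades too low. The following Python is an added example, not the Actor's code: it sends the full documented input (`timeout`, `dryRun`, optional `webhookUrl`), reads the token from an environment variable rather than the source, and gates on the documented `grade` and `status` fields. The sample items are constructed; the item with `"status": "error"` is an assumed shape for a URL that could not be audited, since the page only documents the `"success"` case.

```python
"""CI gate over the Actor's dataset items: fail the build when any URL grades below a
threshold. Added example, not the Actor's own code; it assumes the documented output
shape and that a URL that could not be audited carries a "status" other than "success"."""
import os
import sys

GRADE_ORDER = ["F", "D", "C", "B", "A", "A+"]  # worst to best, from the Grading table


def grade_at_least(grade, minimum):
    """True when `grade` is `minimum` or better; unknown or missing grades never pass."""
    if grade not in GRADE_ORDER:
        return False
    return GRADE_ORDER.index(grade) >= GRADE_ORDER.index(minimum)


def gate(items, minimum="B"):
    """Split dataset items into (passing, failing); items that did not audit cleanly fail."""
    passing, failing = [], []
    for item in items:
        ok = item.get("status") == "success" and grade_at_least(item.get("grade"), minimum)
        (passing if ok else failing).append(item)
    return passing, failing


def report(item):
    """Human-readable lines: URL and grade, then every non-passing header with its recommendation."""
    lines = [f"{item.get('url')}: grade {item.get('grade')} (score {item.get('score')})"]
    if item.get("status") != "success":
        lines.append(f"  audit did not complete: status={item.get('status')}")
    for h in item.get("headers", []):
        if h.get("status") != "pass":
            lines.append(f"  [{h['status']}] {h['header']} (weight {h['weight']}): {h['recommendation']}")
    return "\n".join(lines)


def run_audit(urls, token, timeout=10000, dry_run=False, webhook_url=None):
    """Run the Actor with the full documented input and return its dataset items (needs network)."""
    from apify_client import ApifyClient  # imported here so the gate logic stays importable offline
    run_input = {"urls": urls, "timeout": timeout, "dryRun": dry_run}
    if webhook_url:
        run_input["webhookUrl"] = webhook_url
    client = ApifyClient(token)
    run = client.actor("accurate_pouch/security-headers").call(run_input=run_input)
    return list(client.dataset(run["defaultDatasetId"]).iterate_items())


# Constructed sample items in the documented output shape (not a real run).
SAMPLE_ITEMS = [
    {"url": "https://a.example", "grade": "A", "score": 90, "status": "success", "headers": [
        {"header": "cache-control", "present": False, "value": None, "status": "warn",
         "recommendation": "Use Cache-Control: no-store on sensitive responses", "weight": 5}]},
    {"url": "https://b.example", "grade": "D", "score": 40, "status": "success", "headers": [
        {"header": "content-security-policy", "present": False, "value": None, "status": "fail",
         "recommendation": "Add Content-Security-Policy header. Start with: default-src 'self'; script-src 'self'",
         "weight": 15}]},
    {"url": "https://c.example", "status": "error"},  # assumed shape for a URL that could not be audited
]

if __name__ == "__main__":
    # Usage: APIFY_TOKEN=... python gate.py https://site1 https://site2  (falls back to the sample offline)
    token = os.environ.get("APIFY_TOKEN")  # never hard-code the token; it grants access to your Apify account
    items = run_audit(sys.argv[1:], token) if token and sys.argv[1:] else SAMPLE_ITEMS
    passing, failing = gate(items, minimum="B")
    for item in failing:
        print(report(item))
    print(f"{len(passing)} passing, {len(failing)} failing")
    sys.exit(1 if failing else 0)
```

Treating a non-`success` item as failing is deliberate: a timeout or connection error tells you nothing about the headers, and a gate that silently passes unreachable hosts would let a misconfigured deployment through. Pass `dry_run=True` while tuning the threshold so test runs are not billed.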

## CLI example

```bash
echo '{
  "urls": [
    "https://google.com",
    "https://github.com"
  ]
}' |
apify call accurate_pouch/security-headers --silent --output-dataset

```

## MCP server setup

```json
{
    "mcpServers": {
        "apify": {
            "command": "npx",
            "args": [
                "mcp-remote",
                "https://mcp.apify.com/?tools=accurate_pouch/security-headers",
                "--header",
                "Authorization: Bearer <YOUR_API_TOKEN>"
            ]
        }
    }
}

```

## OpenAPI specification

```json
{
    "openapi": "3.0.1",
    "info": {
        "title": "Security Headers Checker — OWASP Audit & Grading",
        "description": "Audit 12 HTTP security headers (HSTS, CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy, COOP, CORP, COEP). A-F grading, actionable recommendations. 5 URLs free.",
        "version": "0.1",
        "x-build-id": "v0Xyagf5aZ5LiJb4A"
    },
    "servers": [
        {
            "url": "https://api.apify.com/v2"
        }
    ],
    "paths": {
        "/acts/accurate_pouch~security-headers/run-sync-get-dataset-items": {
            "post": {
                "operationId": "run-sync-get-dataset-items-accurate_pouch-security-headers",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK"
                    }
                }
            }
        },
        "/acts/accurate_pouch~security-headers/runs": {
            "post": {
                "operationId": "runs-sync-accurate_pouch-security-headers",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor and returns information about the initiated run in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK",
                        "content": {
                            "application/json": {
                                "schema": {
                                    "$ref": "#/components/schemas/runsResponseSchema"
                                }
                            }
                        }
                    }
                }
            }
        },
        "/acts/accurate_pouch~security-headers/run-sync": {
            "post": {
                "operationId": "run-sync-accurate_pouch-security-headers",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK"
                    }
                }
            }
        }
    },
    "components": {
        "schemas": {
            "inputSchema": {
                "type": "object",
                "required": [
                    "urls"
                ],
                "properties": {
                    "urls": {
                        "title": "URLs",
                        "type": "array",
                        "description": "List of URLs to check security headers for.",
                        "items": {
                            "type": "string"
                        }
                    },
                    "timeout": {
                        "title": "Request Timeout (ms)",
                        "minimum": 3000,
                        "maximum": 30000,
                        "type": "integer",
                        "description": "Timeout per HTTP request.",
                        "default": 10000
                    },
                    "webhookUrl": {
                        "title": "Webhook URL (failing grades)",
                        "type": "string",
                        "description": "POST alert to this URL if any site gets a D or F grade."
                    },
                    "dryRun": {
                        "title": "Dry Run",
                        "type": "boolean",
                        "description": "Check headers but don't charge.",
                        "default": false
                    }
                }
            },
            "runsResponseSchema": {
                "type": "object",
                "properties": {
                    "data": {
                        "type": "object",
                        "properties": {
                            "id": {
                                "type": "string"
                            },
                            "actId": {
                                "type": "string"
                            },
                            "userId": {
                                "type": "string"
                            },
                            "startedAt": {
                                "type": "string",
                                "format": "date-time",
                                "example": "2025-01-08T00:00:00.000Z"
                            },
                            "finishedAt": {
                                "type": "string",
                                "format": "date-time",
                                "example": "2025-01-08T00:00:00.000Z"
                            },
                            "status": {
                                "type": "string",
                                "example": "READY"
                            },
                            "meta": {
                                "type": "object",
                                "properties": {
                                    "origin": {
                                        "type": "string",
                                        "example": "API"
                                    },
                                    "userAgent": {
                                        "type": "string"
                                    }
                                }
                            },
                            "stats": {
                                "type": "object",
                                "properties": {
                                    "inputBodyLen": {
                                        "type": "integer",
                                        "example": 2000
                                    },
                                    "rebootCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "restartCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "resurrectCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "computeUnits": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            },
                            "options": {
                                "type": "object",
                                "properties": {
                                    "build": {
                                        "type": "string",
                                        "example": "latest"
                                    },
                                    "timeoutSecs": {
                                        "type": "integer",
                                        "example": 300
                                    },
                                    "memoryMbytes": {
                                        "type": "integer",
                                        "example": 1024
                                    },
                                    "diskMbytes": {
                                        "type": "integer",
                                        "example": 2048
                                    }
                                }
                            },
                            "buildId": {
                                "type": "string"
                            },
                            "defaultKeyValueStoreId": {
                                "type": "string"
                            },
                            "defaultDatasetId": {
                                "type": "string"
                            },
                            "defaultRequestQueueId": {
                                "type": "string"
                            },
                            "buildNumber": {
                                "type": "string",
                                "example": "1.0.0"
                            },
                            "containerUrl": {
                                "type": "string"
                            },
                            "usage": {
                                "type": "object",
                                "properties": {
                                    "ACTOR_COMPUTE_UNITS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_WRITES": {
                                        "type": "integer",
                                        "example": 1
                                    },
                                    "KEY_VALUE_STORE_LISTS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_INTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_EXTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_RESIDENTIAL_TRANSFER_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_SERPS": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            },
                            "usageTotalUsd": {
                                "type": "number",
                                "example": 0.00005
                            },
                            "usageUsd": {
                                "type": "object",
                                "properties": {
                                    "ACTOR_COMPUTE_UNITS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_WRITES": {
                                        "type": "number",
                                        "example": 0.00005
                                    },
                                    "KEY_VALUE_STORE_LISTS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_INTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_EXTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_RESIDENTIAL_TRANSFER_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_SERPS": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}
```
