Pricing

$1.00 / 1,000 url scans

Go to Apify Store

HTTP Security Headers Analyzer

Try for free

Audit HTTP response headers (CSP, HSTS, X-Frame-Options) to verify web application security and compliance standards.

Pricing

$1.00 / 1,000 url scans

Rating

0.0

(0)

Developer

Andok

Actor stats

Bookmarked

Total users

Monthly active users

19 days ago

Last modified

Security Headers Analyzer

Audit HTTP security headers against OWASP best practices across hundreds of URLs in a single run. Missing headers like HSTS, CSP, and X-Frame-Options are the most common findings in penetration tests — yet most teams only discover them after an incident. Scan your entire domain inventory in minutes with automatic grading from A to F.

Features

OWASP header checks — validates HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP, CORP, and COEP
Automatic grading — assigns a score (0-100) and letter grade (A-F) based on header coverage and configuration quality
Actionable warnings — flags weak configurations like unsafe-inline in CSP or missing max-age in HSTS
Bulk processing — scan hundreds of URLs concurrently in a single run
Redirect-aware — optionally follows redirects and reports the full redirect chain
Flexible HTTP method — use HEAD for speed or GET for servers that block HEAD requests

Input

Field	Type	Required	Default	Description
`urls`	`array`	No	`["https://google.com"]`	List of URLs to analyze for security headers
`url`	`string`	No	—	Single URL to analyze (use `urls` for bulk scanning)
`method`	`string`	No	`HEAD`	HTTP method to use. HEAD is faster; switch to GET if a server blocks HEAD requests
`followRedirects`	`boolean`	No	`true`	Whether to follow HTTP redirects before analyzing headers
`maxRedirects`	`integer`	No	`5`	Maximum number of redirects to follow per URL (0-20)
`timeoutSeconds`	`integer`	No	`15`	Request timeout per URL in seconds (1-120)
`concurrency`	`integer`	No	`5`	Number of URLs to process in parallel (1-25)

Input Example

{
  "urls": [
    "https://google.com",
    "https://github.com",
    "https://example.com"
  ],
  "method": "HEAD",
  "followRedirects": true,
  "concurrency": 10
}

Output

Each URL produces one dataset record containing the security grade, score, list of missing and misconfigured headers, and all response headers for reference.

Key output fields:

inputUrl (string) — the URL as submitted
finalUrl (string) — the URL after redirects (if followed)
status (number) — HTTP status code
grade (string) — letter grade from A (excellent) to F (critical gaps)
score (number) — numeric score from 0 to 100
missing (array) — list of required headers that are absent
warnings (array) — list of configuration issues found
headers (object) — all response headers (lower-cased keys)
redirects (array) — redirect chain traversed
checkedAt (string) — ISO 8601 timestamp

Output Example

{
  "inputUrl": "https://github.com",
  "finalUrl": "https://github.com/",
  "status": 200,
  "grade": "B",
  "score": 80,
  "missing": [
    "Referrer-Policy"
  ],
  "warnings": [
    "Missing Permissions-Policy.",
    "Missing Cross-Origin-Opener-Policy (COOP).",
    "Missing Cross-Origin-Resource-Policy (CORP).",
    "Missing Cross-Origin-Embedder-Policy (COEP)."
  ],
  "headers": {
    "strict-transport-security": "max-age=31536000; includeSubdomains; preload",
    "content-security-policy": "default-src 'none'; base-uri 'self'; ...",
    "x-frame-options": "deny",
    "x-content-type-options": "nosniff"
  },
  "redirects": ["https://github.com/"],
  "checkedAt": "2026-03-09T12:00:00.000Z"
}

Pricing

Event	Cost
URL Scan	$0.001

Pay only for URLs successfully scanned. Respects your per-run spending limit.

Use Cases

Penetration test prep — pre-scan client domains to identify missing security headers before a full engagement
Compliance audits — verify OWASP header requirements across all production endpoints for SOC 2 or ISO 27001
DevOps CI/CD checks — schedule regular scans to catch header regressions after deployments
Agency security reports — generate client-ready security grades for website portfolios
M&A due diligence — quickly assess the security posture of acquisition targets

Actor	What it adds
SSL Cipher Checker	Audit TLS cipher suites and protocol versions alongside header analysis
SSL Certificate Monitor	Monitor certificate expiry dates to complement header-level security checks
Tech Stack Analyzer	Identify the CMS, frameworks, and CDNs behind each scanned URL

Security Headers Checker

pillowy_travel/security-headers-checker

Analyze HTTP security headers of websites and generate a security score. Detect missing headers like CSP, HSTS, X-Frame-Options, and more. Perfect for web security audits, vulnerability checks, learning, and automated monitoring.

SAHIL KUMAR

Security Headers Checker - Audit CSP, HSTS, XFO and more

scrappy_garden/security-headers-checker

Check common HTTP security headers for one or more URLs (Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP/COEP/CORP). Useful for quick security hardening audits.

Bikram Adhikari

HTTP Headers Security Checker

automation-lab/http-headers-security-checker

This actor checks 12 HTTP security headers for any list of websites and produces a security grade with actionable findings. It identifies missing headers, weak configurations, and provides specific recommendations. Use it for security audits, compliance checks, or monitoring your web...

Stas Persiianenko

Http Header Inspector

zerobreak/http-header-inspector

HTTP header inspector that pulls response headers from any URL, scores them for security gaps, and flags missing CSP, HSTS, and X-Frame-Options, so teams can audit caching, redirects, and server config without running curl.

ZeroBreak

Website Security & Vulnerability Audit

smart-digital/website-security-vulnerability-audit

Automated security and vulnerability audit for websites. Detects WordPress plugin vulnerabilities, checks for updates, analyzes SSL/TLS, security headers, and CMS security

My Smart Digital

5.0

Security Headers Checker API | OWASP Audit

taroyamada/security-headers-checker

Audit OWASP security headers in bulk, grade each site, and monitor header drift across client or product portfolios.

太郎山田

Fast HTML Fetcher

rixin/fast-html-fetcher

From $0.2/1k reqs. Fast HTTP fetcher that returns raw HTML content, HTTP status codes, and response headers for any URL. Supports custom headers, user agent, proxy, redirect control, and SSL bypass. Perfect for web monitoring, content extraction, and API testing.

Rixin Sc

X-Frame-Options Header Checker - Prevent clickjacking

scrappy_garden/x-frame-options-header-checker

Fetches URLs and validates the X-Frame-Options response header (DENY/SAMEORIGIN). Flags missing/invalid/deprecated values and also detects CSP frame-ancestors. Outputs per-URL results plus SUMMARY and REPORT.

Bikram Adhikari

CORS Policy Checker - Audit Access-Control-* headers

scrappy_garden/cors-policy-checker

Check CORS response headers (Access-Control-Allow-Origin, -Credentials, -Methods, -Headers, -Expose-Headers, -Max-Age, Vary: Origin) for one or more URLs. Optionally performs a preflight OPTIONS check. Useful for debugging browser/API integrations and spotting risky CORS misconfigurations.

Bikram Adhikari

HSTS Header Checker - Strict-Transport-Security audit

scrappy_garden/hsts-header-checker

Fetches URLs and validates the Strict-Transport-Security (HSTS) response header. Parses directives (max-age/includeSubDomains/preload), flags missing/invalid configuration, and checks common best practices. Outputs per-URL results plus SUMMARY and REPORT.

Bikram Adhikari