HTTP Headers Security Checker

Analyze HTTP security headers for any website. Returns a security grade (A+ to F) with detailed checks for HSTS, CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy, and more.

What does HTTP Headers Security Checker do?

This actor checks 12 HTTP security headers for any list of websites and produces a security grade with actionable findings. It identifies missing headers, weak configurations, and provides specific recommendations. Use it for security audits, compliance checks, or monitoring your web infrastructure.

Each website receives a score from 0 to 100 and a letter grade from A+ to F, along with detailed per-header analysis showing what is present, what is missing, and what needs improvement.

Headers checked

Header	Weight	Why it matters
Strict-Transport-Security (HSTS)	High	Enforces HTTPS connections
Content-Security-Policy (CSP)	High	Prevents XSS and injection attacks
X-Frame-Options	Medium	Prevents clickjacking
X-Content-Type-Options	Medium	Prevents MIME-sniffing
Referrer-Policy	Medium	Controls referrer information leakage
Permissions-Policy	Medium	Restricts browser feature access
X-XSS-Protection	Low	Legacy XSS filter (deprecated but still useful)
Cross-Origin-Opener-Policy	Low	Isolates browsing context
Cross-Origin-Resource-Policy	Low	Controls cross-origin resource sharing
Cross-Origin-Embedder-Policy	Low	Controls cross-origin embedding
X-DNS-Prefetch-Control	Low	Controls DNS prefetching
X-Permitted-Cross-Domain-Policies	Low	Controls Flash/PDF cross-domain access

Use cases

• Security audits -- check your websites against OWASP security header recommendations and identify gaps
• Compliance monitoring -- verify security headers meet policy requirements for PCI-DSS, SOC 2, or internal standards
• Competitive analysis -- compare security posture across competitors to benchmark your own configuration
• CI/CD integration -- automate header checks in deployment pipelines to catch regressions before production
• Vulnerability assessment -- identify low-hanging security improvements that can be fixed with simple header additions

Why use HTTP Headers Security Checker?

• Comprehensive coverage -- checks 12 security headers with weighted scoring that reflects real-world importance
• Actionable grades -- A+ to F grading makes it easy to prioritize which sites need attention
• Structured output -- every check includes severity level, current value, and specific improvement recommendations
• Batch processing -- scan hundreds of websites in a single run to audit your entire web portfolio
• API access -- integrate header monitoring into security dashboards, CI/CD pipelines, or GRC platforms
• Pay-per-event pricing -- only pay per website checked with no monthly fees

Input parameters

Parameter	Type	Required	Default	Description
urls	array	Yes	--	List of websites to check. Domain names without protocol are auto-prefixed with https://.

Example input

{
    "urls": ["apify.com", "google.com", "github.com"]
}

Output example

{
    "url": "https://apify.com",
    "grade": "B",
    "score": 72,
    "headers": {
        "strict-transport-security": "max-age=31536000; includeSubDomains",
        "x-frame-options": "SAMEORIGIN",
        "x-content-type-options": "nosniff"
    },
    "checks": [
        {
            "header": "strict-transport-security",
            "present": true,
            "value": "max-age=31536000; includeSubDomains",
            "severity": "pass",
            "message": "HSTS enabled: max-age=31536000, includeSubDomains"
        },
        {
            "header": "content-security-policy",
            "present": false,
            "value": null,
            "severity": "critical",
            "message": "CSP header missing — no protection against XSS and injection attacks"
        }
    ],
    "summary": {
        "passed": 5,
        "warnings": 2,
        "critical": 1,
        "missing": 4
    },
    "checkTimeMs": 342,
    "error": null,
    "checkedAt": "2026-03-01T12:00:00.000Z"
}

Grading scale

Grade	Score	Description
A+	90-100	Excellent -- all critical headers present and properly configured
A	80-89	Good -- most headers present with minor gaps
B	70-79	Fair -- some important headers missing
C	60-69	Below average -- multiple security gaps
D	40-59	Poor -- significant security headers missing
F	0-39	Failing -- critical security headers absent

How much does it cost?

HTTP Headers Security Checker uses Apify's pay-per-event pricing. You only pay for what you use.

Event	Price	Description
Start	$0.035	One-time per run
URL checked	$0.001	Per website checked

Cost examples:

• 5 websites: $0.035 + 5 x $0.001 = $0.04
• 100 websites: $0.035 + 100 x $0.001 = $0.135
• 1,000 websites: $0.035 + 1,000 x $0.001 = $1.035

Using the Apify API

You can start HTTP Headers Security Checker programmatically using the Apify API. Replace YOUR_TOKEN with your Apify API token.

Node.js

import { ApifyClient } from 'apify-client';

const client = new ApifyClient({ token: 'YOUR_TOKEN' });
const run = await client.actor('automation-lab/http-headers-security-checker').call({
    urls: ['apify.com', 'google.com'],
});
const { items } = await client.dataset(run.defaultDatasetId).listItems();
console.log(items);

Python

from apify_client import ApifyClient

client = ApifyClient('YOUR_TOKEN')
run = client.actor('automation-lab/http-headers-security-checker').call(run_input={
    'urls': ['apify.com', 'google.com'],
})
items = client.dataset(run['defaultDatasetId']).list_items().items
print(items)

Integrations

Connect HTTP Headers Security Checker with other tools using Apify integrations. Export results to Google Sheets for ongoing security tracking, send Slack alerts when grades drop below your threshold, trigger Make or Zapier workflows for automated remediation tickets, push data to n8n for custom security pipelines, or configure webhooks for real-time monitoring after deployments.

Tips and best practices

• Focus on critical severity items first -- missing HSTS and CSP headers have the biggest impact on your security posture.
• Schedule weekly scans after deployments to catch header regressions introduced by infrastructure changes or CDN updates.
• Compare grades across environments (staging vs production) to ensure security headers are consistent.
• Use the checks array to generate specific remediation tickets for your DevOps team with exact header values to implement.
• Combine with SSL Certificate Checker for a comprehensive transport security audit covering both certificates and headers.

FAQ

What is the most important security header to add? Content-Security-Policy (CSP) and Strict-Transport-Security (HSTS) carry the highest weight. Adding these two headers alone can move a site from grade D to grade B.

Does this actor check the actual header values or just presence? Both. The actor checks for header presence and evaluates the configured values. For example, it verifies that HSTS has an adequate max-age and that CSP is not set to an overly permissive policy.

Can I check sites behind a CDN like Cloudflare? Yes. The actor checks the headers as served to the client, which includes any headers added or modified by CDN providers. This reflects the actual security posture visitors experience.