Security Headers Checker

Pricing

Pay per usage


Developer

Donny Nguyen

Maintained by Community

Overview

Security Headers Checker is an Apify actor that audits HTTP security headers for multiple websites in bulk. It analyzes critical headers like Content-Security-Policy (CSP), Strict-Transport-Security (HSTS), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. Each URL receives a letter grade (A+ to F) based on its security header configuration. This tool is essential for security audits, compliance checks, and identifying potential vulnerabilities in web applications.

Features

  • Check all major HTTP security headers in a single scan
  • Assign letter grades (A+ through F) based on header completeness
  • Analyze Content-Security-Policy (CSP) configuration
  • Check HSTS (HTTP Strict Transport Security) settings
  • Verify X-Frame-Options for clickjacking protection
  • Check X-Content-Type-Options for MIME sniffing prevention
  • Analyze Referrer-Policy settings
  • Check Cross-Origin policies (COOP, CORP, COEP)
  • Bulk processing of multiple URLs

Use Cases

  • Security Auditing: Assess the security posture of your web applications
  • Compliance Checks: Verify security headers meet organizational or regulatory requirements
  • Penetration Testing Prep: Identify missing security headers before deeper testing
  • Vendor Assessment: Evaluate the security practices of third-party services
  • Development QA: Ensure proper headers are set before deploying to production

Input Configuration

Parameter | Type | Default | Description
urls | Array | ["https://google.com", "https://github.com", "https://apify.com"] | URLs to check security headers for

Output Format

Each result includes the URL, overall security grade, and the value or status of each security header. Missing headers are clearly marked. Results are stored in the default Apify dataset and can be exported to CSV, JSON, or Excel for reporting.

Integration

Use this actor with Apify schedules for regular security monitoring. Send alerts via Apify integrations when headers change or grades drop. Access results programmatically via the Apify API for automated compliance workflows.

Limitations and Notes

Security headers are checked via HEAD requests, which should return the same headers as GET requests for most servers. Some CDNs or WAFs may add or modify headers. The grading system is a simplified assessment and does not replace a comprehensive security audit. CSP policies are captured but not analyzed for correctness (a weak CSP still gets credit for being present). The actor checks headers from Apify's data center, so results may differ from what clients in specific geographic locations receive.
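
Because a weak CSP still gets credit for being present, the captured CSP value is worth a second pass after export. The following is an added example, not the actor's own code: it runs the presence check over the six headers named in the Overview and then flags a few well-known CSP weaknesses. The function names, rule set and sample header sets are assumptions constructed for illustration.

```python
# Added example: constructed header sets; rules are illustrative, not the actor's grading logic.
CHECKED = ("content-security-policy", "strict-transport-security", "x-frame-options",
           "x-content-type-options", "referrer-policy", "permissions-policy")
BROAD = {"*", "http:", "https:", "data:"}
PINS = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def parse_csp(value):
    """Split a CSP value into {directive: [sources]}; first duplicate wins."""
    policy = {}
    for part in value.split(";"):
        tokens = part.lower().split()
        if tokens:
            policy.setdefault(tokens[0], tokens[1:])
    return policy

def csp_findings(value):
    """Weaknesses in a CSP that a presence-only check gives credit for."""
    policy, findings = parse_csp(value), []
    for name in ("script-src", "object-src"):
        sources = policy.get(name, policy.get("default-src"))  # default-src fallback
        if sources is None:
            findings.append(f"{name}: unrestricted (no {name} or default-src)")
            continue
        is_script = name == "script-src"
        broad = sorted(BROAD.intersection(sources))
        # 'strict-dynamic' makes browsers ignore host and scheme sources for scripts.
        if broad and not (is_script and "'strict-dynamic'" in sources):
            findings.append(f"{name}: broad source {' '.join(broad)}")
        # 'unsafe-inline' is ignored by browsers when a nonce or hash is present.
        pinned = any(s.startswith(PINS) for s in sources)
        if is_script and "'unsafe-inline'" in sources and not pinned:
            findings.append("script-src: allows 'unsafe-inline'")
        if is_script and "'unsafe-eval'" in sources:
            findings.append("script-src: allows 'unsafe-eval'")
    return findings

def audit(headers):
    """Presence check for the six headers, plus CSP quality findings."""
    h = {k.lower(): v for k, v in headers.items()}
    csp = h.get("content-security-policy")
    return {"missing": [n for n in CHECKED if n not in h],
            "csp_findings": csp_findings(csp) if csp else []}

BASE = {"Strict-Transport-Security": "max-age=31536000", "X-Frame-Options": "DENY",
        "X-Content-Type-Options": "nosniff", "Referrer-Policy": "no-referrer",
        "Permissions-Policy": "geolocation=()"}
WEAK = {**BASE, "Content-Security-Policy":
        "default-src *; script-src 'self' 'unsafe-inline' 'unsafe-eval'"}
STRICT = {**BASE, "Content-Security-Policy":
          "default-src 'self'; script-src 'nonce-abc123' 'strict-dynamic'; object-src 'none'"}
```

Both `WEAK` and `STRICT` have nothing missing in a presence-only check; only `audit(WEAK)["csp_findings"]` separates them.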