Website Security Headers Checker

Audit HTTP security headers for any URL: CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy. Returns a 0-100 score + letter grade + actionable findings. $0.005 per URL.

Pricing: Pay per usage

Developer: Hojun Lee (Maintained by Community)

Audit HTTP security headers for any URL and get a security score (0-100) + letter grade (A+ to F) + actionable findings. Checks CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and more. Batch up to 500 URLs. $0.005 per URL.


Why check security headers?

Security headers are the first line of defense against XSS, clickjacking, MIME sniffing, and data leakage. Yet most websites ship with zero or misconfigured headers — leaving visitors exposed. Major bug bounty programs (HackerOne, Bugcrowd) explicitly award points for missing headers.

This actor gives you a quantified, actionable report in seconds: what's missing, what's misconfigured, and how severe each issue is — without running a full pentest.


What you get

Per-URL output

{
  "_type": "security_audit",
  "url": "https://example.com",
  "ok": true,
  "score": 45,
  "grade": "D",
  "https": true,
  "final_url": "https://example.com/",
  "status_code": 200,
  "server": "nginx/1.24",
  "headers_present": {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "x-content-type-options": "nosniff"
  },
  "headers_missing": [
    "content-security-policy",
    "x-frame-options",
    "referrer-policy",
    "permissions-policy"
  ],
  "findings": [
    {
      "header": "content-security-policy",
      "severity": "high",
      "finding": "Missing content-security-policy — restricts allowed content sources"
    }
  ]
}

Input Parameters

| Parameter       | Type    | Default | Description                                             |
|-----------------|---------|---------|---------------------------------------------------------|
| urls            | array   |         | List of URLs to audit (batch mode)                      |
| url             | string  |         | Single URL to audit (used when urls is empty)           |
| followRedirects | boolean | true    | Follow HTTP → HTTPS redirects and audit the final URL   |
| userAgent       | string  |         | Custom User-Agent for requests                          |

Scoring

| Header                      | Weight | Notes                                                          |
|-----------------------------|--------|----------------------------------------------------------------|
| Content-Security-Policy     | 25 pts | Deducted if unsafe-inline, unsafe-eval, or wildcards present   |
| Strict-Transport-Security   | 20 pts | Deducted if max-age < 1 year or missing includeSubDomains      |
| X-Frame-Options             | 15 pts | DENY or SAMEORIGIN                                             |
| X-Content-Type-Options      | 10 pts | Must be nosniff                                                |
| Referrer-Policy             | 10 pts |                                                                |
| Permissions-Policy          | 10 pts |                                                                |
| X-XSS-Protection            | 5 pts  | Legacy but still checked                                       |
| Cross-Origin-Opener-Policy  | 5 pts  |                                                                |

| Grade | Score  |
|-------|--------|
| A+    | 90-100 |
| A     | 80-89  |
| B     | 70-79  |
| C     | 60-69  |
| D     | 50-59  |
| F     | 0-49   |
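The two tables above, worked through as a scorer over a response-header map. This is an added example, not the actor's own code: the weights, the deduction conditions, and the grade bands are taken from the tables, but the page does not say how many points a misconfigured header loses, so the half-credit deduction for a weak CSP or HSTS value, the zero credit for an invalid X-Frame-Options or X-Content-Type-Options value, and the severity mapping (high/medium/low by weight) are assumptions. For that reason the score it produces for the per-URL sample headers shown earlier will not necessarily match the 45 in that sample. The header sets at the bottom are constructed test inputs; the function returns the same shape as the per-URL output (score, grade, headers_present, headers_missing, findings) minus the network fields.

```python
"""Reference scorer for the security-header scheme described above (added example)."""
import re

# Weights from the Scoring table (sum to 100).
WEIGHTS = {
    "content-security-policy": 25,
    "strict-transport-security": 20,
    "x-frame-options": 15,
    "x-content-type-options": 10,
    "referrer-policy": 10,
    "permissions-policy": 10,
    "x-xss-protection": 5,
    "cross-origin-opener-policy": 5,
}
ONE_YEAR = 31536000  # seconds; HSTS max-age threshold from the table

# Assumption: severity is derived from the header's weight (not stated on the page).
def severity(weight: int) -> str:
    return "high" if weight >= 20 else "medium" if weight >= 10 else "low"

def _hsts_max_age(value: str) -> int:
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.I)
    return int(m.group(1)) if m else 0

def check_header(name: str, value):
    """Return (points awarded, finding text or None) for one header."""
    weight = WEIGHTS[name]
    if value is None:
        return 0, f"Missing {name}"
    v = value.lower()
    if name == "content-security-policy":
        weak = [tok for tok in ("'unsafe-inline'", "'unsafe-eval'") if tok in v]
        if re.search(r"(^|\s)\*(\s|;|$)", v):  # bare * as a source token
            weak.append("wildcard source")
        if weak:  # assumption: half credit for a present-but-weak CSP
            return weight // 2, "Weak CSP: " + ", ".join(weak)
    elif name == "strict-transport-security":
        problems = []
        if _hsts_max_age(value) < ONE_YEAR:
            problems.append("max-age < 1 year")
        if "includesubdomains" not in v:
            problems.append("missing includeSubDomains")
        if problems:  # assumption: half credit for a weak HSTS policy
            return weight // 2, "Weak HSTS: " + ", ".join(problems)
    elif name == "x-frame-options":
        if v.strip() not in ("deny", "sameorigin"):
            return 0, f"X-Frame-Options must be DENY or SAMEORIGIN, got {value!r}"
    elif name == "x-content-type-options":
        if v.strip() != "nosniff":
            return 0, f"X-Content-Type-Options must be nosniff, got {value!r}"
    return weight, None

def grade(score: int) -> str:
    """Letter grade from the grade-band table."""
    for threshold, letter in ((90, "A+"), (80, "A"), (70, "B"), (60, "C"), (50, "D")):
        if score >= threshold:
            return letter
    return "F"

def audit(headers: dict) -> dict:
    """Score a dict of response headers (names matched case-insensitively)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    score, present, missing, findings = 0, {}, [], []
    for name, weight in WEIGHTS.items():
        value = lowered.get(name)
        points, finding = check_header(name, value)
        score += points
        if value is None:
            missing.append(name)
        else:
            present[name] = value
        if finding:
            findings.append({"header": name, "severity": severity(weight), "finding": finding})
    return {"score": score, "grade": grade(score), "headers_present": present,
            "headers_missing": missing, "findings": findings}

# Constructed inputs (not captured from any real site).
SAMPLE_PARTIAL = {  # mirrors the headers_present of the per-URL sample above
    "Server": "nginx/1.24",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
}
SAMPLE_HARDENED = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.com",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=()",
    "X-XSS-Protection": "0",
    "Cross-Origin-Opener-Policy": "same-origin",
}
SAMPLE_WEAK = {
    "Content-Security-Policy": "default-src *; script-src 'unsafe-inline'",
    "Strict-Transport-Security": "max-age=300",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
}

if __name__ == "__main__":
    import json
    for label, hdrs in (("partial", SAMPLE_PARTIAL), ("hardened", SAMPLE_HARDENED), ("weak", SAMPLE_WEAK)):
        print(label, json.dumps(audit(hdrs), indent=2))
```

Under these assumptions the partial set scores 30 (F), the hardened set 100 (A+), and the weak set 22 (F): a CSP that is present but carries a wildcard and unsafe-inline, or an HSTS policy with a short max-age, still loses most of its weight, which is the behaviour the Notes column describes.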

Use cases

  1. Security audits — Bulk-check all your domains before a pentest engagement
  2. Compliance — Verify headers meet PCI-DSS / HIPAA / SOC2 requirements
  3. Bug bounty recon — Quickly scan targets for easy header wins
  4. DevOps monitoring — Schedule weekly checks; alert on regression
  5. Client reporting — Generate a scored report per domain for security consulting

Quick start

Single site

{ "url": "https://yourcompany.com" }

Bulk audit

{
  "urls": [
    "https://site1.com",
    "https://site2.com"
  ]
}

Pricing

Pay-Per-Event: $0.005 per URL audited.

| Run                   | URLs | Cost   |
|-----------------------|------|--------|
| Single site audit     | 1    | $0.005 |
| 10-domain report      | 10   | $0.05  |
| 100-domain bulk check | 100  | $0.50  |

