Website Security Headers Checker
Audit HTTP security headers for any URL: CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy. Returns a 0-100 score + letter grade + actionable findings. $0.005 per URL.
Pricing: Pay per usage
Developer: Hojun Lee (maintained by community)
Last modified: a day ago
Audit HTTP security headers for any URL and get a security score (0-100) + letter grade (A+ to F) + actionable findings. Checks CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and more. Batch up to 500 URLs. $0.005 per URL.
Why check security headers?
Security headers are the first line of defense against XSS, clickjacking, MIME sniffing, and data leakage. Yet most websites ship with zero or misconfigured headers — leaving visitors exposed. Major bug bounty programs (HackerOne, Bugcrowd) explicitly award points for missing headers.
This actor gives you a quantified, actionable report in seconds: what's missing, what's misconfigured, and how severe each issue is — without running a full pentest.
What you get
Per-URL output
```json
{
  "_type": "security_audit",
  "url": "https://example.com",
  "ok": true,
  "score": 45,
  "grade": "D",
  "https": true,
  "final_url": "https://example.com/",
  "status_code": 200,
  "server": "nginx/1.24",
  "headers_present": {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "x-content-type-options": "nosniff"
  },
  "headers_missing": [
    "content-security-policy",
    "x-frame-options",
    "referrer-policy",
    "permissions-policy"
  ],
  "findings": [
    {
      "header": "content-security-policy",
      "severity": "high",
      "finding": "Missing content-security-policy — restricts allowed content sources"
    }
  ]
}
```
Input Parameters
| Parameter | Type | Default | Description |
|---|---|---|---|
| urls | array | — | List of URLs to audit (batch mode) |
| url | string | — | Single URL to audit (used when urls is empty) |
| followRedirects | boolean | true | Follow HTTP → HTTPS redirects and audit the final URL |
| userAgent | string | — | Custom User-Agent for requests |
Scoring
| Header | Weight | Notes |
|---|---|---|
| Content-Security-Policy | 25 pts | Deducted if unsafe-inline, unsafe-eval, or wildcards present |
| Strict-Transport-Security | 20 pts | Deducted if max-age < 1 year or missing includeSubDomains |
| X-Frame-Options | 15 pts | DENY or SAMEORIGIN |
| X-Content-Type-Options | 10 pts | Must be nosniff |
| Referrer-Policy | 10 pts | |
| Permissions-Policy | 10 pts | |
| X-XSS-Protection | 5 pts | Legacy but still checked |
| Cross-Origin-Opener-Policy | 5 pts | |
| Grade | Score |
|---|---|
| A+ | 90-100 |
| A | 80-89 |
| B | 70-79 |
| C | 60-69 |
| D | 50-59 |
| F | 0-49 |
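To show how the weight and grade tables above combine into a score, here is an added Python implementation of the same rules over a dict of response headers. This is example code, not the actor's own: the page gives only the weights and what is deducted, so the partial-credit amounts for a weak CSP (12 of 25) and a short or incomplete HSTS (10 of 20), the severity labels and the finding texts are assumptions, and the resulting score can differ from the actor's (its sample output scores 45 for headers that score 30 here). The sample input is constructed.

```python
import re
ONE_YEAR = 31536000  # seconds; the table's "1 year" HSTS threshold
# (header, weight, severity when missing/weak, validity check on the value) from the scoring table
SIMPLE_CHECKS = (
    ("x-frame-options", 15, "medium", lambda v: v.upper() in ("DENY", "SAMEORIGIN")),
    ("x-content-type-options", 10, "low", lambda v: v.lower() == "nosniff"),
    ("referrer-policy", 10, "low", lambda v: True),
    ("permissions-policy", 10, "low", lambda v: True),
    ("x-xss-protection", 5, "info", lambda v: True),
    ("cross-origin-opener-policy", 5, "low", lambda v: True),
)
GRADES = (("A+", 90), ("A", 80), ("B", 70), ("C", 60), ("D", 50), ("F", 0))
# Constructed input mirroring the page's example output: only HSTS and nosniff are set
SAMPLE = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains", "X-Content-Type-Options": "nosniff"}

def score_headers(headers):
    """Score response headers (any key case) with the table's weights; returns (score, grade, findings).
    Partial credit for a weak CSP or HSTS is an assumption here, not the actor's rule."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    score, findings = 0, []
    def note(header, severity, text):
        findings.append({"header": header, "severity": severity, "finding": text})
    # Content-Security-Policy: 25 pts; unsafe-inline, unsafe-eval or a wildcard keeps only 12 (assumed)
    csp = h.get("content-security-policy")
    if csp is None:
        note("content-security-policy", "high", "Missing content-security-policy")
    elif re.search(r"unsafe-inline|unsafe-eval|\*", csp):
        score += 12
        note("content-security-policy", "medium", "CSP allows unsafe-inline, unsafe-eval or a wildcard source")
    else:
        score += 25
    # Strict-Transport-Security: 20 pts needs max-age >= 1 year plus includeSubDomains, else 10 (assumed)
    hsts = h.get("strict-transport-security")
    m = re.search(r"max-age=(\d+)", hsts or "", re.I)
    if hsts is None:
        note("strict-transport-security", "high", "Missing strict-transport-security")
    elif m and int(m.group(1)) >= ONE_YEAR and "includesubdomains" in hsts.lower():
        score += 20
    else:
        score += 10
        note("strict-transport-security", "medium", "HSTS max-age < 1 year or includeSubDomains missing")
    # Remaining headers: full weight when present and valid, otherwise a finding
    for name, pts, sev, ok in SIMPLE_CHECKS:
        if name in h and ok(h[name]):
            score += pts
        else:
            note(name, sev, f"Missing or weak {name}")
    grade = next(g for g, floor in GRADES if score >= floor)
    return score, grade, findings
```

Feed it the headers from any HTTP response (for example `dict(requests.head(url).headers)`) to get a per-URL score in the same shape as the actor's findings list.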
Use cases
- Security audits — Bulk-check all your domains before a pentest engagement
- Compliance — Verify headers meet PCI-DSS / HIPAA / SOC2 requirements
- Bug bounty recon — Quickly scan targets for easy header wins
- DevOps monitoring — Schedule weekly checks; alert on regression
- Client reporting — Generate a scored report per domain for security consulting
Quick start
Single site
```json
{ "url": "https://yourcompany.com" }
```
Bulk audit
```json
{ "urls": ["https://site1.com", "https://site2.com"] }
```
Pricing
Pay-Per-Event: $0.005 per URL audited.
| Run | URLs | Cost |
|---|---|---|
| Single site audit | 1 | $0.005 |
| 10-domain report | 10 | $0.05 |
| 100-domain bulk check | 100 | $0.50 |
Related actors
- Phishing URL Detector — Check URLs for phishing indicators
- Email & Domain OSINT — WHOIS, DNS, SSL, breach data
- HTML Metadata Extractor — OpenGraph, JSON-LD, meta tags