HTTP Security Headers & OWASP Posture Auditor
Pricing
from $20.00 / 1,000 url auditeds
HTTP Security Headers & OWASP Posture Auditor
Audit HTTP security response headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP/COEP/CORP) for any URL. Returns a 0-100 grade, letter rating, and a prioritized fix list with exact header values to add. Single polite GET per URL, no crawling.
Pricing
from $20.00 / 1,000 url auditeds
Rating
0.0
(0)
Developer
Geo
Maintained by CommunityActor stats
0
Bookmarked
2
Total users
1
Monthly active users
2 days ago
Last modified
Categories
Share
Audit HTTP security response headers for any URL: CSP · HSTS · X-Frame-Options · X-Content-Type-Options · Referrer-Policy · Permissions-Policy · COOP · CORP — with a 0–100 grade and a prioritized fix list.
A single polite GET per URL — no crawling, no forms, no auth. Built for security teams, DevOps, QA, and agencies who need to find missing security headers across a portfolio of sites fast.
What it checks
| Header | Why it matters | Severity if missing |
|---|---|---|
| Content-Security-Policy (CSP) | The strongest mitigation against XSS and data injection — the single most important security header | Critical |
| Strict-Transport-Security (HSTS) | Forces HTTPS for all future visits (RFC 6797) — stops SSL-strip MITM | High |
| X-Frame-Options | Clickjacking defense (DENY / SAMEORIGIN) | Medium |
| X-Content-Type-Options | Stops MIME-sniffing XSS (nosniff) | Medium |
| Referrer-Policy | Controls referrer leakage to third parties | Low |
| Permissions-Policy | Locks down browser features (camera, mic, geolocation, payment) | Low |
| Cross-Origin-Opener-Policy (COOP) | Spectre-class isolation for top-level documents | Low |
| Cross-Origin-Resource-Policy (CORP) | Controls who may load the resource cross-origin | Low |
| HTTPS | Site must be served over HTTPS at all | Critical (if absent) |
Each URL gets a 0–100 posture score (A–F grade), an issue list sorted by severity with a copy-pasteable fix per issue, and a top_fix summary.
Use cases
- Security & compliance teams — scan your asset inventory weekly to catch missing/CSP regressions.
- DevOps / SRE — verify new deployments ship the full security-header set before they hit prod.
- Agencies & consultants — generate a prioritized remediation report per client site in one run.
- Bug-bounty / recon — quick posture triage on scoped targets.
- PCI-DSS / SOC 2 — evidence that security headers are present and correctly configured across your perimeter.
Example input
{"urls": ["https://example.com", "https://github.com"]}
Example output (per URL)
{"url": "https://example.com","http_status": 200,"posture_score": 45,"posture_grade": "F","https_enabled": true,"csp": "missing","hsts": "missing","issue_count": 7,"top_fix": "Add: Content-Security-Policy: default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'","issues": [{ "severity": "critical", "area": "CSP", "message": "CSP header is missing…", "fix": "Add: Content-Security-Policy…" },{ "severity": "high", "area": "HSTS", "message": "HSTS header is missing…", "fix": "Add: Strict-Transport-Security…" }]}
Pricing (pay-per-event)
| Event | Unit | Price |
|---|---|---|
actor-start | per run | $0.0005 |
url-audited | per URL fetched & scored | $0.005 |
issue-flagged | per issue flagged (capped at 8/URL) | $0.002 |
Worked cost example — auditing 100 URLs, average 4 issues each:
actor-start ($0.0005) + 100 × url-audited (100 × $0.005 = $0.50) + 400 × issue-flagged (400 × $0.002 = $0.80) = ~$1.31 for 100 URLs (≈ 1.3¢ per URL).
Integration
- API / SDK — standard Apify actor; call via HTTP API, JS/Python SDK, or Schedule for weekly drift detection.
- Webhooks — POST results to Make/n8n/Zapier on completion; alert on any grade drop.
- Bulk — pass hundreds of URLs; sequential single-request politeness.
- CI/CD — add to a deploy pipeline; fail the build if posture_grade drops below B.
Limitations & honest notes
- One page per URL. The auditor fetches exactly the URL you provide and inspects the response headers. It does not crawl. To audit multiple pages, pass multiple URLs.
- Headers set by CDN/WAF may differ from origin. A CDN like Cloudflare may add HSTS at the edge even if your origin doesn't set it. The audit sees what a real client receives.
- CSP quality is heuristic. We detect wildcards,
'unsafe-inline', and'unsafe-eval', but a full CSP evaluator (Google CSP Evaluator) is out of scope. A policy that passes our check may still have subtle gaps. - No authenticated scanning. If your app requires login to reach certain headers, this auditor will see only the pre-auth response. Use a custom UA / API-token URL where supported.
- Ownership-gated for third-party use. The audit reads public response headers — safe for any site. For ToS comfort, an optional ownership-verification meta tag is supported.
Data source
A single polite HTTP GET to each user-supplied URL, using a descriptive user-agent. No scraping of page content, no form submission, no auth. Response headers are the only data extracted.