HTTP Security Headers & OWASP Posture Auditor avatar

HTTP Security Headers & OWASP Posture Auditor

Pricing

from $20.00 / 1,000 url auditeds

Go to Apify Store
HTTP Security Headers & OWASP Posture Auditor

HTTP Security Headers & OWASP Posture Auditor

Audit HTTP security response headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP/COEP/CORP) for any URL. Returns a 0-100 grade, letter rating, and a prioritized fix list with exact header values to add. Single polite GET per URL, no crawling.

Pricing

from $20.00 / 1,000 url auditeds

Rating

0.0

(0)

Developer

Geo

Geo

Maintained by Community

Actor stats

0

Bookmarked

2

Total users

1

Monthly active users

2 days ago

Last modified

Share

Audit HTTP security response headers for any URL: CSP · HSTS · X-Frame-Options · X-Content-Type-Options · Referrer-Policy · Permissions-Policy · COOP · CORP — with a 0–100 grade and a prioritized fix list.

A single polite GET per URL — no crawling, no forms, no auth. Built for security teams, DevOps, QA, and agencies who need to find missing security headers across a portfolio of sites fast.

What it checks

HeaderWhy it mattersSeverity if missing
Content-Security-Policy (CSP)The strongest mitigation against XSS and data injection — the single most important security headerCritical
Strict-Transport-Security (HSTS)Forces HTTPS for all future visits (RFC 6797) — stops SSL-strip MITMHigh
X-Frame-OptionsClickjacking defense (DENY / SAMEORIGIN)Medium
X-Content-Type-OptionsStops MIME-sniffing XSS (nosniff)Medium
Referrer-PolicyControls referrer leakage to third partiesLow
Permissions-PolicyLocks down browser features (camera, mic, geolocation, payment)Low
Cross-Origin-Opener-Policy (COOP)Spectre-class isolation for top-level documentsLow
Cross-Origin-Resource-Policy (CORP)Controls who may load the resource cross-originLow
HTTPSSite must be served over HTTPS at allCritical (if absent)

Each URL gets a 0–100 posture score (A–F grade), an issue list sorted by severity with a copy-pasteable fix per issue, and a top_fix summary.

Use cases

  • Security & compliance teams — scan your asset inventory weekly to catch missing/CSP regressions.
  • DevOps / SRE — verify new deployments ship the full security-header set before they hit prod.
  • Agencies & consultants — generate a prioritized remediation report per client site in one run.
  • Bug-bounty / recon — quick posture triage on scoped targets.
  • PCI-DSS / SOC 2 — evidence that security headers are present and correctly configured across your perimeter.

Example input

{
"urls": ["https://example.com", "https://github.com"]
}

Example output (per URL)

{
"url": "https://example.com",
"http_status": 200,
"posture_score": 45,
"posture_grade": "F",
"https_enabled": true,
"csp": "missing",
"hsts": "missing",
"issue_count": 7,
"top_fix": "Add: Content-Security-Policy: default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
"issues": [
{ "severity": "critical", "area": "CSP", "message": "CSP header is missing…", "fix": "Add: Content-Security-Policy…" },
{ "severity": "high", "area": "HSTS", "message": "HSTS header is missing…", "fix": "Add: Strict-Transport-Security…" }
]
}

Pricing (pay-per-event)

EventUnitPrice
actor-startper run$0.0005
url-auditedper URL fetched & scored$0.005
issue-flaggedper issue flagged (capped at 8/URL)$0.002

Worked cost example — auditing 100 URLs, average 4 issues each: actor-start ($0.0005) + 100 × url-audited (100 × $0.005 = $0.50) + 400 × issue-flagged (400 × $0.002 = $0.80) = ~$1.31 for 100 URLs (≈ 1.3¢ per URL).

Integration

  • API / SDK — standard Apify actor; call via HTTP API, JS/Python SDK, or Schedule for weekly drift detection.
  • Webhooks — POST results to Make/n8n/Zapier on completion; alert on any grade drop.
  • Bulk — pass hundreds of URLs; sequential single-request politeness.
  • CI/CD — add to a deploy pipeline; fail the build if posture_grade drops below B.

Limitations & honest notes

  • One page per URL. The auditor fetches exactly the URL you provide and inspects the response headers. It does not crawl. To audit multiple pages, pass multiple URLs.
  • Headers set by CDN/WAF may differ from origin. A CDN like Cloudflare may add HSTS at the edge even if your origin doesn't set it. The audit sees what a real client receives.
  • CSP quality is heuristic. We detect wildcards, 'unsafe-inline', and 'unsafe-eval', but a full CSP evaluator (Google CSP Evaluator) is out of scope. A policy that passes our check may still have subtle gaps.
  • No authenticated scanning. If your app requires login to reach certain headers, this auditor will see only the pre-auth response. Use a custom UA / API-token URL where supported.
  • Ownership-gated for third-party use. The audit reads public response headers — safe for any site. For ToS comfort, an optional ownership-verification meta tag is supported.

Data source

A single polite HTTP GET to each user-supplied URL, using a descriptive user-agent. No scraping of page content, no form submission, no auth. Response headers are the only data extracted.