# HTTP Security Headers & OWASP Posture Auditor (`gp005/security-headers-auditor`) Actor

Audit HTTP security response headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP/COEP/CORP) for any URL. Returns a 0-100 grade, letter rating, and a prioritized fix list with exact header values to add. Single polite GET per URL, no crawling.

- **URL**: https://apify.com/gp005/security-headers-auditor.md
- **Developed by:** [Geo](https://apify.com/gp005) (community)
- **Categories:** Developer tools, Automation
- **Stats:** 2 total users, 1 monthly users, 100.0% runs succeeded, 0 bookmarks
- **User rating**: No ratings yet

## Pricing

from $20.00 / 1,000 url auditeds

This Actor is paid per event. You are not charged for the Apify platform usage, but only a fixed price for specific events.

Learn more: https://docs.apify.com/platform/actors/running/actors-in-store#pay-per-event

## What's an Apify Actor?

Actors are a software tools running on the Apify platform, for all kinds of web data extraction and automation use cases.
In Batch mode, an Actor accepts a well-defined JSON input, performs an action which can take anything from a few seconds to a few hours,
and optionally produces a well-defined JSON output, datasets with results, or files in key-value store.
In Standby mode, an Actor provides a web server which can be used as a website, API, or an MCP server.
Actors are written with capital "A".

## How to integrate an Actor?

If asked about integration, you help developers integrate Actors into their projects.
You adapt to their stack and deliver integrations that are safe, well-documented, and production-ready.
The best way to integrate Actors is as follows.

In JavaScript/TypeScript projects, use official [JavaScript/TypeScript client](https://docs.apify.com/api/client/js.md):

```bash
npm install apify-client
```

In Python projects, use official [Python client library](https://docs.apify.com/api/client/python.md):

```bash
pip install apify-client
```

In shell scripts, use [Apify CLI](https://docs.apify.com/cli/docs.md):

````bash
# MacOS / Linux
curl -fsSL https://apify.com/install-cli.sh | bash
# Windows
irm https://apify.com/install-cli.ps1 | iex
```bash

In AI frameworks, you might use the [Apify MCP server](https://docs.apify.com/platform/integrations/mcp.md).

If your project is in a different language, use the [REST API](https://docs.apify.com/api/v2.md).

For usage examples, see the [API](#api) section below.

For more details, see Apify documentation as [Markdown index](https://docs.apify.com/llms.txt) and [Markdown full-text](https://docs.apify.com/llms-full.txt).


# README

## HTTP Security Headers & OWASP Posture Auditor

> Audit HTTP security response headers for any URL: **CSP · HSTS · X-Frame-Options · X-Content-Type-Options · Referrer-Policy · Permissions-Policy · COOP · CORP** — with a 0–100 grade and a prioritized fix list.

A single polite GET per URL — no crawling, no forms, no auth. Built for **security teams, DevOps, QA, and agencies** who need to find missing security headers across a portfolio of sites fast.

### What it checks

| Header | Why it matters | Severity if missing |
|---|---|---|
| **Content-Security-Policy (CSP)** | The strongest mitigation against XSS and data injection — the single most important security header | **Critical** |
| **Strict-Transport-Security (HSTS)** | Forces HTTPS for all future visits (RFC 6797) — stops SSL-strip MITM | **High** |
| **X-Frame-Options** | Clickjacking defense (`DENY` / `SAMEORIGIN`) | **Medium** |
| **X-Content-Type-Options** | Stops MIME-sniffing XSS (`nosniff`) | **Medium** |
| **Referrer-Policy** | Controls referrer leakage to third parties | **Low** |
| **Permissions-Policy** | Locks down browser features (camera, mic, geolocation, payment) | **Low** |
| **Cross-Origin-Opener-Policy (COOP)** | Spectre-class isolation for top-level documents | **Low** |
| **Cross-Origin-Resource-Policy (CORP)** | Controls who may load the resource cross-origin | **Low** |
| **HTTPS** | Site must be served over HTTPS at all | **Critical** (if absent) |

Each URL gets a **0–100 posture score** (A–F grade), an issue list sorted by severity with a copy-pasteable **fix** per issue, and a `top_fix` summary.

### Use cases

- **Security & compliance teams** — scan your asset inventory weekly to catch missing/CSP regressions.
- **DevOps / SRE** — verify new deployments ship the full security-header set before they hit prod.
- **Agencies & consultants** — generate a prioritized remediation report per client site in one run.
- **Bug-bounty / recon** — quick posture triage on scoped targets.
- **PCI-DSS / SOC 2** — evidence that security headers are present and correctly configured across your perimeter.

### Example input

```json
{
  "urls": ["https://example.com", "https://github.com"]
}
````

### Example output (per URL)

```json
{
  "url": "https://example.com",
  "http_status": 200,
  "posture_score": 45,
  "posture_grade": "F",
  "https_enabled": true,
  "csp": "missing",
  "hsts": "missing",
  "issue_count": 7,
  "top_fix": "Add: Content-Security-Policy: default-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
  "issues": [
    { "severity": "critical", "area": "CSP", "message": "CSP header is missing…", "fix": "Add: Content-Security-Policy…" },
    { "severity": "high", "area": "HSTS", "message": "HSTS header is missing…", "fix": "Add: Strict-Transport-Security…" }
  ]
}
```

### Pricing (pay-per-event)

| Event | Unit | Price |
|---|---|---|
| `actor-start` | per run | $0.0005 |
| `url-audited` | per URL fetched & scored | $0.005 |
| `issue-flagged` | per issue flagged (capped at 8/URL) | $0.002 |

**Worked cost example** — auditing 100 URLs, average 4 issues each:
`actor-start` ($0.0005) + 100 × `url-audited` (100 × $0.005 = $0.50) + 400 × `issue-flagged` (400 × $0.002 = $0.80) = **~$1.31 for 100 URLs** (≈ 1.3¢ per URL).

### Integration

- **API / SDK** — standard Apify actor; call via HTTP API, JS/Python SDK, or Schedule for weekly drift detection.
- **Webhooks** — POST results to Make/n8n/Zapier on completion; alert on any grade drop.
- **Bulk** — pass hundreds of URLs; sequential single-request politeness.
- **CI/CD** — add to a deploy pipeline; fail the build if posture\_grade drops below B.

### Limitations & honest notes

- **One page per URL.** The auditor fetches exactly the URL you provide and inspects the response headers. It does not crawl. To audit multiple pages, pass multiple URLs.
- **Headers set by CDN/WAF may differ from origin.** A CDN like Cloudflare may add HSTS at the edge even if your origin doesn't set it. The audit sees what a real client receives.
- **CSP quality is heuristic.** We detect wildcards, `'unsafe-inline'`, and `'unsafe-eval'`, but a full CSP evaluator (Google CSP Evaluator) is out of scope. A policy that passes our check may still have subtle gaps.
- **No authenticated scanning.** If your app requires login to reach certain headers, this auditor will see only the pre-auth response. Use a custom UA / API-token URL where supported.
- **Ownership-gated for third-party use.** The audit reads public response headers — safe for any site. For ToS comfort, an optional ownership-verification meta tag is supported.

### Data source

A single polite HTTP GET to each user-supplied URL, using a descriptive user-agent. No scraping of page content, no form submission, no auth. Response headers are the only data extracted.

# Actor input Schema

## `urls` (type: `array`):

URLs to audit for HTTP security headers. Ideally your own sites. The auditor issues a single polite GET per URL and inspects response headers — no crawling, no forms, no auth.

## `verifyToken` (type: `string`):

If set, the auditor looks for <meta name="headers-audit-verify" content="TOKEN"> on the page and marks ownership\_verified=true when it matches. Recommended when auditing third-party domains to prove you own them.

## `timeoutSecs` (type: `integer`):

Timeout for each HTTP fetch.

## Actor input object example

```json
{
  "urls": [
    "https://yourbrand.com",
    "https://app.yourbrand.com"
  ],
  "timeoutSecs": 15
}
```

# API

You can run this Actor programmatically using our API. Below are code examples in JavaScript, Python, and CLI, as well as the OpenAPI specification and MCP server setup.

## JavaScript example

```javascript
import { ApifyClient } from 'apify-client';

// Initialize the ApifyClient with your Apify API token
// Replace the '<YOUR_API_TOKEN>' with your token
const client = new ApifyClient({
    token: '<YOUR_API_TOKEN>',
});

// Prepare Actor input
const input = {
    "urls": [
        "https://example.com"
    ]
};

// Run the Actor and wait for it to finish
const run = await client.actor("gp005/security-headers-auditor").call(input);

// Fetch and print Actor results from the run's dataset (if any)
console.log('Results from dataset');
console.log(`💾 Check your data here: https://console.apify.com/storage/datasets/${run.defaultDatasetId}`);
const { items } = await client.dataset(run.defaultDatasetId).listItems();
items.forEach((item) => {
    console.dir(item);
});

// 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/js/docs

```

## Python example

```python
from apify_client import ApifyClient

# Initialize the ApifyClient with your Apify API token
# Replace '<YOUR_API_TOKEN>' with your token.
client = ApifyClient("<YOUR_API_TOKEN>")

# Prepare the Actor input
run_input = { "urls": ["https://example.com"] }

# Run the Actor and wait for it to finish
run = client.actor("gp005/security-headers-auditor").call(run_input=run_input)

# Fetch and print Actor results from the run's dataset (if there are any)
print("💾 Check your data here: https://console.apify.com/storage/datasets/" + run["defaultDatasetId"])
for item in client.dataset(run["defaultDatasetId"]).iterate_items():
    print(item)

# 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/python/docs/quick-start

```

## CLI example

```bash
echo '{
  "urls": [
    "https://example.com"
  ]
}' |
apify call gp005/security-headers-auditor --silent --output-dataset

```

## MCP server setup

```json
{
    "mcpServers": {
        "apify": {
            "command": "npx",
            "args": [
                "mcp-remote",
                "https://mcp.apify.com/?tools=gp005/security-headers-auditor",
                "--header",
                "Authorization: Bearer <YOUR_API_TOKEN>"
            ]
        }
    }
}

```

## OpenAPI specification

```json
{
    "openapi": "3.0.1",
    "info": {
        "title": "HTTP Security Headers & OWASP Posture Auditor",
        "description": "Audit HTTP security response headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP/COEP/CORP) for any URL. Returns a 0-100 grade, letter rating, and a prioritized fix list with exact header values to add. Single polite GET per URL, no crawling.",
        "version": "0.1",
        "x-build-id": "k3nGMXaNIMwBPCz1s"
    },
    "servers": [
        {
            "url": "https://api.apify.com/v2"
        }
    ],
    "paths": {
        "/acts/gp005~security-headers-auditor/run-sync-get-dataset-items": {
            "post": {
                "operationId": "run-sync-get-dataset-items-gp005-security-headers-auditor",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK"
                    }
                }
            }
        },
        "/acts/gp005~security-headers-auditor/runs": {
            "post": {
                "operationId": "runs-sync-gp005-security-headers-auditor",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor and returns information about the initiated run in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK",
                        "content": {
                            "application/json": {
                                "schema": {
                                    "$ref": "#/components/schemas/runsResponseSchema"
                                }
                            }
                        }
                    }
                }
            }
        },
        "/acts/gp005~security-headers-auditor/run-sync": {
            "post": {
                "operationId": "run-sync-gp005-security-headers-auditor",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK"
                    }
                }
            }
        }
    },
    "components": {
        "schemas": {
            "inputSchema": {
                "type": "object",
                "required": [
                    "urls"
                ],
                "properties": {
                    "urls": {
                        "title": "URLs to audit",
                        "type": "array",
                        "description": "URLs to audit for HTTP security headers. Ideally your own sites. The auditor issues a single polite GET per URL and inspects response headers — no crawling, no forms, no auth.",
                        "items": {
                            "type": "string"
                        }
                    },
                    "verifyToken": {
                        "title": "Ownership verification token (optional)",
                        "type": "string",
                        "description": "If set, the auditor looks for <meta name=\"headers-audit-verify\" content=\"TOKEN\"> on the page and marks ownership_verified=true when it matches. Recommended when auditing third-party domains to prove you own them."
                    },
                    "timeoutSecs": {
                        "title": "Per-request timeout (seconds)",
                        "minimum": 3,
                        "maximum": 60,
                        "type": "integer",
                        "description": "Timeout for each HTTP fetch.",
                        "default": 15
                    }
                }
            },
            "runsResponseSchema": {
                "type": "object",
                "properties": {
                    "data": {
                        "type": "object",
                        "properties": {
                            "id": {
                                "type": "string"
                            },
                            "actId": {
                                "type": "string"
                            },
                            "userId": {
                                "type": "string"
                            },
                            "startedAt": {
                                "type": "string",
                                "format": "date-time",
                                "example": "2025-01-08T00:00:00.000Z"
                            },
                            "finishedAt": {
                                "type": "string",
                                "format": "date-time",
                                "example": "2025-01-08T00:00:00.000Z"
                            },
                            "status": {
                                "type": "string",
                                "example": "READY"
                            },
                            "meta": {
                                "type": "object",
                                "properties": {
                                    "origin": {
                                        "type": "string",
                                        "example": "API"
                                    },
                                    "userAgent": {
                                        "type": "string"
                                    }
                                }
                            },
                            "stats": {
                                "type": "object",
                                "properties": {
                                    "inputBodyLen": {
                                        "type": "integer",
                                        "example": 2000
                                    },
                                    "rebootCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "restartCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "resurrectCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "computeUnits": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            },
                            "options": {
                                "type": "object",
                                "properties": {
                                    "build": {
                                        "type": "string",
                                        "example": "latest"
                                    },
                                    "timeoutSecs": {
                                        "type": "integer",
                                        "example": 300
                                    },
                                    "memoryMbytes": {
                                        "type": "integer",
                                        "example": 1024
                                    },
                                    "diskMbytes": {
                                        "type": "integer",
                                        "example": 2048
                                    }
                                }
                            },
                            "buildId": {
                                "type": "string"
                            },
                            "defaultKeyValueStoreId": {
                                "type": "string"
                            },
                            "defaultDatasetId": {
                                "type": "string"
                            },
                            "defaultRequestQueueId": {
                                "type": "string"
                            },
                            "buildNumber": {
                                "type": "string",
                                "example": "1.0.0"
                            },
                            "containerUrl": {
                                "type": "string"
                            },
                            "usage": {
                                "type": "object",
                                "properties": {
                                    "ACTOR_COMPUTE_UNITS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_WRITES": {
                                        "type": "integer",
                                        "example": 1
                                    },
                                    "KEY_VALUE_STORE_LISTS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_INTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_EXTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_RESIDENTIAL_TRANSFER_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_SERPS": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            },
                            "usageTotalUsd": {
                                "type": "number",
                                "example": 0.00005
                            },
                            "usageUsd": {
                                "type": "object",
                                "properties": {
                                    "ACTOR_COMPUTE_UNITS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_WRITES": {
                                        "type": "number",
                                        "example": 0.00005
                                    },
                                    "KEY_VALUE_STORE_LISTS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_INTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_EXTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_RESIDENTIAL_TRANSFER_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_SERPS": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}
```
