
Public Security Headers & Cookie Surface Audit Agent

Pricing

from $5.00 / 1,000 useful security header audit results

Audit public HTTP response security headers, HTTPS redirect behavior, and cookie attribute exposure without scanning, attacking, or storing cookie values.

Rating: 0.0 (0 ratings)

Developer: jack su (Maintained by Community)

Actor stats: 0 bookmarked, 2 total users, 1 monthly active user, last modified 4 days ago

Turn public web pages into compact, source-linked security header and cookie surface records for AI agents, vendor review, web operations, SEO/engineering audits, and lightweight due diligence.

The Actor fetches the exact public HTTP/HTTPS URL you provide and returns one audit record per page:

  • common browser security headers and safe value summaries
  • missing required headers
  • weak header findings such as short HSTS, unsafe CSP signals, or weak frame protection
  • HTTPS redirect status for HTTP inputs
  • cookie summaries that keep only cookie names and attributes, never cookie values
  • risk labels, evidence URLs, redirect chain, headerHash, and changeStatus
  • confidence, completeness, missing fields, diagnostics, and readable errors

Good Fits

  • Check whether a public website exposes HSTS, CSP, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and frame controls.
  • Summarize public Set-Cookie attributes without storing session values.
  • Compare a current audit with a previous record and avoid paying for unchanged results.
  • Give AI agents a small evidence-backed security-surface signal before deeper review.

Not A Fit

  • This is not a vulnerability scanner, penetration test, compliance certification, uptime monitor, browser renderer, or malware detector.
  • It does not probe paths, submit forms, log in, use cookies, attack targets, fuzz parameters, bypass paywalls, or inspect private systems.
  • It does not store cookie values. Cookie output is limited to name and attributes such as Secure, HttpOnly, SameSite, Path, Domain, Max-Age, and Expires.

Input

{
  "urls": ["https://apify.com/"],
  "requiredHeaders": [
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
    "referrer-policy",
    "permissions-policy"
  ],
  "previousHeaderRecords": [],
  "requestTimeoutSecs": 15
}

urls must be public HTTP/HTTPS pages. URLs containing credentials, path parameters, query parameters, fragments, localhost, private-network hosts, .local names, or token-like account paths are rejected.
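
The input gate described above, as an added example that is not the Actor's code: it turns the rejection rules from this paragraph into one function that returns a reason string or None. The "path parameter" check (a ";" inside a segment), the 24-character token heuristic, and the small list of account-path words are assumptions of this example, not the Actor's documented rules.

```python
"""Public-only URL gate for a header audit (added example, not the Actor's code)."""
import ipaddress
import re
from typing import Optional
from urllib.parse import urlsplit

# Assumed heuristic: a long run of URL-safe characters is treated as a token-like segment.
TOKEN_LIKE = re.compile(r"^[A-Za-z0-9_-]{24,}$")
# Assumed list of path words that usually lead to account or credential flows.
ACCOUNT_PATH_WORDS = {"account", "reset-password", "verify", "invite", "unsubscribe"}


def reject_reason(url: str) -> Optional[str]:
    """Return why the URL must be rejected, or None if it is an acceptable public page."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return "unparseable"
    if parts.scheme not in ("http", "https"):
        return "unsupported-scheme"
    if parts.username is not None or parts.password is not None:
        return "credentials-in-url"
    if parts.query:
        return "query-string"
    if parts.fragment:
        return "fragment"
    host = parts.hostname
    if not host:
        return "missing-host"
    if host == "localhost" or host.endswith(".localhost") or host.endswith(".local"):
        return "local-host"
    try:
        ip = ipaddress.ip_address(host)  # hostname already strips IPv6 brackets
    except ValueError:
        ip = None
    if ip is not None and not ip.is_global:
        return "non-global-ip"  # loopback, RFC 1918, link-local, reserved ranges
    for segment in parts.path.split("/"):
        if ";" in segment:
            return "path-parameter"
        if TOKEN_LIKE.match(segment):
            return "token-like-path"
        if segment.lower() in ACCOUNT_PATH_WORDS:
            return "sensitive-account-path"
    return None


if __name__ == "__main__":
    for candidate in ("https://apify.com/", "http://10.0.0.1/", "https://example.com/?a=1"):
        print(candidate, "->", reject_reason(candidate) or "accepted")
```

Rejecting by IP literal only catches literal addresses; a public hostname that resolves to a private address still needs a check on the resolved address at connect time, which this example does not do.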

Output

{
  "status": "ok",
  "inputUrl": "https://example.com",
  "finalUrl": "https://example.com",
  "siteOriginUrl": "https://example.com",
  "changeStatus": "new",
  "httpStatusCode": 200,
  "httpsRedirectStatus": "already_https",
  "pageTitle": "Secure Example",
  "securityHeaders": [
    {
      "name": "strict-transport-security",
      "present": true,
      "valueSummary": "max-age=31536000; includeSubDomains; preload",
      "verdict": "strong"
    }
  ],
  "missingHeaders": [],
  "weakHeaderFindings": [],
  "cookieSummaries": [
    {
      "name": "sessionid",
      "secure": true,
      "httpOnly": true,
      "sameSite": "Lax",
      "path": "/",
      "domain": "",
      "hostOnly": true,
      "riskLabels": []
    }
  ],
  "riskLabels": ["no-obvious-header-or-cookie-risk"],
  "headerHash": "stable-sha256",
  "previousHeaderHash": "",
  "evidenceUrls": ["https://example.com"],
  "confidenceScore": 0.93,
  "completenessScore": 0.85,
  "diagnostics": ["cookiesDetected"]
}
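
How a record with the shape shown above can be assembled from one response, as an added example that is not the Actor's code. It covers the header verdicts, the weak findings named earlier (short HSTS, unsafe CSP signals, weak frame protection), cookie summaries that drop the value, and a canonical sha256 headerHash that drives changeStatus. The response headers are constructed sample input, and the thresholds (a one-year HSTS max-age for "strong", the CSP keywords treated as unsafe) are assumptions of this example.

```python
"""Header and cookie audit record builder (added example, not the Actor's code)."""
import hashlib
import json
from typing import Dict, List, Tuple

# Required header list from the Input section of the listing.
REQUIRED = ["strict-transport-security", "content-security-policy", "x-content-type-options",
            "x-frame-options", "referrer-policy", "permissions-policy"]
ONE_YEAR = 31536000  # assumed minimum HSTS max-age for a "strong" verdict

# Constructed sample response headers (not a real site). Set-Cookie repeats, so a list of pairs.
SAMPLE_HEADERS: List[Tuple[str, str]] = [
    ("Strict-Transport-Security", "max-age=300"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline'"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "ALLOWALL"),
    ("Set-Cookie", "sessionid=s3cr3t-value; Path=/; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "tracker=abc123; Domain=.example.com; Path=/; Secure; SameSite=None"),
]


def header_verdict(name: str, value: str) -> Tuple[str, str]:
    """Return (verdict, finding); finding is '' when the value looks acceptable."""
    low = value.lower()
    if name == "strict-transport-security":
        max_age = 0
        for part in low.split(";"):
            key, _, val = part.strip().partition("=")
            if key == "max-age" and val.isdigit():
                max_age = int(val)
        return ("strong", "") if max_age >= ONE_YEAR else ("weak", "short-hsts-max-age")
    if name == "content-security-policy":
        unsafe = "'unsafe-inline'" in low or "'unsafe-eval'" in low
        return ("weak", "unsafe-csp-signal") if unsafe else ("strong", "")
    if name == "x-content-type-options":
        return ("strong", "") if low == "nosniff" else ("weak", "weak-content-type-options")
    if name == "x-frame-options":
        return ("strong", "") if low in ("deny", "sameorigin") else ("weak", "weak-frame-protection")
    return "present", ""  # referrer-policy / permissions-policy: presence only in this example


def summarize_cookie(set_cookie: str) -> Dict[str, object]:
    """Keep the cookie name and attributes only; the value is discarded on purpose."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].partition("=")[0]  # everything after '=' is the value and is dropped
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    domain = attrs.get("domain", "").lstrip(".")
    summary = {"name": name, "secure": "secure" in attrs, "httpOnly": "httponly" in attrs,
               "sameSite": attrs.get("samesite", ""), "path": attrs.get("path", ""),
               "domain": domain, "hostOnly": domain == "", "riskLabels": []}
    if not summary["secure"]:
        summary["riskLabels"].append("cookie-missing-secure")
    if not summary["httpOnly"]:
        summary["riskLabels"].append("cookie-missing-httponly")
    return summary


def build_record(url: str, headers: List[Tuple[str, str]], previous_hash: str = "") -> Dict[str, object]:
    """Assemble the audit record plus a stable sha256 hash used for changeStatus."""
    lowered, cookies = {}, []
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookies.append(summarize_cookie(value))
        else:
            lowered[name.lower()] = value
    security_headers, missing, weak = [], [], []
    for name in REQUIRED:
        value = lowered.get(name)
        if value is None:
            security_headers.append({"name": name, "present": False, "valueSummary": "", "verdict": "missing"})
            missing.append(name)
            continue
        verdict, finding = header_verdict(name, value)
        security_headers.append({"name": name, "present": True, "valueSummary": value[:200], "verdict": verdict})
        if finding:
            weak.append({"header": name, "finding": finding})
    risk = [w["finding"] for w in weak] + ["missing-" + m for m in missing]
    for cookie in cookies:
        risk.extend(cookie["riskLabels"])
    # Canonical JSON (sorted keys, no whitespace) makes the hash stable across runs.
    canonical = json.dumps({"headers": security_headers, "cookies": cookies}, sort_keys=True, separators=(",", ":"))
    header_hash = hashlib.sha256(canonical.encode()).hexdigest()
    change = "new" if not previous_hash else ("unchanged" if previous_hash == header_hash else "changed")
    return {"inputUrl": url, "securityHeaders": security_headers, "missingHeaders": missing,
            "weakHeaderFindings": weak, "cookieSummaries": cookies,
            "riskLabels": sorted(set(risk)) or ["no-obvious-header-or-cookie-risk"],
            "headerHash": header_hash, "previousHeaderHash": previous_hash, "changeStatus": change}


def record_mentions(record: Dict[str, object], needle: str) -> bool:
    """True if a string appears anywhere in the serialized record (used to show cookie values are gone)."""
    return needle in json.dumps(record)


if __name__ == "__main__":
    print(json.dumps(build_record("https://example.com/", SAMPLE_HEADERS), indent=2))
```

Because the hash is computed over the same summaries the record exposes, a site whose headers are unchanged produces the same headerHash on the next run, which is what lets an unchanged record be skipped instead of charged.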

Pricing Behavior

The intended Apify pricing model is pay-per-event:

  • apify-actor-start: small run-start event
  • useful-security-header-audit-result: charged only for useful public security-header audit records

The useful event is not charged for failed fetches, private-network inputs, query-token inputs, unsupported URLs, unchanged records, or low-confidence records.

Do not configure apify-default-dataset-item for this Actor.

Safety

  • Public HTTP/HTTPS pages only.
  • Same-site redirects only.
  • HTML/text response size is capped at 3 MB, measured after gzip decompression, so a small compressed body cannot inflate past the cap.
  • Credentials, query strings, fragments, path params, sensitive account paths, token-like path segments, localhost, private IPs, non-global IPs, and .local hosts are rejected or redacted.
  • Cookie values are intentionally discarded and never returned.
  • Error messages are generic and do not persist exception details.
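
Two of these safety rules, same-site redirects and a body cap enforced on decompressed bytes, as an added example that is not the Actor's code. The redirect check uses an exact-host-or-subdomain rule, which is a simplification of this example; the cap is enforced with a streaming zlib decompressor limited by max_length so the payload is never fully inflated before the check. All input bytes are constructed inline.

```python
"""Bounded-fetch helpers (added example, not the Actor's code)."""
import gzip
import zlib
from urllib.parse import urljoin, urlsplit

MAX_BODY_BYTES = 3 * 1024 * 1024  # the 3 MB cap from the Safety section


class BodyTooLarge(Exception):
    """Raised when a body, after decompression, would exceed the cap."""


def same_site(origin_url: str, location: str) -> bool:
    """True when a redirect target stays on the origin host or one of its subdomains.

    Simplification assumed by this example: real eTLD+1 logic needs a public
    suffix list; relative Location values are resolved against the origin.
    """
    base = urlsplit(origin_url)
    target = urlsplit(urljoin(origin_url, location))
    if target.scheme not in ("http", "https"):
        return False
    origin_host = (base.hostname or "").lower()
    target_host = (target.hostname or "").lower()
    return target_host == origin_host or target_host.endswith("." + origin_host)


def read_capped(body: bytes, gzipped: bool, cap: int = MAX_BODY_BYTES) -> bytes:
    """Return at most `cap` decompressed bytes; raise BodyTooLarge if the body would exceed it."""
    if not gzipped:
        if len(body) > cap:
            raise BodyTooLarge("raw body over cap")
        return body
    inflater = zlib.decompressobj(wbits=zlib.MAX_WBITS | 16)  # gzip framing
    out = inflater.decompress(body, cap + 1)  # inflate no more than cap+1 bytes
    if len(out) > cap or inflater.unconsumed_tail:
        raise BodyTooLarge("decompressed body over cap")
    return out + inflater.flush()


def fits_cap(body: bytes, gzipped: bool, cap: int = MAX_BODY_BYTES) -> bool:
    """Boolean wrapper around read_capped for callers that only need a yes/no."""
    try:
        read_capped(body, gzipped, cap)
        return True
    except BodyTooLarge:
        return False


if __name__ == "__main__":
    # Constructed inputs: a small page and a highly compressible oversized one.
    small = gzip.compress(b"<html>ok</html>")
    big = gzip.compress(b"\0" * (4 * 1024 * 1024))
    print("small fits:", fits_cap(small, True), "| big fits:", fits_cap(big, True))
    print("redirect to /login same-site:", same_site("https://example.com/", "/login"))
```

Checking the cap on decompressed output rather than on Content-Length is the point: a gzip body of a few kilobytes can expand to many megabytes, and a limit applied to the wire size would not catch it.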