# Public Security Headers & Cookie Surface Audit Agent (`jacksu/public-security-headers-audit-agent`) Actor

Audit public HTTP response security headers, HTTPS redirect behavior, and cookie attribute exposure without scanning, attacking, or storing cookie values.

- **URL**: https://apify.com/jacksu/public-security-headers-audit-agent.md
- **Developed by:** [jack su](https://apify.com/jacksu) (community)
- **Categories:** Developer tools, Business, Automation
- **Stats:** 2 total users, 1 monthly users, 100.0% runs succeeded, 0 bookmarks
- **User rating**: No ratings yet

## Pricing

from $5.00 / 1,000 useful security header audit results

This Actor is paid per event. You are not charged for the Apify platform usage, but only a fixed price for specific events.

Learn more: https://docs.apify.com/platform/actors/running/actors-in-store#pay-per-event

## What's an Apify Actor?

Actors are software tools that run on the Apify platform for all kinds of web data extraction and automation use cases.
In Batch mode, an Actor accepts a well-defined JSON input, performs an action which can take anything from a few seconds to a few hours,
and optionally produces a well-defined JSON output, datasets with results, or files in key-value store.
In Standby mode, an Actor provides a web server which can be used as a website, API, or an MCP server.
Actors are written with capital "A".

## How to integrate an Actor?

If asked about integration, you help developers integrate Actors into their projects.
You adapt to their stack and deliver integrations that are safe, well-documented, and production-ready.
The best way to integrate Actors is as follows.

In JavaScript/TypeScript projects, use official [JavaScript/TypeScript client](https://docs.apify.com/api/client/js.md):

```bash
npm install apify-client
```

In Python projects, use official [Python client library](https://docs.apify.com/api/client/python.md):

```bash
pip install apify-client
```

In shell scripts, use [Apify CLI](https://docs.apify.com/cli/docs.md):

```bash
# MacOS / Linux
curl -fsSL https://apify.com/install-cli.sh | bash
# Windows
irm https://apify.com/install-cli.ps1 | iex
```

In AI frameworks, you might use the [Apify MCP server](https://docs.apify.com/platform/integrations/mcp.md).

If your project is in a different language, use the [REST API](https://docs.apify.com/api/v2.md).

For usage examples, see the [API](#api) section below.

For more details, see Apify documentation as [Markdown index](https://docs.apify.com/llms.txt) and [Markdown full-text](https://docs.apify.com/llms-full.txt).


# README

## Public Security Headers & Cookie Surface Audit Agent

Turn public web pages into compact, source-linked security header and cookie surface records for AI agents, vendor review, web operations, SEO/engineering audits, and lightweight due diligence.

The Actor fetches the exact public HTTP/HTTPS URL you provide and returns one audit record per page:

- common browser security headers and safe value summaries
- missing required headers
- weak header findings such as short HSTS, unsafe CSP signals, or weak frame protection
- HTTPS redirect status for HTTP inputs
- cookie summaries that keep only cookie names and attributes, never cookie values
- risk labels, evidence URLs, redirect chain, `headerHash`, and `changeStatus`
- confidence, completeness, missing fields, diagnostics, and readable errors

### Good Fits

- Check whether a public website exposes HSTS, CSP, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and frame controls.
- Summarize public Set-Cookie attributes without storing session values.
- Compare a current audit with a previous record and avoid paying for unchanged results.
- Give AI agents a small evidence-backed security-surface signal before deeper review.

### Not A Fit

- This is not a vulnerability scanner, penetration test, compliance certification, uptime monitor, browser renderer, or malware detector.
- It does not probe paths, submit forms, log in, use cookies, attack targets, fuzz parameters, bypass paywalls, or inspect private systems.
- It does not store cookie values. Cookie output is limited to name and attributes such as Secure, HttpOnly, SameSite, Path, Domain, Max-Age, and Expires.

### Input

```json
{
  "urls": ["https://apify.com/"],
  "requiredHeaders": [
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
    "referrer-policy",
    "permissions-policy"
  ],
  "previousHeaderRecords": [],
  "requestTimeoutSecs": 15
}
````

`urls` must be public HTTP/HTTPS pages. URLs containing credentials, path parameters, query parameters, fragments, localhost, private-network hosts, `.local` names, or token-like account paths are rejected.

### Output

```json
{
  "status": "ok",
  "inputUrl": "https://example.com",
  "finalUrl": "https://example.com",
  "siteOriginUrl": "https://example.com",
  "changeStatus": "new",
  "httpStatusCode": 200,
  "httpsRedirectStatus": "already_https",
  "pageTitle": "Secure Example",
  "securityHeaders": [
    {
      "name": "strict-transport-security",
      "present": true,
      "valueSummary": "max-age=31536000; includeSubDomains; preload",
      "verdict": "strong"
    }
  ],
  "missingHeaders": [],
  "weakHeaderFindings": [],
  "cookieSummaries": [
    {
      "name": "sessionid",
      "secure": true,
      "httpOnly": true,
      "sameSite": "Lax",
      "path": "/",
      "domain": "",
      "hostOnly": true,
      "riskLabels": []
    }
  ],
  "riskLabels": ["no-obvious-header-or-cookie-risk"],
  "headerHash": "stable-sha256",
  "previousHeaderHash": "",
  "evidenceUrls": ["https://example.com"],
  "confidenceScore": 0.93,
  "completenessScore": 0.85,
  "diagnostics": ["cookiesDetected"]
}
```
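To make the record shape above concrete, here is an added Python example (not the Actor's code) that builds the same kind of record from a captured list of response header lines: it judges each required header, splits the value off every `Set-Cookie` line before anything is kept, hashes the verdicts and cookie attributes into `headerHash`, and derives `changeStatus` from a previous hash. The verdict thresholds (one-year HSTS, `'unsafe-inline'`/`'unsafe-eval'` in CSP, `DENY`/`SAMEORIGIN` for frame protection), the finding and risk-label strings other than `no-obvious-header-or-cookie-risk`, the hash recipe and the sample headers are all assumptions made for illustration; the page does not publish the Actor's own rules.

```python
"""Added example (not the Actor's code): build a header/cookie audit record from
captured response headers. Thresholds, finding strings and the hash recipe are
assumptions chosen for illustration."""
from __future__ import annotations

import hashlib
import json
import re

DEFAULT_REQUIRED = [
    "strict-transport-security", "content-security-policy", "x-content-type-options",
    "x-frame-options", "referrer-policy", "permissions-policy",
]

# Constructed sample response headers (not captured from any real site).
SAMPLE_HEADERS = [
    ("Strict-Transport-Security", "max-age=3600"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline'"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-Frame-Options", "ALLOWALL"),
    ("Set-Cookie", "sessionid=8f3a9c0b; Path=/; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "theme=dark; Path=/; Secure; Domain=example.com"),
]


def judge_header(name: str, value: str) -> tuple[str, str | None]:
    """Return (verdict, finding) for one header; the thresholds are assumptions."""
    v = value.strip().lower()
    if name == "strict-transport-security":
        m = re.search(r"max-age=(\d+)", v)
        age = int(m.group(1)) if m else 0
        return ("strong", None) if age >= 31536000 else ("weak", f"hsts-max-age-short:{age}")
    if name == "content-security-policy":
        bad = [t for t in ("unsafe-inline", "unsafe-eval") if f"'{t}'" in v]
        return ("weak", "csp-" + "-".join(bad)) if bad else ("strong", None)
    if name == "x-frame-options":
        return ("strong", None) if v in ("deny", "sameorigin") else ("weak", f"frame-options-weak:{v}")
    if name == "x-content-type-options":
        return ("strong", None) if v == "nosniff" else ("weak", "xcto-not-nosniff")
    return "present", None  # header is set; this example has no value rule for it


def summarize_cookie(set_cookie: str) -> dict:
    """Keep the cookie name and attributes only; the value is split off and discarded."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name, _, _value = parts[0].partition("=")  # _value is never stored or returned
    attrs = {}
    for p in parts[1:]:
        k, _, val = p.partition("=")
        attrs[k.strip().lower()] = val.strip()
    risks = [f"cookie-missing-{a}" for a in ("secure", "httponly", "samesite") if a not in attrs]
    domain = attrs.get("domain", "")
    return {"name": name.strip(), "secure": "secure" in attrs, "httpOnly": "httponly" in attrs,
            "sameSite": attrs.get("samesite", ""), "path": attrs.get("path", ""),
            "domain": domain, "hostOnly": domain == "", "riskLabels": risks}


def header_hash(security_headers: list, cookie_summaries: list) -> str:
    """Stable SHA-256 over verdicts and cookie attributes; cookie values never reach it."""
    canonical = json.dumps({"h": security_headers, "c": cookie_summaries},
                           sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def build_record(raw_headers: list, required=DEFAULT_REQUIRED, previous_hash: str = "") -> dict:
    """Produce the audit fields the Output section lists, from (name, value) header pairs."""
    lowered, cookies = {}, []
    for name, value in raw_headers:  # header names are case-insensitive
        if name.lower() == "set-cookie":
            cookies.append(value)
        else:
            lowered[name.lower()] = value
    security_headers, missing, findings = [], [], []
    for req in required:
        if req in lowered:
            verdict, finding = judge_header(req, lowered[req])
            security_headers.append({"name": req, "present": True,
                                     "valueSummary": lowered[req][:120], "verdict": verdict})
            if finding:
                findings.append(finding)
        else:
            security_headers.append({"name": req, "present": False, "valueSummary": "", "verdict": "missing"})
            missing.append(req)
    cookie_summaries = [summarize_cookie(c) for c in cookies]
    digest = header_hash(security_headers, cookie_summaries)
    change = "new" if not previous_hash else ("unchanged" if previous_hash == digest else "changed")
    risks = findings + [f"missing-{m}" for m in missing] + [r for c in cookie_summaries for r in c["riskLabels"]]
    return {"securityHeaders": security_headers, "missingHeaders": missing,
            "weakHeaderFindings": findings, "cookieSummaries": cookie_summaries,
            "riskLabels": sorted(set(risks)) or ["no-obvious-header-or-cookie-risk"],
            "headerHash": digest, "previousHeaderHash": previous_hash, "changeStatus": change}


if __name__ == "__main__":
    first = build_record(SAMPLE_HEADERS)
    print(json.dumps(first, indent=2))
    again = build_record(SAMPLE_HEADERS, previous_hash=first["headerHash"])
    print("second audit:", again["changeStatus"])  # unchanged, so not a chargeable result
```

Two points carry over to any implementation of this audit: the cookie value is discarded before the summary dict exists, so it cannot leak into a dataset, a log or the hash; and the hash covers only verdicts and attributes, so re-auditing an unchanged site yields the same `headerHash` and an `unchanged` record rather than a new result.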

### Pricing Behavior

The intended Apify pricing model is pay-per-event:

- `apify-actor-start`: small run-start event
- `useful-security-header-audit-result`: charged only for useful public security-header audit records

The useful event is not charged for failed fetches, private-network inputs, query-token inputs, unsupported URLs, unchanged records, or low-confidence records.

Do not configure `apify-default-dataset-item` for this Actor.

### Safety

- Public HTTP/HTTPS pages only.
- Same-site redirects only.
- HTML/text response size is capped at 3 MB, counted after gzip decompression, so a small compressed body cannot expand past the cap.
- Credentials, query strings, fragments, path params, sensitive account paths, token-like path segments, localhost, private IPs, non-global IPs, and `.local` hosts are rejected or redacted.
- Cookie values are intentionally discarded and never returned.
- Error messages are generic and do not persist exception details.
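The rejection rules in this Safety list (and in the `urls` input description) amount to an allow-list for fetch targets, the same check any server-side fetcher needs so it cannot be pointed at internal services. The following Python validator is an added example, not the Actor's code; the reason strings, the sensitive-path prefixes and the token-like-segment heuristic are assumptions, since the page does not publish the Actor's exact rules.

```python
"""Added example (not the Actor's code): reject URLs that are not plain public
pages before anything is fetched. Reason strings, the sensitive-path prefixes
and the token-like heuristic are assumptions made for illustration."""
from __future__ import annotations

import ipaddress
import re
from urllib.parse import urlsplit

# Assumed: account-scoped path prefixes that are not public pages.
SENSITIVE_PATH_PREFIXES = ("/account", "/admin", "/dashboard", "/settings")
HEX_RUN = re.compile(r"^[0-9a-f]{24,}$", re.IGNORECASE)


def looks_like_token(segment: str) -> bool:
    """Assumed heuristic: a long hex run, or a long mixed-case alphanumeric run with digits."""
    if HEX_RUN.match(segment):
        return True
    return (len(segment) >= 32 and re.search(r"\d", segment) is not None
            and re.search(r"[A-Z]", segment) is not None and re.search(r"[a-z]", segment) is not None)


def reject_reason(url: str) -> str | None:
    """Return None for an acceptable public HTTP/HTTPS page URL, else a short reason."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return "unparseable"
    if parts.scheme not in ("http", "https"):
        return "unsupported-scheme"
    if parts.username is not None or parts.password is not None:
        return "credentials-in-url"
    if parts.query:
        return "query-string"
    if parts.fragment:
        return "fragment"
    if ";" in parts.path:
        return "path-parameters"
    host = (parts.hostname or "").rstrip(".").lower()
    if not host:
        return "missing-host"
    if host == "localhost" or host.endswith((".localhost", ".local")):
        return "local-host"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a DNS name; resolution is deliberately not done here
    if ip is not None:
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped  # test the embedded IPv4 address, not the mapping range
        if not ip.is_global:  # loopback, RFC 1918, link-local, multicast, reserved, ...
            return "non-global-ip"
    path = parts.path.lower()
    if any(path == p or path.startswith(p + "/") for p in SENSITIVE_PATH_PREFIXES):
        return "sensitive-account-path"
    if any(looks_like_token(seg) for seg in parts.path.split("/") if seg):
        return "token-like-path-segment"
    return None


def filter_targets(urls: list[str]) -> tuple[list[str], dict[str, str]]:
    """Split a batch into accepted targets and a {url: reason} map of rejections."""
    accepted, rejected = [], {}
    for u in urls:
        reason = reject_reason(u)
        if reason is None:
            accepted.append(u)
        else:
            rejected[u] = reason
    return accepted, rejected


if __name__ == "__main__":
    ok, bad = filter_targets([
        "https://apify.com/",
        "https://user:pw@example.com/",
        "http://[::ffff:10.0.0.5]/",
        "https://example.com/reset/0123456789abcdef0123456789abcdef",
    ])
    print("accepted:", ok)
    print("rejected:", bad)
```

Two caveats a practitioner should carry over. First, this checks only the literal host: a public DNS name that resolves (or later rebinds) to a private address passes parsing, so the fetcher must also inspect the resolved address at connect time and again on every redirect hop, which is where the "same-site redirects only" rule above does its work. Second, IPv4-mapped IPv6 literals such as `::ffff:10.0.0.5` are unwrapped so the `is_global` test runs on the embedded IPv4 address rather than on however the running Python version classifies the mapping range.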

# Actor input Schema

## `urls` (type: `array`):

Public HTTP/HTTPS URLs to audit. Query parameters, fragments, credentials, path params, private-network hosts, and token-like account paths are rejected.

## `requiredHeaders` (type: `array`):

Header names to require in the audit. Defaults cover common browser-facing security controls.

## `previousHeaderRecords` (type: `array`):

Optional previous records from this Actor. If the header hash is unchanged, the record is written without charging the useful event.

## `requestTimeoutSecs` (type: `integer`):

Maximum time in seconds to wait for each public page response.

## Actor input object example

```json
{
  "urls": [
    "https://apify.com/"
  ],
  "requiredHeaders": [
    "strict-transport-security",
    "content-security-policy",
    "x-content-type-options",
    "x-frame-options",
    "referrer-policy",
    "permissions-policy"
  ],
  "previousHeaderRecords": [],
  "requestTimeoutSecs": 15
}
```

# Actor output Schema

## `datasetId` (type: `string`):

No description

# API

You can run this Actor programmatically using our API. Below are code examples in JavaScript, Python, and CLI, as well as the OpenAPI specification and MCP server setup.

## JavaScript example

```javascript
import { ApifyClient } from 'apify-client';

// Initialize the ApifyClient with your Apify API token
// Replace the '<YOUR_API_TOKEN>' with your token
const client = new ApifyClient({
    token: '<YOUR_API_TOKEN>',
});

// Prepare Actor input
const input = {};

// Run the Actor and wait for it to finish
const run = await client.actor("jacksu/public-security-headers-audit-agent").call(input);

// Fetch and print Actor results from the run's dataset (if any)
console.log('Results from dataset');
console.log(`💾 Check your data here: https://console.apify.com/storage/datasets/${run.defaultDatasetId}`);
const { items } = await client.dataset(run.defaultDatasetId).listItems();
items.forEach((item) => {
    console.dir(item);
});

// 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/js/docs

```

## Python example

```python
from apify_client import ApifyClient

# Initialize the ApifyClient with your Apify API token
# Replace '<YOUR_API_TOKEN>' with your token.
client = ApifyClient("<YOUR_API_TOKEN>")

# Prepare the Actor input
run_input = {}

# Run the Actor and wait for it to finish
run = client.actor("jacksu/public-security-headers-audit-agent").call(run_input=run_input)

# Fetch and print Actor results from the run's dataset (if there are any)
print("💾 Check your data here: https://console.apify.com/storage/datasets/" + run["defaultDatasetId"])
for item in client.dataset(run["defaultDatasetId"]).iterate_items():
    print(item)

# 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/python/docs/quick-start

```

## CLI example

```bash
echo '{}' |
apify call jacksu/public-security-headers-audit-agent --silent --output-dataset

```

## MCP server setup

```json
{
    "mcpServers": {
        "apify": {
            "command": "npx",
            "args": [
                "mcp-remote",
                "https://mcp.apify.com/?tools=jacksu/public-security-headers-audit-agent",
                "--header",
                "Authorization: Bearer <YOUR_API_TOKEN>"
            ]
        }
    }
}

```

## OpenAPI specification

```json
{
    "openapi": "3.0.1",
    "info": {
        "title": "Public Security Headers & Cookie Surface Audit Agent",
        "description": "Audit public HTTP response security headers, HTTPS redirect behavior, and cookie attribute exposure without scanning, attacking, or storing cookie values.",
        "version": "0.1",
        "x-build-id": "4dpz3I1rShfEy9Xmr"
    },
    "servers": [
        {
            "url": "https://api.apify.com/v2"
        }
    ],
    "paths": {
        "/acts/jacksu~public-security-headers-audit-agent/run-sync-get-dataset-items": {
            "post": {
                "operationId": "run-sync-get-dataset-items-jacksu-public-security-headers-audit-agent",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK"
                    }
                }
            }
        },
        "/acts/jacksu~public-security-headers-audit-agent/runs": {
            "post": {
                "operationId": "runs-sync-jacksu-public-security-headers-audit-agent",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor and returns information about the initiated run in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK",
                        "content": {
                            "application/json": {
                                "schema": {
                                    "$ref": "#/components/schemas/runsResponseSchema"
                                }
                            }
                        }
                    }
                }
            }
        },
        "/acts/jacksu~public-security-headers-audit-agent/run-sync": {
            "post": {
                "operationId": "run-sync-jacksu-public-security-headers-audit-agent",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK"
                    }
                }
            }
        }
    },
    "components": {
        "schemas": {
            "inputSchema": {
                "type": "object",
                "required": [
                    "urls"
                ],
                "properties": {
                    "urls": {
                        "title": "Page URLs",
                        "minItems": 1,
                        "maxItems": 20,
                        "type": "array",
                        "description": "Public HTTP/HTTPS URLs to audit. Query parameters, fragments, credentials, path params, private-network hosts, and token-like account paths are rejected.",
                        "items": {
                            "type": "string"
                        },
                        "default": [
                            "https://apify.com/"
                        ]
                    },
                    "requiredHeaders": {
                        "title": "Required headers",
                        "type": "array",
                        "description": "Header names to require in the audit. Defaults cover common browser-facing security controls.",
                        "items": {
                            "type": "string"
                        },
                        "default": [
                            "strict-transport-security",
                            "content-security-policy",
                            "x-content-type-options",
                            "x-frame-options",
                            "referrer-policy",
                            "permissions-policy"
                        ]
                    },
                    "previousHeaderRecords": {
                        "title": "Previous header audit records",
                        "type": "array",
                        "description": "Optional previous records from this Actor. If the header hash is unchanged, the record is written without charging the useful event.",
                        "items": {
                            "type": "object"
                        },
                        "default": []
                    },
                    "requestTimeoutSecs": {
                        "title": "Request timeout",
                        "minimum": 5,
                        "maximum": 30,
                        "type": "integer",
                        "description": "Maximum time in seconds to wait for each public page response.",
                        "default": 15
                    }
                }
            },
            "runsResponseSchema": {
                "type": "object",
                "properties": {
                    "data": {
                        "type": "object",
                        "properties": {
                            "id": {
                                "type": "string"
                            },
                            "actId": {
                                "type": "string"
                            },
                            "userId": {
                                "type": "string"
                            },
                            "startedAt": {
                                "type": "string",
                                "format": "date-time",
                                "example": "2025-01-08T00:00:00.000Z"
                            },
                            "finishedAt": {
                                "type": "string",
                                "format": "date-time",
                                "example": "2025-01-08T00:00:00.000Z"
                            },
                            "status": {
                                "type": "string",
                                "example": "READY"
                            },
                            "meta": {
                                "type": "object",
                                "properties": {
                                    "origin": {
                                        "type": "string",
                                        "example": "API"
                                    },
                                    "userAgent": {
                                        "type": "string"
                                    }
                                }
                            },
                            "stats": {
                                "type": "object",
                                "properties": {
                                    "inputBodyLen": {
                                        "type": "integer",
                                        "example": 2000
                                    },
                                    "rebootCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "restartCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "resurrectCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "computeUnits": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            },
                            "options": {
                                "type": "object",
                                "properties": {
                                    "build": {
                                        "type": "string",
                                        "example": "latest"
                                    },
                                    "timeoutSecs": {
                                        "type": "integer",
                                        "example": 300
                                    },
                                    "memoryMbytes": {
                                        "type": "integer",
                                        "example": 1024
                                    },
                                    "diskMbytes": {
                                        "type": "integer",
                                        "example": 2048
                                    }
                                }
                            },
                            "buildId": {
                                "type": "string"
                            },
                            "defaultKeyValueStoreId": {
                                "type": "string"
                            },
                            "defaultDatasetId": {
                                "type": "string"
                            },
                            "defaultRequestQueueId": {
                                "type": "string"
                            },
                            "buildNumber": {
                                "type": "string",
                                "example": "1.0.0"
                            },
                            "containerUrl": {
                                "type": "string"
                            },
                            "usage": {
                                "type": "object",
                                "properties": {
                                    "ACTOR_COMPUTE_UNITS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_WRITES": {
                                        "type": "integer",
                                        "example": 1
                                    },
                                    "KEY_VALUE_STORE_LISTS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_INTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_EXTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_RESIDENTIAL_TRANSFER_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_SERPS": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            },
                            "usageTotalUsd": {
                                "type": "number",
                                "example": 0.00005
                            },
                            "usageUsd": {
                                "type": "object",
                                "properties": {
                                    "ACTOR_COMPUTE_UNITS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_WRITES": {
                                        "type": "number",
                                        "example": 0.00005
                                    },
                                    "KEY_VALUE_STORE_LISTS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_INTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_EXTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_RESIDENTIAL_TRANSFER_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_SERPS": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}
```
