SSL & Security Headers Checker (HTTP Probe)

Bulk site-health probe in a single record per URL: TLS certificate, security-header grade (A+ through F), redirect chain, TTFB, HTTP/2 and HTTP/3 negotiation, and IPv6 reachability. Pure Node, no browser, no proxies.

---

SSL & Security Headers Features

• TLS certificate capture: issuer, subject, validity window, daysToExpiry, signature algorithm, SAN list, serial number, OCSP stapling.
• Security-header grading modeled after securityheaders.com — A+ / A / B / C / D / F across the standard nine (CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP, COEP, CORP).
• Lists every missing header so you can hand the row to a developer and say "this".
• Full redirect-chain capture (up to 10 hops) with status codes and from/to.
• HTTP/2 detection via ALPN, HTTP/3 detection via the Alt-Svc header.
• Optional IPv6 reachability probe — resolves AAAA, opens a family:6 TLS connection, records the boolean.
• Bare hosts auto-prefix to https://. Duplicates are removed before probing.

---

Who Uses Site Health Probe Data?

• DevOps and SRE — track SSL expiry windows across portfolios so a forgotten cert never takes a service down.
• Security teams — audit CSP, HSTS, and frame-ancestors posture across thousands of subdomains in one run.
• CI pipelines — fail a build when a deployment regresses on security headers or HTTPS posture.
• Penetration testers — bulk-fingerprint TLS, HTTP/2, HTTP/3, and IPv6 surface area before a deeper engagement.
• Compliance auditors — produce evidence of TLS hygiene across a portfolio without writing a custom probe each quarter.

---

How HTTP Probe Works

1. Pass in a list of URLs (or bare hosts; they auto-prefix to https://). Duplicates are dropped.
2. For each URL the actor runs a TLS handshake (with ALPN h2 negotiation), then issues an HTTP request — preferring HTTP/2 when negotiated, falling back to HTTP/1.1.
3. If followRedirects is on, every hop is captured and walked up to 10 levels with cycle detection.
4. The header grader checks the configured set, computes the A+ through F grade, and the row also records HTTP/3 (Alt-Svc) and optional IPv6 reachability.

---

Input

{
  "urls": ["https://example.com/", "https://github.com/", "https://cloudflare.com/"],
  "maxItems": 5,
  "followRedirects": true,
  "checkHeaders": [
    "content-security-policy",
    "strict-transport-security",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
    "permissions-policy",
    "cross-origin-opener-policy",
    "cross-origin-embedder-policy",
    "cross-origin-resource-policy"
  ],
  "runIPv6": false,
  "timeoutSec": 15,
  "concurrency": 25
}

Field	Type	Default	Description
urls	array	required	URLs (https://example.com/) or bare hosts (example.com). Bare hosts auto-prefix to https://.
maxItems	integer	5	Cap on URLs probed after dedup. Range 1-10000.
followRedirects	boolean	true	Follow up to 10 redirects and log each hop.
checkHeaders	array	the standard nine	Security headers to grade.
runIPv6	boolean	false	Probe IPv6 (AAAA + family:6 TLS connect). Records ipv6Reachable.
timeoutSec	integer	15	Per-URL HTTP timeout in seconds. Range 3-60.
concurrency	integer	25	Parallel probes. Hard cap at 50 to avoid socket exhaustion.

---

SSL & Security Headers Output Fields

{
  "url": "https://cloudflare.com/",
  "finalUrl": "https://www.cloudflare.com/",
  "status": 200,
  "redirectChain": ["301 https://cloudflare.com/ -> https://www.cloudflare.com/"],
  "ttfbMs": 142,
  "totalMs": 487,
  "ssl": {
    "subject": "Cloudflare, Inc. / cloudflare.com",
    "issuer": "Google Trust Services / WE1",
    "validFrom": "2026-03-12T20:59:51.000Z",
    "validTo": "2026-06-10T21:59:46.000Z",
    "daysToExpiry": 41,
    "sigAlg": "prime256v1",
    "sans": ["cloudflare.com", "*.cloudflare.com"],
    "serialNumber": "AABBCC",
    "ocspStapling": true
  },
  "headers": {
    "raw": {
      "strict-transport-security": "max-age=63072000; includeSubDomains; preload",
      "content-security-policy": "default-src 'self'"
    },
    "missingSecurity": ["cross-origin-embedder-policy"],
    "gradeApprox": "B"
  },
  "http2": true,
  "http3": true,
  "ipv6Reachable": false,
  "probedAt": "2026-04-30T12:00:00.000Z",
  "error": ""
}

Field	Type	Description
url	string	Probed URL (input).
finalUrl	string	URL after redirects (same as url when none followed).
status	number	HTTP status code of the final response.
redirectChain	array	Ordered list of hops as 'STATUS from -> to' strings.
ttfbMs	number	Time to first byte in ms.
totalMs	number	Total elapsed time in ms (TLS + request + body).
ssl	object	issuer, subject, validFrom, validTo, daysToExpiry, sigAlg, sans, serialNumber, ocspStapling.
headers	object	{raw, missingSecurity, gradeApprox}.
http2	boolean	True when the server negotiated HTTP/2 via ALPN.
http3	boolean	True when the server advertises HTTP/3 via Alt-Svc.
ipv6Reachable	boolean	True when the IPv6 probe connected (only meaningful when runIPv6=true).
probedAt	string	ISO timestamp when the probe completed.
error	string	Error message on failure (empty on success).

Grade rules

• A+ — every wanted header present, HSTS includes preload, HSTS max-age >= 1 year, CSP defined and free of unsafe-inline / unsafe-eval.
• A — every wanted header present, no A+ bonus.
• B — 7-8 of 9 present.
• C — 5-6 present.
• D — 3-4 present.
• F — fewer than 3 present, or no headers received at all.

---

Pricing

Two events. Basic probes are cheap. Full audits — runIPv6=true AND followRedirects=true AND the full standard nine headers graded — bill at the premium rate because they spend more time on the wire.

Event	Price
Actor start	$0.10
Basic probe	$0.002
Full audit	$0.004

Volume	Basic	Full audit
100 URLs	$0.30	$0.50
1,000 URLs	$2.10	$4.10
10,000 URLs	$20.10	$40.10

---

Limits

• maxItems caps at 10,000 per run.
• The Apify console tester has a 5-minute timeout — keep maxItems low (default 5) for in-browser testing.
• concurrency caps at 50 to avoid socket exhaustion on the runner.
• TLS handshake timeout is fixed at 8 seconds. HTTP request timeout defaults to 15 s, max 60 s.
• Up to 10 redirects per URL; cycles are detected via the visited-set and short-circuited.
• IPv6 reachability is opt-in. Many runners have IPv6 disabled at the host level — if you need definitive IPv6 results, run on a runner you control.

---

Related Actors

• DNS Domain Audit — pair for full DNS + WHOIS + email-auth + TLS posture per domain.
• Sitemap Walker Pro — discover URLs across a site, then probe each one.
• Structured Data Validator Pro — combine for SEO + security audits in the same run.

---

Need More Features?

Useful queued additions: TLS cipher details, certificate-chain depth, HSTS preload-list lookup, CT-log SCT count, MTA-STS / TLS-RPT, BIMI, CAA enforcement check. File an issue to vote one up.

Why Use SSL & Security Headers Checker?

• One row, full picture — TLS, headers, redirects, HTTP/2/3, IPv6, and timings in a single record. Sortable, filterable, and ready for a dashboard.
• Cheap at scale — $0.002 per basic probe. 10,000 sites for $20 puts the spreadsheet you've been maintaining out of business.
• No browser — pure Node sockets. Faster, cheaper, and less brittle than driving a Chromium for what is, fundamentally, a TLS handshake and a HEAD request.

---

Built by OrbTop.