Security Headers Auditor
Pricing
from $9.80 / 1,000 targets audited
Audit website security headers such as CSP, HSTS, X-Frame-Options, Referrer-Policy, and Permissions-Policy.
Developer
junipr
Audit website security headers such as Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, Referrer-Policy, and Permissions-Policy.
What This Actor Does
Security Headers Auditor checks supplied header snapshots, or optionally the headers of live URLs, for common browser security controls. It scores each target, flags missing or weak headers, compares previous and current header snapshots, and writes dataset rows plus summary reports.
The default run uses a built-in header fixture, so it produces useful output without fetching a live website or incurring extra platform usage.
What This Actor Does Not Do
- It does not perform penetration testing or vulnerability exploitation.
- It does not guarantee compliance with any security standard.
- It does not provide legal, medical, or financial advice.
- It does not collect sensitive personal data.
- It does not require a browser or proxy.
Best Use Cases
- Audit a launch checklist for CSP, HSTS, nosniff, referrer, and permissions policies.
- Catch removed security headers after a CDN, reverse-proxy, or framework deployment.
- Detect weak CSP directives such as `unsafe-inline` or wildcard sources.
- Generate a concise security-header report for a client or internal QA handoff.
- Run a small scheduled check against critical marketing, app, or docs pages.
Input Fields
- `targets`: Header snapshots with optional `sourceId`, `sourceUrl`, `statusCode`, `headers`, and `previousHeaders`.
- `urls`: Optional URLs to fetch only when `fetchUrls` is true.
- `fetchUrls`: Fetch headers over HTTP. Defaults to `false` so zero-config runs are local and cheap.
- `comparePrevious`: Compare `previousHeaders` against current headers.
- `includeReport`: Write `SECURITY_HEADERS_RESULTS.json`, `SECURITY_HEADERS_SUMMARY.json`, and `SECURITY_HEADERS_REPORT.md` to the key-value store.
- `maxTargets`: Maximum targets to audit. Default is `25`; hard cap is `250`.
- `fetchTimeoutMs`: HTTP timeout for optional URL fetches.
- `debug`: Enable extra troubleshooting logs.
Example Input
```json
{
  "targets": [
    {
      "sourceId": "homepage",
      "sourceUrl": "https://example.com",
      "headers": {
        "strict-transport-security": "max-age=31536000; includeSubDomains; preload",
        "content-security-policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
        "x-content-type-options": "nosniff",
        "referrer-policy": "strict-origin-when-cross-origin",
        "permissions-policy": "geolocation=()"
      }
    }
  ],
  "fetchUrls": false,
  "comparePrevious": true,
  "includeReport": true,
  "maxTargets": 10
}
```
Output Fields
Each dataset item represents one audited target:
- `auditId`: Stable hash for the header snapshot.
- `sourceType`, `sourceId`, `sourceUrl`, and `statusCode`: Target provenance.
- `status`, `severity`, and `securityScore`: Overall result.
- `checkedHeaders`, `presentHeaders`, `missingHeaders`, `weakHeaders`, and `criticalFindings`: Header inventory and risk.
- `addedHeaders`, `removedHeaders`, and `changedHeaders`: Previous/current diff fields.
- CSP fields such as `cspHasDefaultSrc`, `cspHasFrameAncestors`, `cspAllowsUnsafeInline`, and `cspAllowsWildcard`.
- HSTS fields such as `hstsMaxAgeSeconds`, `hstsIncludesSubdomains`, and `hstsPreload`.
- Header-specific fields for X-Frame-Options, nosniff, Referrer-Policy, Permissions-Policy, COOP, and CORP.
- `issues`: Structured issue list.
- `recommendation`: Suggested next action.
- `checkedAt`: ISO audit timestamp.
The key-value store also contains:
- `SECURITY_HEADERS_RESULTS.json`: Full result array.
- `SECURITY_HEADERS_SUMMARY.json`: Run-level counts, scores, missing headers, and top issues.
- `SECURITY_HEADERS_REPORT.md`: Human-readable summary.
Example Output
```json
{
  "sourceId": "sample-hardened-site",
  "sourceUrl": "https://example.com",
  "statusCode": 200,
  "status": "pass",
  "severity": "none",
  "securityScore": 100,
  "missingHeaders": [],
  "weakHeaders": [],
  "criticalFindings": [],
  "addedHeaders": [
    "content-security-policy",
    "cross-origin-opener-policy",
    "cross-origin-resource-policy",
    "permissions-policy",
    "referrer-policy",
    "x-frame-options"
  ],
  "changedHeaders": ["strict-transport-security"],
  "hasContentSecurityPolicy": true,
  "hasStrictTransportSecurity": true,
  "hstsMaxAgeSeconds": 31536000,
  "hstsIncludesSubdomains": true,
  "hasXContentTypeOptionsNoSniff": true,
  "issueCount": 0,
  "recommendation": "Security headers look strong for the supplied snapshot."
}
```
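To show how a header snapshot like the Example Input turns into the Output Fields above, here is an added JavaScript example (not the actor's own source code). It reproduces the page's field names (`cspAllowsUnsafeInline`, `hstsMaxAgeSeconds`, `addedHeaders`, ...) and the issue codes listed under Troubleshooting; the required-header set, scoring weights and the `fail` status value are assumptions.

```javascript
// Added example, not the actor's own code: audits one header snapshot into the
// field names the page lists and the issue codes from Troubleshooting.
// Assumed: this REQUIRED set, the 15/10-point weights and the "fail" status.
const REQUIRED = ["content-security-policy", "strict-transport-security",
  "x-content-type-options", "referrer-policy", "permissions-policy"];
const lowerKeys = (o) => Object.fromEntries(Object.entries(o).map(([k, v]) => [k.toLowerCase(), v]));

// "default-src 'self'; script-src 'unsafe-inline' *" -> { "default-src": ["'self'"], "script-src": [...] }
function parseCsp(value) {
  const directives = {};
  for (const part of value.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) directives[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return directives;
}

// "max-age=31536000; includeSubDomains; preload" -> the three hsts* output fields
function parseHsts(value) {
  const v = value.toLowerCase();
  const m = v.match(/max-age\s*=\s*(\d+)/);
  return { hstsMaxAgeSeconds: m ? Number(m[1]) : 0,
    hstsIncludesSubdomains: v.includes("includesubdomains"), hstsPreload: v.includes("preload") };
}

function auditHeaders(headers, previousHeaders = null) {
  const h = lowerKeys(headers), issues = [], weakHeaders = [];
  const missingHeaders = REQUIRED.filter((n) => !(n in h));
  issues.push(...missingHeaders.map((n) => `missing-${n}`)); // e.g. missing-content-security-policy
  const out = { missingHeaders, weakHeaders, issues };
  if (h["content-security-policy"]) {
    const csp = parseCsp(h["content-security-policy"]), sources = Object.values(csp).flat();
    out.cspHasDefaultSrc = "default-src" in csp; out.cspHasFrameAncestors = "frame-ancestors" in csp;
    out.cspAllowsUnsafeInline = sources.includes("'unsafe-inline'"); out.cspAllowsWildcard = sources.includes("*");
    if (out.cspAllowsUnsafeInline) issues.push("csp-unsafe-inline");
    if (out.cspAllowsUnsafeInline || out.cspAllowsWildcard) weakHeaders.push("content-security-policy");
  }
  if (h["strict-transport-security"]) {
    Object.assign(out, parseHsts(h["strict-transport-security"]));
    if (out.hstsMaxAgeSeconds < 31536000) weakHeaders.push("strict-transport-security"); // under one year
  }
  out.hasXContentTypeOptionsNoSniff = (h["x-content-type-options"] || "").toLowerCase() === "nosniff";
  if (previousHeaders) { // previous/current diff fields
    const p = lowerKeys(previousHeaders);
    out.addedHeaders = Object.keys(h).filter((k) => !(k in p)).sort();
    out.removedHeaders = Object.keys(p).filter((k) => !(k in h)).sort();
    out.changedHeaders = Object.keys(h).filter((k) => k in p && p[k] !== h[k]).sort();
    if (out.removedHeaders.length) issues.push("headers-removed");
  }
  out.securityScore = Math.max(0, 100 - 15 * missingHeaders.length - 10 * weakHeaders.length);
  out.status = issues.length === 0 && weakHeaders.length === 0 ? "pass" : "fail";
  return out;
}
```

Run `auditHeaders(current, previous)` on the `headers` and `previousHeaders` of one target; the wildcard check only matches a bare `*` source, so a host pattern such as `https://*.example.com` is not flagged here.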
Pricing And Events
This actor uses pay-per-event pricing with the P1 audit template:
- `actor-start`: $0.025 per run for setup and target preparation.
- `target-audited`: $0.0098 per audited target, or $9.80 per 1,000 targets.
- `report-generated`: $0.05 when report artifacts are generated.
Platform usage pass-through is intentionally off for local header snapshots and lightweight HEAD requests. Keep fetchUrls off for fixture/default runs, and start with a small target set before enabling live URL checks.
Cost-Control Tips
- Use inline `headers` snapshots for deterministic CI and client QA checks.
- Keep `fetchUrls` false unless you explicitly want the actor to perform HTTP requests.
- Use `maxTargets` between 1 and 10 for initial runs.
- Use `previousHeaders` to catch regressions without crawling many pages.
Public Task Examples
This actor includes five prepared task concepts:
- Hardened baseline header check.
- Missing CSP and HSTS audit.
- Weak CSP detector.
- Header regression diff.
- Optional live URL header check.
FAQ
Does this replace a security review?
No. It is a header-audit tool, not a penetration test or complete security assessment.
Can it fetch live pages?
Yes, set `fetchUrls` to true and provide `urls`. The default is false to keep the Store quality run deterministic and cheap.
Does it need a browser?
No. It audits HTTP headers and supplied header snapshots.
Are diagnostics billed as dataset rows?
No. Target audit rows are billed via target-audited. Summary diagnostics are written to the key-value store, not as extra default dataset rows.
Troubleshooting
- `missing-content-security-policy`: Add a CSP suited to the app before claiming browser-side hardening.
- `missing-strict-transport-security`: Add HSTS after confirming HTTPS is enforced for the hostname.
- `csp-unsafe-inline`: Remove inline scripts/styles or use nonces/hashes where practical.
- `headers-removed`: Compare CDN/reverse-proxy rules and deployment diffs.
Limitations
- This actor checks practical header presence and common weak patterns, not every possible browser security nuance.
- Live URL fetching can fail due to network errors, redirects, authentication, or bot filtering; inline snapshots are more deterministic.
- Header recommendations must be adapted to the application. Some policies require careful rollout to avoid breaking production.
Source And Safety Notes
Audit only URLs and header snapshots you are authorized to inspect. Do not upload sensitive internal headers unless you are allowed to process them in Apify.
Changelog
1.0.0: Initial production build with security-header scoring, previous/current diffing, KVS reports, PPE billing, examples, and fixture tests.
Premium local completion scope
This actor is prepared for local ChatGPT review as a premium, honestly scoped Store candidate. It processes user-supplied fixtures, records, snapshots, schemas, URLs, or exported source data with strict caps and deterministic logic before any live Apify replay.
It does not perform live Apify Store publication, live Store icon upload, live public task creation, or live pricing changes in this local package. Cloud replay remains a separate step. The local implementation is scoped to: Audit website security headers such as CSP, HSTS, X-Frame-Options, Referrer-Policy, and Permissions-Policy.
Use the default input first. It is intentionally tiny and designed to complete quickly while still producing dataset rows, schema-validation evidence, billing-guard proof, and report artifacts.