Security Headers Auditor

Pricing

from $9.80 / 1,000 targets audited

Developer

junipr (Maintained by Community)

Audit website security headers such as Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, Referrer-Policy, and Permissions-Policy.

What This Actor Does

Security Headers Auditor checks supplied header snapshots or optional live URL headers for common browser security controls. It scores each target, flags missing or weak headers, compares previous/current header snapshots, and writes dataset rows plus summary reports.

The default run uses a built-in header fixture, so it produces useful output without fetching a live website or spending extra platform usage.

What This Actor Does Not Do

  • It does not perform penetration testing or vulnerability exploitation.
  • It does not guarantee compliance with any security standard.
  • It does not provide legal, medical, or financial advice.
  • It does not collect sensitive personal data.
  • It does not require a browser or proxy.

Best Use Cases

  • Audit a launch checklist for CSP, HSTS, nosniff, referrer, and permissions policies.
  • Catch removed security headers after a CDN, reverse-proxy, or framework deployment.
  • Detect weak CSP directives such as unsafe-inline or wildcard sources.
  • Generate a concise security-header report for a client or internal QA handoff.
  • Run a small scheduled check against critical marketing, app, or docs pages.

Input Fields

  • targets: Header snapshots with optional sourceId, sourceUrl, statusCode, headers, and previousHeaders.
  • urls: Optional URLs to fetch only when fetchUrls is true.
  • fetchUrls: Fetch headers over HTTP. Defaults to false so zero-config runs are local and cheap.
  • comparePrevious: Compare previousHeaders against current headers.
  • includeReport: Write SECURITY_HEADERS_RESULTS.json, SECURITY_HEADERS_SUMMARY.json, and SECURITY_HEADERS_REPORT.md to the key-value store.
  • maxTargets: Maximum targets to audit. Default is 25; hard cap is 250.
  • fetchTimeoutMs: HTTP timeout for optional URL fetches.
  • debug: Enable extra troubleshooting logs.

Example Input

{
  "targets": [
    {
      "sourceId": "homepage",
      "sourceUrl": "https://example.com",
      "headers": {
        "strict-transport-security": "max-age=31536000; includeSubDomains; preload",
        "content-security-policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
        "x-content-type-options": "nosniff",
        "referrer-policy": "strict-origin-when-cross-origin",
        "permissions-policy": "geolocation=()"
      }
    }
  ],
  "fetchUrls": false,
  "comparePrevious": true,
  "includeReport": true,
  "maxTargets": 10
}

Output Fields

Each dataset item represents one audited target:

  • auditId: Stable hash for the header snapshot.
  • sourceType, sourceId, sourceUrl, and statusCode: Target provenance.
  • status, severity, and securityScore: Overall result.
  • checkedHeaders, presentHeaders, missingHeaders, weakHeaders, and criticalFindings: Header inventory and risk.
  • addedHeaders, removedHeaders, and changedHeaders: Previous/current diff fields.
  • CSP fields such as cspHasDefaultSrc, cspHasFrameAncestors, cspAllowsUnsafeInline, and cspAllowsWildcard.
  • HSTS fields such as hstsMaxAgeSeconds, hstsIncludesSubdomains, and hstsPreload.
  • Header-specific fields for X-Frame-Options, nosniff, Referrer-Policy, Permissions-Policy, COOP, and CORP.
  • issues: Structured issue list.
  • recommendation: Suggested next action.
  • checkedAt: ISO audit timestamp.

The key-value store also contains:

  • SECURITY_HEADERS_RESULTS.json: Full result array.
  • SECURITY_HEADERS_SUMMARY.json: Run-level counts, scores, missing headers, and top issues.
  • SECURITY_HEADERS_REPORT.md: Human-readable summary.

Example Output

{
  "sourceId": "sample-hardened-site",
  "sourceUrl": "https://example.com",
  "statusCode": 200,
  "status": "pass",
  "severity": "none",
  "securityScore": 100,
  "missingHeaders": [],
  "weakHeaders": [],
  "criticalFindings": [],
  "addedHeaders": [
    "content-security-policy",
    "cross-origin-opener-policy",
    "cross-origin-resource-policy",
    "permissions-policy",
    "referrer-policy",
    "x-frame-options"
  ],
  "changedHeaders": ["strict-transport-security"],
  "hasContentSecurityPolicy": true,
  "hasStrictTransportSecurity": true,
  "hstsMaxAgeSeconds": 31536000,
  "hstsIncludesSubdomains": true,
  "hasXContentTypeOptionsNoSniff": true,
  "issueCount": 0,
  "recommendation": "Security headers look strong for the supplied snapshot."
}
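The following is an added example, not the actor's own code, showing how a header snapshot in the Example Input shape can be turned into a row with fields named like those in Output Fields: header names are normalized, the CSP and HSTS values are parsed into the csp*/hsts* flags, previousHeaders is diffed against headers, and issue ids such as missing-content-security-policy, csp-unsafe-inline and headers-removed are emitted as in the Troubleshooting section. The presence weights, penalty amounts, the extra issue ids csp-wildcard-source and hsts-short-max-age, and the two sample snapshots HARDENED and REGRESSED are assumptions constructed for this example; the actor's real scoring formula is not described on the page.

```python
import hashlib
import json
import re

# Presence weights (sum to 100) are an assumption of this example; the actor's real scoring is not on the page.
HEADER_WEIGHTS = {"content-security-policy": 25, "strict-transport-security": 25,
                  "x-content-type-options": 10, "x-frame-options": 10, "referrer-policy": 10,
                  "permissions-policy": 10, "cross-origin-opener-policy": 5, "cross-origin-resource-policy": 5}
SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}

def normalize(headers):
    """Lower-case names and trim values so lookups are case-insensitive."""
    return {k.strip().lower(): str(v).strip() for k, v in (headers or {}).items()}

def csp_fields(value):
    """Parse 'directive src src; directive ...' and derive the CSP flags the page lists."""
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    sources = [s for vals in directives.values() for s in vals]
    return {"cspHasDefaultSrc": "default-src" in directives,
            "cspHasFrameAncestors": "frame-ancestors" in directives,
            "cspAllowsUnsafeInline": any(s.lower() == "'unsafe-inline'" for s in sources),
            # a bare * or scheme://* source lets any host serve content for that directive
            "cspAllowsWildcard": any(s == "*" or s.endswith("://*") for s in sources)}

def hsts_fields(value):
    """Parse max-age / includeSubDomains / preload from an HSTS value."""
    parts = [p.strip().lower() for p in value.split(";")]
    match = re.search(r'max-age="?(\d+)', value, re.IGNORECASE)
    return {"hstsMaxAgeSeconds": int(match.group(1)) if match else None,
            "hstsIncludesSubdomains": "includesubdomains" in parts, "hstsPreload": "preload" in parts}

def diff_headers(previous, current):
    """Added / removed / changed header names between two snapshots."""
    prev, cur = normalize(previous), normalize(current)
    return {"addedHeaders": sorted(set(cur) - set(prev)),
            "removedHeaders": sorted(set(prev) - set(cur)),
            "changedHeaders": sorted(k for k in set(prev) & set(cur) if prev[k] != cur[k])}

def audit_target(target, compare_previous=True):
    """Audit one target in the page's input shape and return one dataset-row-like dict."""
    headers = normalize(target.get("headers"))
    issues, missing, weak, score = [], [], [], 100
    def flag(issue_id, severity, penalty, bucket, header):
        nonlocal score
        score -= penalty
        issues.append({"id": issue_id, "severity": severity})
        bucket.append(header)
    for name, weight in HEADER_WEIGHTS.items():
        if name not in headers:
            flag(f"missing-{name}", "high" if weight >= 25 else "medium", weight, missing, name)
    result = {"auditId": hashlib.sha256(json.dumps(headers, sort_keys=True).encode()).hexdigest()[:16],
              "sourceId": target.get("sourceId"), "sourceUrl": target.get("sourceUrl"),
              "statusCode": target.get("statusCode")}
    if "content-security-policy" in headers:
        csp = csp_fields(headers["content-security-policy"])
        result.update(csp)
        if csp["cspAllowsUnsafeInline"]:
            flag("csp-unsafe-inline", "high", 10, weak, "content-security-policy")
        if csp["cspAllowsWildcard"]:
            flag("csp-wildcard-source", "medium", 10, weak, "content-security-policy")
    if "strict-transport-security" in headers:
        hsts = hsts_fields(headers["strict-transport-security"])
        result.update(hsts)
        if (hsts["hstsMaxAgeSeconds"] or 0) < 31536000:  # one year is the usual floor
            flag("hsts-short-max-age", "medium", 10, weak, "strict-transport-security")
    result["hasXContentTypeOptionsNoSniff"] = headers.get("x-content-type-options", "").lower() == "nosniff"
    if compare_previous and target.get("previousHeaders") is not None:
        diff = diff_headers(target["previousHeaders"], headers)
        result.update(diff)
        if diff["removedHeaders"]:  # presence penalties already applied; just record the regression
            issues.append({"id": "headers-removed", "severity": "high", "headers": diff["removedHeaders"]})
    worst = max((i["severity"] for i in issues), key=SEVERITY_RANK.get, default="none")
    result.update({"securityScore": max(score, 0), "severity": worst,
                   "status": "pass" if not issues else ("fail" if worst == "high" else "warn"),
                   "missingHeaders": missing, "weakHeaders": sorted(set(weak)),
                   "criticalFindings": [i["id"] for i in issues if i["severity"] == "high"],
                   "issues": issues, "issueCount": len(issues),
                   "recommendation": "Security headers look strong for the supplied snapshot."
                   if not issues else f"Fix {issues[0]['id']} first, then re-audit."})
    return result

# Constructed sample snapshots (not real responses): a hardened site and a regressed deploy of it.
HARDENED = {"sourceId": "sample-hardened-site", "sourceUrl": "https://example.com", "statusCode": 200,
            "headers": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
                        "Content-Security-Policy": "default-src 'self'; object-src 'none'; frame-ancestors 'none'",
                        "X-Content-Type-Options": "nosniff", "X-Frame-Options": "DENY",
                        "Referrer-Policy": "strict-origin-when-cross-origin", "Permissions-Policy": "geolocation=()",
                        "Cross-Origin-Opener-Policy": "same-origin", "Cross-Origin-Resource-Policy": "same-origin"}}
REGRESSED = {"sourceId": "sample-regressed-site", "sourceUrl": "https://example.com/app", "statusCode": 200,
             "previousHeaders": HARDENED["headers"],  # CSP weakened, HSTS shortened, CORP dropped below
             "headers": {"Strict-Transport-Security": "max-age=300",
                         "Content-Security-Policy": "default-src *; script-src 'self' 'unsafe-inline'",
                         "X-Content-Type-Options": "nosniff", "X-Frame-Options": "SAMEORIGIN",
                         "Referrer-Policy": "no-referrer", "Permissions-Policy": "geolocation=()",
                         "Cross-Origin-Opener-Policy": "same-origin"}}

if __name__ == "__main__":
    print(json.dumps([audit_target(t) for t in (HARDENED, REGRESSED)], indent=2))
```

Running it prints two rows: the hardened snapshot scores 100 with status pass, while the regressed one scores 65 with status fail, lists cross-origin-resource-policy under both missingHeaders and removedHeaders, and reports csp-unsafe-inline and headers-removed as critical findings. Note that a removed header is penalized only once (through the presence check), and that the regression diff is keyed on normalized names, so a CDN that re-cases a header is not reported as a change.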

Pricing And Events

This actor uses pay-per-event pricing with the P1 audit template:

  • actor-start: $0.025 per run for setup and target preparation.
  • target-audited: $0.0098 per audited target, or $9.80 per 1,000 targets.
  • report-generated: $0.05 when report artifacts are generated.

Platform usage pass-through is intentionally off for local header snapshots and lightweight HEAD requests. Keep fetchUrls off for fixture/default runs, and start with a small target set before enabling live URL checks.

Cost-Control Tips

  • Use inline header snapshots for deterministic CI and client QA checks.
  • Keep fetchUrls false unless you explicitly want the actor to perform HTTP requests.
  • Use maxTargets between 1 and 10 for initial runs.
  • Use previousHeaders to catch regressions without crawling many pages.

Public Task Examples

This actor includes five prepared task concepts:

  • Hardened baseline header check.
  • Missing CSP and HSTS audit.
  • Weak CSP detector.
  • Header regression diff.
  • Optional live URL header check.

FAQ

Does this replace a security review?

No. It is a header-audit tool, not a penetration test or complete security assessment.

Can it fetch live pages?

Yes, set fetchUrls to true and provide urls. The default is false to keep the Store quality run deterministic and cheap.

Does it need a browser?

No. It audits HTTP headers and supplied header snapshots.

Are diagnostics billed as dataset rows?

No. Target audit rows are billed via target-audited. Summary diagnostics are written to the key-value store, not as extra default dataset rows.

Troubleshooting

  • missing-content-security-policy: Add a CSP suited to the app before claiming browser-side hardening.
  • missing-strict-transport-security: Add HSTS after confirming HTTPS is enforced for the hostname.
  • csp-unsafe-inline: Remove inline scripts/styles or use nonces/hashes where practical.
  • headers-removed: Compare CDN/reverse-proxy rules and deployment diffs.

Limitations

  • This actor checks practical header presence and common weak patterns, not every possible browser security nuance.
  • Live URL fetching can fail due to network errors, redirects, authentication, or bot filtering; inline snapshots are more deterministic.
  • Header recommendations must be adapted to the application. Some policies require careful rollout to avoid breaking production.

Source And Safety Notes

Audit only URLs and header snapshots you are authorized to inspect. Do not upload sensitive internal headers unless you are allowed to process them in Apify.

Changelog

  • 1.0.0: Initial production build with security-header scoring, previous/current diffing, KVS reports, PPE billing, examples, and fixture tests.

Premium local completion scope

This actor is prepared for local ChatGPT review as a premium, honestly scoped Store candidate. It processes user-supplied fixtures, records, snapshots, schemas, URLs, or exported source data with strict caps and deterministic logic before any live Apify replay.

It does not perform live Apify Store publication, live Store icon upload, live public task creation, or live pricing changes in this local package. Cloud replay remains a separate step. The local implementation is scoped to: Audit website security headers such as CSP, HSTS, X-Frame-Options, Referrer-Policy, and Permissions-Policy.

Use the default input first. It is intentionally tiny and designed to complete quickly while still producing dataset rows, schema-validation evidence, billing-guard proof, and report artifacts.