Bulk HTTP Security Headers Analyzer - CSP, HSTS avatar

Bulk HTTP Security Headers Analyzer - CSP, HSTS

Pricing

from $3.50 / 1,000 results

Go to Apify Store
Bulk HTTP Security Headers Analyzer - CSP, HSTS

Bulk HTTP Security Headers Analyzer - CSP, HSTS

Analyze HTTP security headers for thousands of URLs. Checks CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy and more. Returns pass/fail per header plus a numeric security score. No API key, export to CSV/JSON. Ideal for security audits and compliance scanning.

Pricing

from $3.50 / 1,000 results

Rating

0.0

(0)

Developer

Logiover

Logiover

Maintained by Community

Actor stats

0

Bookmarked

2

Total users

1

Monthly active users

4 days ago

Last modified

Share

Bulk HTTP Security Headers Analyzer ๐Ÿ›ก๏ธ โ€” CSP, HSTS, Score & Grade (No API key)

Apify Actor No API key Pay per result Security & Web Infra Export


Audit HTTP security headers for thousands of URLs in one run. This bulk security header scanner checks every URL for Content-Security-Policy (CSP), Strict-Transport-Security (HSTS), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Cross-Origin-Opener-Policy, Cross-Origin-Resource-Policy, Cross-Origin-Embedder-Policy and more. Each check is weighted and scored, totaled into a 0โ€“100 security score, and mapped to a letter grade from A+ to F. Paste a list of URLs and the Actor fetches their headers in parallel via HTTP HEAD โ€” fast, lightweight, no page body downloaded. No API key, no login.

๐Ÿ† Why this security header scanner?

30+ fields per URL ยท thousands of URLs per run ยท 11 weighted checks + A+โ€“F grade ยท HEAD-only (no page body) ยท export to JSON / CSV / Excel. The unofficial HTTP security header checker API for security audits, compliance scanning and bug-bounty recon.

Looking for a security header checker, a CSP auditor, an HSTS scanner, a bulk HTTP security audit tool, or a free HTTP security analyzer API? This Actor does all the checks at scale.


โœจ What this Actor does / Key features

  • ๐Ÿ›ก๏ธ 11 security header checks โ€” CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP, CORP, COEP, plus Server and X-Powered-By information-leak checks.
  • ๐ŸŽฏ Numeric score (0โ€“100) โ€” each check is weighted by security importance; get a total score and a letter grade (A+ to F).
  • ๐Ÿ“‹ Pass / fail per header โ€” every header gets its own boolean pass/fail column plus the raw header value.
  • ๐Ÿงฉ HSTS deep parse โ€” max-age, includeSubDomains and preload flags extracted into separate fields.
  • ๐Ÿšจ Missing headers list โ€” a comma-separated list of exactly which recommended security headers are absent.
  • ๐Ÿ” Information-leak checks โ€” flags when Server and X-Powered-By headers expose stack details.
  • โ†ช๏ธ Redirect-aware โ€” follows up to 5 redirects and reports the finalUrl (so http:// โ†’ https:// is handled transparently).
  • โšก HEAD-only, no body โ€” HTTP HEAD is fast; all security headers live in the response headers.
  • ๐Ÿ”‘ No API key โ€” works out of the box with standard HTTP requests; proxy support built in.

๐Ÿš€ Quick start (3 steps)

  1. Configure โ€” paste your list of URLs into URLs to Analyze, one per line (https:// is added automatically if missing). Adjust Max Concurrency for large lists.
  2. Run โ€” click Start. The Actor fetches headers from every URL in parallel and scores each one.
  3. Get your data โ€” open the Output tab and export to JSON, CSV, Excel or XML, or pull it via the Apify API.

๐Ÿ“ฅ Input

Give the Actor a urls list. Everything else is optional.

Example โ€” audit a portfolio of sites

{
"urls": ["https://github.com", "https://stackoverflow.com", "https://example.com"],
"maxConcurrency": 20,
"proxyConfiguration": { "useApifyProxy": true }
}

Example โ€” large list, higher concurrency

{
"urls": ["https://site1.com", "https://site2.com", "https://site3.com", "https://site4.com"],
"maxConcurrency": 50,
"proxyConfiguration": { "useApifyProxy": true }
}
FieldTypeDescription
urlsarrayRequired. URLs to scan for security headers, one per line. HTTP and HTTPS both supported; the scheme is added automatically if missing.
maxConcurrencyintegerHow many URLs to scan in parallel. Higher is faster. Default 20, max 100.
proxyConfigurationobjectProxy used for the HTTP requests (recommended to avoid rate limiting). Default: Apify Proxy (datacenter).

Tip: HTTPS-only URLs produce the most meaningful results โ€” plain HTTP sites won't return HSTS. Feed the output of a crawler or sitemap extractor into urls to audit an entire domain at once.

๐Ÿ“ค Output

One row per URL โ€” a full security-header report with 30+ fields, exportable to JSON, CSV, Excel or XML. Here is a trimmed sample record:

{
"url": "https://github.com",
"finalUrl": "https://github.com/",
"statusCode": "200",
"securityScore": "78",
"grade": "B",
"cspHeader": "default-src 'none'; ...",
"cspPass": "true",
"hstsHeader": "max-age=31536000; includeSubdomains; preload",
"hstsPass": "true",
"hstsMaxAge": "31536000",
"hstsIncludeSubdomains": "true",
"hstsPreload": "true",
"xFrameOptions": "deny",
"xFrameOptionsPass": "true",
"xContentTypeOptions": "nosniff",
"xContentTypeOptionsPass": "true",
"referrerPolicy": "origin-when-cross-origin, strict-origin-when-cross-origin",
"referrerPolicyPass": "true",
"permissionsPolicy": "not set",
"permissionsPolicyPass": "false",
"crossOriginOpenerPolicy": "not set",
"crossOriginOpenerPolicyPass": "false",
"server": "GitHub.com",
"xPoweredBy": "not set",
"missingHeaders": "Permissions-Policy, Cross-Origin-Opener-Policy",
"passCount": "8",
"totalChecks": "11",
"checkedAt": "2026-07-06T12:00:00.000Z"
}

๐Ÿ’ก Use cases

  • Security posture audits โ€” scan your entire web portfolio and get a numeric score per URL; track improvement over time.
  • Compliance scanning โ€” check for missing HSTS, CSP and other headers referenced by SOC 2, ISO 27001 and PCI DSS controls.
  • Vendor risk assessment โ€” score third-party SaaS tools and partners on their HTTP security hygiene.
  • Bug-bounty recon โ€” identify sites with weak or missing security headers that broaden attack surface.
  • DevSecOps CI/CD โ€” run as a gate check after deployments to catch regressions in security header configuration.
  • Competitor benchmarking โ€” compare your security header posture against competitors on the same 0โ€“100 scale.

๐Ÿ‘ฅ Who uses it

Security engineers & pentesters ยท bug-bounty hunters ยท DevSecOps & platform teams ยท compliance & GRC analysts ยท SaaS vendor-risk teams ยท agencies auditing client sites.

๐Ÿ’ฐ Pricing

This Actor runs on a simple pay-per-result model โ€” you pay for the URL reports you extract, with no separate Apify platform fees to calculate. Try it on the free tier first, then scale up. See the Pricing tab on this page for the current rate.

๐Ÿ” How it works

For each URL, the Actor sends an HTTP HEAD request (with automatic redirect following) and extracts every security-relevant header from the response. Each header is checked against a best-practice definition:

  • CSP โ€” must be present and well-formed (length > 10 chars). Weight: 20.
  • HSTS โ€” must have max-age โ‰ฅ 31,536,000 (1 year). Weight: 15.
  • X-Frame-Options โ€” must be DENY or SAMEORIGIN. Weight: 12.
  • X-Content-Type-Options โ€” must equal nosniff. Weight: 10.
  • Referrer-Policy โ€” must restrict referrer data. Weight: 10.
  • Permissions-Policy โ€” must be present. Weight: 8.
  • COOP / CORP / COEP โ€” cross-origin isolation headers. Weight: 5 each.
  • Server / X-Powered-By โ€” information leak: points awarded if NOT present. Weight: 5 each.

Scores are weighted and normalized to 0โ€“100, then mapped to a letter grade (A+ โ‰ฅ90, A โ‰ฅ80, B โ‰ฅ70, C โ‰ฅ50, D โ‰ฅ30, F <30). The missingHeaders field lists every recommended header that's absent, so you know exactly what to fix.

๐Ÿงฐ Tips & best practices

  • HTTPS-only URLs produce more meaningful results โ€” plain HTTP sites won't return HSTS.
  • Filter by grade: "F" to prioritize the worst offenders first, or sort by securityScore descending for a leaderboard.
  • Schedule recurring weekly runs and diff datasets to track security header improvements over time.
  • Parse the missingHeaders field to generate prioritized remediation tickets per URL.
  • Use maxConcurrency: 20+ for large lists and keep Apify Proxy enabled.

โ“ Frequently Asked Questions

How do I check security headers for many URLs at once?

Paste your full URL list into the URLs to Analyze field and run the Actor once. It fetches headers from every URL in parallel via HTTP HEAD and returns one row per URL with pass/fail for each of the 11 checks, a score and a grade.

Which security headers are checked?

CSP, HSTS (with max-age โ‰ฅ 1 yr), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Cross-Origin-Opener-Policy, Cross-Origin-Resource-Policy and Cross-Origin-Embedder-Policy, plus Server and X-Powered-By information-leak checks.

Is there a free HTTP security header checker API?

Yes โ€” this Actor works as an on-demand HTTP security header checker API with no API key of its own. Trigger it and pull results via the Apify API, so you can wire security-header scoring into your own tooling or CI pipeline.

Can I scan security headers without an API key or login?

Yes. The Actor needs no account, cookies or API key on the target sites โ€” it sends standard HTTP HEAD requests. You only need an Apify account to run it.

How is the security score calculated?

Each header check carries a weight based on its security impact (CSP=20, HSTS=15, X-Frame-Options=12, and so on). The score is the weighted percentage of checks that pass, normalized to 0โ€“100. Grade: A+ โ‰ฅ90, A โ‰ฅ80, B โ‰ฅ70, C โ‰ฅ50, D โ‰ฅ30, F <30.

Can I export security header audits to CSV or JSON?

Yes โ€” every URL is one row with dedicated columns for each header and its pass/fail status, so the dataset drops straight into a spreadsheet or BI tool. Export as CSV, JSON, Excel or XML from the run page or the Apify API.

Does it follow redirects?

Yes โ€” the Actor follows up to 5 redirects automatically and reports the final URL in the finalUrl field, so http://example.com โ†’ https://example.com redirects are handled transparently.

What is a good HTTP security header score?

The Actor grades each URL from A+ to F on a 0โ€“100 scale; anything below a C usually means missing CSP, HSTS or X-Frame-Options headers you should add.

How much data can I get?

You can scan thousands of URLs in a single run. Raise maxConcurrency (up to 100) for large lists, and feed URLs from a sitemap or crawler to audit an entire domain at once.

Reading a site's HTTP response headers is a standard, lightweight request that downloads no page content. This Actor only inspects publicly returned headers; you are responsible for scanning within applicable terms and laws, and for using the results responsibly.

๐Ÿ”— More web-infra & security tools by logiover

Pair the security header analyzer with the rest of the bulk web-infrastructure and recon suite:

ActorWhat it does
Bulk SSL Certificate CheckerSSL/TLS cert expiry, issuer, SANs, TLS versions & chain validation
Bulk DNS Records LookupA, AAAA, MX, TXT, NS, CNAME, SOA, CAA for thousands of domains
Bulk WHOIS / RDAP LookupDomain registration, registrar, dates & nameservers in bulk
Bulk URL Status CheckerHTTP status codes, broken links & redirects for large URL lists
Bulk URL UnshortenerExpand shortened links and trace full redirect chains
Bulk Website Screenshot CaptureFull-page screenshots for many URLs at once
Subdomain FinderEnumerate subdomains for a domain โ€” attack-surface recon
Certificate Transparency MonitorMonitor CT logs for newly issued certificates
Website Tech Stack DetectorDetect frameworks, CMS, analytics & server tech
Website SEO Audit CrawlerOn-page SEO analysis across a whole site
Sitemap to URL CrawlerExpand sitemaps into a clean, dedup'd URL list to feed this scanner

๐Ÿ‘‰ Browse all logiover scrapers on Apify Store โ€” 180+ actors across real estate, jobs, crypto, social media & B2B data.

โฐ Scheduling & integration

Schedule this Actor on Apify to re-scan your web portfolio daily or weekly and track security-header posture over time. Export results to JSON, CSV or Excel, sync to Google Sheets, or push to your database, SIEM, BI tools and webhooks through the Apify API. Connect it to Make, n8n or Zapier to alert on new grade: "F" URLs or feed remediation tickets into Jira.

โญ Support & feedback

Found a bug or need an extra header check? Open an issue on the Issues tab โ€” response is usually fast. If this Actor saves you time, a โ˜…โ˜…โ˜…โ˜…โ˜… review on the Store page genuinely helps and is hugely appreciated. ๐Ÿ™

This Actor inspects only publicly returned HTTP response headers and downloads no page content. It is intended for legitimate security auditing, compliance and research use. You are responsible for scanning within the target sites' terms of service and any applicable local laws, and for handling results responsibly.


๐Ÿ“ Changelog

2026-07-06

  • โœจ README overhaul: badge/hero/callout structure, richer output sample, ready-to-run example scenarios, web-infra & security cross-promo links, expanded FAQ and clearer quick-start.

2026-07-01

  • Maintenance pass: re-verified end-to-end on live data and confirmed successful runs within the 5-minute quality window on the default input.
  • Sharpened Store metadata (SEO title & description) and expanded the FAQ with high-intent, long-tail questions for easier discovery in Google and Apify Store search.
  • Added ready-to-run example tasks that cover common real-world use cases.

2026-06-24

  • Initial release โ€” 11 security header checks with weighted scoring, A+ to F grading, no API key, CSV/JSON export.