Bulk HTTP Security Headers Analyzer - CSP, HSTS
Pricing
from $3.50 / 1,000 results
Bulk HTTP Security Headers Analyzer - CSP, HSTS
Analyze HTTP security headers for thousands of URLs. Checks CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy and more. Returns pass/fail per header plus a numeric security score. No API key, export to CSV/JSON. Ideal for security audits and compliance scanning.
Pricing
from $3.50 / 1,000 results
Rating
0.0
(0)
Developer
Logiover
Maintained by CommunityActor stats
0
Bookmarked
2
Total users
1
Monthly active users
4 days ago
Last modified
Categories
Share
Bulk HTTP Security Headers Analyzer ๐ก๏ธ โ CSP, HSTS, Score & Grade (No API key)
Audit HTTP security headers for thousands of URLs in one run. This bulk security header scanner checks every URL for Content-Security-Policy (CSP), Strict-Transport-Security (HSTS), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Cross-Origin-Opener-Policy, Cross-Origin-Resource-Policy, Cross-Origin-Embedder-Policy and more. Each check is weighted and scored, totaled into a 0โ100 security score, and mapped to a letter grade from A+ to F. Paste a list of URLs and the Actor fetches their headers in parallel via HTTP HEAD โ fast, lightweight, no page body downloaded. No API key, no login.
๐ Why this security header scanner?
30+ fields per URL ยท thousands of URLs per run ยท 11 weighted checks + A+โF grade ยท HEAD-only (no page body) ยท export to JSON / CSV / Excel. The unofficial HTTP security header checker API for security audits, compliance scanning and bug-bounty recon.
Looking for a security header checker, a CSP auditor, an HSTS scanner, a bulk HTTP security audit tool, or a free HTTP security analyzer API? This Actor does all the checks at scale.
โจ What this Actor does / Key features
- ๐ก๏ธ 11 security header checks โ CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP, CORP, COEP, plus
ServerandX-Powered-Byinformation-leak checks. - ๐ฏ Numeric score (0โ100) โ each check is weighted by security importance; get a total score and a letter grade (A+ to F).
- ๐ Pass / fail per header โ every header gets its own boolean pass/fail column plus the raw header value.
- ๐งฉ HSTS deep parse โ
max-age,includeSubDomainsandpreloadflags extracted into separate fields. - ๐จ Missing headers list โ a comma-separated list of exactly which recommended security headers are absent.
- ๐ Information-leak checks โ flags when
ServerandX-Powered-Byheaders expose stack details. - โช๏ธ Redirect-aware โ follows up to 5 redirects and reports the
finalUrl(sohttp://โhttps://is handled transparently). - โก HEAD-only, no body โ HTTP HEAD is fast; all security headers live in the response headers.
- ๐ No API key โ works out of the box with standard HTTP requests; proxy support built in.
๐ Quick start (3 steps)
- Configure โ paste your list of URLs into URLs to Analyze, one per line (
https://is added automatically if missing). Adjust Max Concurrency for large lists. - Run โ click Start. The Actor fetches headers from every URL in parallel and scores each one.
- Get your data โ open the Output tab and export to JSON, CSV, Excel or XML, or pull it via the Apify API.
๐ฅ Input
Give the Actor a urls list. Everything else is optional.
Example โ audit a portfolio of sites
{"urls": ["https://github.com", "https://stackoverflow.com", "https://example.com"],"maxConcurrency": 20,"proxyConfiguration": { "useApifyProxy": true }}
Example โ large list, higher concurrency
{"urls": ["https://site1.com", "https://site2.com", "https://site3.com", "https://site4.com"],"maxConcurrency": 50,"proxyConfiguration": { "useApifyProxy": true }}
| Field | Type | Description |
|---|---|---|
urls | array | Required. URLs to scan for security headers, one per line. HTTP and HTTPS both supported; the scheme is added automatically if missing. |
maxConcurrency | integer | How many URLs to scan in parallel. Higher is faster. Default 20, max 100. |
proxyConfiguration | object | Proxy used for the HTTP requests (recommended to avoid rate limiting). Default: Apify Proxy (datacenter). |
Tip: HTTPS-only URLs produce the most meaningful results โ plain HTTP sites won't return HSTS. Feed the output of a crawler or sitemap extractor into
urlsto audit an entire domain at once.
๐ค Output
One row per URL โ a full security-header report with 30+ fields, exportable to JSON, CSV, Excel or XML. Here is a trimmed sample record:
{"url": "https://github.com","finalUrl": "https://github.com/","statusCode": "200","securityScore": "78","grade": "B","cspHeader": "default-src 'none'; ...","cspPass": "true","hstsHeader": "max-age=31536000; includeSubdomains; preload","hstsPass": "true","hstsMaxAge": "31536000","hstsIncludeSubdomains": "true","hstsPreload": "true","xFrameOptions": "deny","xFrameOptionsPass": "true","xContentTypeOptions": "nosniff","xContentTypeOptionsPass": "true","referrerPolicy": "origin-when-cross-origin, strict-origin-when-cross-origin","referrerPolicyPass": "true","permissionsPolicy": "not set","permissionsPolicyPass": "false","crossOriginOpenerPolicy": "not set","crossOriginOpenerPolicyPass": "false","server": "GitHub.com","xPoweredBy": "not set","missingHeaders": "Permissions-Policy, Cross-Origin-Opener-Policy","passCount": "8","totalChecks": "11","checkedAt": "2026-07-06T12:00:00.000Z"}
๐ก Use cases
- Security posture audits โ scan your entire web portfolio and get a numeric score per URL; track improvement over time.
- Compliance scanning โ check for missing HSTS, CSP and other headers referenced by SOC 2, ISO 27001 and PCI DSS controls.
- Vendor risk assessment โ score third-party SaaS tools and partners on their HTTP security hygiene.
- Bug-bounty recon โ identify sites with weak or missing security headers that broaden attack surface.
- DevSecOps CI/CD โ run as a gate check after deployments to catch regressions in security header configuration.
- Competitor benchmarking โ compare your security header posture against competitors on the same 0โ100 scale.
๐ฅ Who uses it
Security engineers & pentesters ยท bug-bounty hunters ยท DevSecOps & platform teams ยท compliance & GRC analysts ยท SaaS vendor-risk teams ยท agencies auditing client sites.
๐ฐ Pricing
This Actor runs on a simple pay-per-result model โ you pay for the URL reports you extract, with no separate Apify platform fees to calculate. Try it on the free tier first, then scale up. See the Pricing tab on this page for the current rate.
๐ How it works
For each URL, the Actor sends an HTTP HEAD request (with automatic redirect following) and extracts every security-relevant header from the response. Each header is checked against a best-practice definition:
- CSP โ must be present and well-formed (length > 10 chars). Weight: 20.
- HSTS โ must have
max-ageโฅ 31,536,000 (1 year). Weight: 15. - X-Frame-Options โ must be
DENYorSAMEORIGIN. Weight: 12. - X-Content-Type-Options โ must equal
nosniff. Weight: 10. - Referrer-Policy โ must restrict referrer data. Weight: 10.
- Permissions-Policy โ must be present. Weight: 8.
- COOP / CORP / COEP โ cross-origin isolation headers. Weight: 5 each.
- Server / X-Powered-By โ information leak: points awarded if NOT present. Weight: 5 each.
Scores are weighted and normalized to 0โ100, then mapped to a letter grade (A+ โฅ90, A โฅ80, B โฅ70, C โฅ50, D โฅ30, F <30). The missingHeaders field lists every recommended header that's absent, so you know exactly what to fix.
๐งฐ Tips & best practices
- HTTPS-only URLs produce more meaningful results โ plain HTTP sites won't return HSTS.
- Filter by
grade: "F"to prioritize the worst offenders first, or sort bysecurityScoredescending for a leaderboard. - Schedule recurring weekly runs and diff datasets to track security header improvements over time.
- Parse the
missingHeadersfield to generate prioritized remediation tickets per URL. - Use
maxConcurrency: 20+ for large lists and keep Apify Proxy enabled.
โ Frequently Asked Questions
How do I check security headers for many URLs at once?
Paste your full URL list into the URLs to Analyze field and run the Actor once. It fetches headers from every URL in parallel via HTTP HEAD and returns one row per URL with pass/fail for each of the 11 checks, a score and a grade.
Which security headers are checked?
CSP, HSTS (with max-age โฅ 1 yr), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Cross-Origin-Opener-Policy, Cross-Origin-Resource-Policy and Cross-Origin-Embedder-Policy, plus Server and X-Powered-By information-leak checks.
Is there a free HTTP security header checker API?
Yes โ this Actor works as an on-demand HTTP security header checker API with no API key of its own. Trigger it and pull results via the Apify API, so you can wire security-header scoring into your own tooling or CI pipeline.
Can I scan security headers without an API key or login?
Yes. The Actor needs no account, cookies or API key on the target sites โ it sends standard HTTP HEAD requests. You only need an Apify account to run it.
How is the security score calculated?
Each header check carries a weight based on its security impact (CSP=20, HSTS=15, X-Frame-Options=12, and so on). The score is the weighted percentage of checks that pass, normalized to 0โ100. Grade: A+ โฅ90, A โฅ80, B โฅ70, C โฅ50, D โฅ30, F <30.
Can I export security header audits to CSV or JSON?
Yes โ every URL is one row with dedicated columns for each header and its pass/fail status, so the dataset drops straight into a spreadsheet or BI tool. Export as CSV, JSON, Excel or XML from the run page or the Apify API.
Does it follow redirects?
Yes โ the Actor follows up to 5 redirects automatically and reports the final URL in the finalUrl field, so http://example.com โ https://example.com redirects are handled transparently.
What is a good HTTP security header score?
The Actor grades each URL from A+ to F on a 0โ100 scale; anything below a C usually means missing CSP, HSTS or X-Frame-Options headers you should add.
How much data can I get?
You can scan thousands of URLs in a single run. Raise maxConcurrency (up to 100) for large lists, and feed URLs from a sitemap or crawler to audit an entire domain at once.
Is it legal to scan security headers?
Reading a site's HTTP response headers is a standard, lightweight request that downloads no page content. This Actor only inspects publicly returned headers; you are responsible for scanning within applicable terms and laws, and for using the results responsibly.
๐ More web-infra & security tools by logiover
Pair the security header analyzer with the rest of the bulk web-infrastructure and recon suite:
| Actor | What it does |
|---|---|
| Bulk SSL Certificate Checker | SSL/TLS cert expiry, issuer, SANs, TLS versions & chain validation |
| Bulk DNS Records Lookup | A, AAAA, MX, TXT, NS, CNAME, SOA, CAA for thousands of domains |
| Bulk WHOIS / RDAP Lookup | Domain registration, registrar, dates & nameservers in bulk |
| Bulk URL Status Checker | HTTP status codes, broken links & redirects for large URL lists |
| Bulk URL Unshortener | Expand shortened links and trace full redirect chains |
| Bulk Website Screenshot Capture | Full-page screenshots for many URLs at once |
| Subdomain Finder | Enumerate subdomains for a domain โ attack-surface recon |
| Certificate Transparency Monitor | Monitor CT logs for newly issued certificates |
| Website Tech Stack Detector | Detect frameworks, CMS, analytics & server tech |
| Website SEO Audit Crawler | On-page SEO analysis across a whole site |
| Sitemap to URL Crawler | Expand sitemaps into a clean, dedup'd URL list to feed this scanner |
๐ Browse all logiover scrapers on Apify Store โ 180+ actors across real estate, jobs, crypto, social media & B2B data.
โฐ Scheduling & integration
Schedule this Actor on Apify to re-scan your web portfolio daily or weekly and track security-header posture over time. Export results to JSON, CSV or Excel, sync to Google Sheets, or push to your database, SIEM, BI tools and webhooks through the Apify API. Connect it to Make, n8n or Zapier to alert on new grade: "F" URLs or feed remediation tickets into Jira.
โญ Support & feedback
Found a bug or need an extra header check? Open an issue on the Issues tab โ response is usually fast. If this Actor saves you time, a โ โ โ โ โ review on the Store page genuinely helps and is hugely appreciated. ๐
โ๏ธ Legal
This Actor inspects only publicly returned HTTP response headers and downloads no page content. It is intended for legitimate security auditing, compliance and research use. You are responsible for scanning within the target sites' terms of service and any applicable local laws, and for handling results responsibly.
๐ Changelog
2026-07-06
- โจ README overhaul: badge/hero/callout structure, richer output sample, ready-to-run example scenarios, web-infra & security cross-promo links, expanded FAQ and clearer quick-start.
2026-07-01
- Maintenance pass: re-verified end-to-end on live data and confirmed successful runs within the 5-minute quality window on the default input.
- Sharpened Store metadata (SEO title & description) and expanded the FAQ with high-intent, long-tail questions for easier discovery in Google and Apify Store search.
- Added ready-to-run example tasks that cover common real-world use cases.
2026-06-24
- Initial release โ 11 security header checks with weighted scoring, A+ to F grading, no API key, CSV/JSON export.