# Security Headers Scanner (`pattonholdings/security-headers-scanner`) Actor

Grade any website's HTTP security headers — letter grade (A+ to F), severity breakdown, per-header pass/weak/missing status, and copy-paste config snippets for Nginx, Apache, Express, and Cloudflare. Port of the 33-user Chrome extension to a programmatic API.

- **URL**: https://apify.com/pattonholdings/security-headers-scanner.md
- **Developed by:** [Coleton Patton](https://apify.com/pattonholdings) (community)
- **Categories:** Developer tools
- **Stats:** 2 total users, 1 monthly users, 100.0% runs succeeded, 0 bookmarks
- **User rating**: No ratings yet

## Pricing

Pay per usage

This Actor is paid per platform usage. The Actor itself is free to use; you only pay for the Apify platform usage it consumes, which gets cheaper the higher your subscription plan.

Learn more: https://docs.apify.com/platform/actors/running/actors-in-store#pay-per-usage

## What's an Apify Actor?

Actors are software tools running on the Apify platform for all kinds of web data extraction and automation use cases.
In Batch mode, an Actor accepts a well-defined JSON input, performs an action that can take anything from a few seconds to a few hours,
and optionally produces a well-defined JSON output, datasets with results, or files in a key-value store.
In Standby mode, an Actor provides a web server that can be used as a website, an API, or an MCP server.
"Actor" is written with a capital "A".

## How to integrate an Actor?

When integrating an Actor into a project, adapt to the project's stack and aim for an integration that is safe, well-documented, and production-ready.
The recommended ways to integrate Actors are as follows.

In JavaScript/TypeScript projects, use official [JavaScript/TypeScript client](https://docs.apify.com/api/client/js.md):

```bash
npm install apify-client
```

In Python projects, use official [Python client library](https://docs.apify.com/api/client/python.md):

```bash
pip install apify-client
```

In shell scripts, use [Apify CLI](https://docs.apify.com/cli/docs.md):

```bash
# MacOS / Linux
curl -fsSL https://apify.com/install-cli.sh | bash
# Windows
irm https://apify.com/install-cli.ps1 | iex
```

In AI frameworks, you might use the [Apify MCP server](https://docs.apify.com/platform/integrations/mcp.md).

If your project is in a different language, use the [REST API](https://docs.apify.com/api/v2.md).

For usage examples, see the [API](#api) section below.

For more details, see Apify documentation as [Markdown index](https://docs.apify.com/llms.txt) and [Markdown full-text](https://docs.apify.com/llms-full.txt).


# README

## Security Headers Scanner

Grade any website's HTTP security headers — **letter grade A+ to F**, severity breakdown, per-header pass/weak/missing status, and copy-paste config snippets for Nginx / Apache / Express / Cloudflare.

Direct port of the [Security Headers Chrome extension](https://chromewebstore.google.com/) (33 active users, organic CWS traction with zero marketing). Same evaluator logic, same scoring, same letter grade.

### Use cases

- **Pre-launch security audit** — grade a staging site before going live
- **Compliance dashboards** — feed grades into your SOC2 / ISO27001 evidence pipeline
- **Vendor security review** — score third-party services your stack depends on
- **Hosting provider QA** — check that your edge config actually shipped the headers you configured

### Input

```json
{
  "url": "https://example.com"
}
```

Or batch mode:

```json
{
  "urls": [
    "https://example.com",
    "https://stripe.com",
    "https://github.com"
  ]
}
```

Max 1000 URLs per run.

### Output (per URL)

```json
{
  "url": "https://example.com",
  "finalUrl": "https://example.com",
  "httpStatus": 200,
  "grade": "B",
  "percentage": 74,
  "score": 67,
  "maxScore": 90,
  "criticalIssues": 1,
  "importantIssues": 1,
  "optionalIssues": 0,
  "headers": [
    {
      "name": "Content-Security-Policy",
      "status": "weak",
      "value": "script-src 'self' 'unsafe-inline'",
      "severity": "critical",
      "deprecated": false,
      "recommendation": "Set a restrictive policy..."
    }
    /* ... 9 more ... */
  ],
  "rawHeaders": { "...": "..." },
  "plainTextReport": "Security Headers Report\nURL: ...",
  "scannedAt": "2026-05-15T22:00:00.000Z",
  "scannerVersion": "1.3.0"
}
```

### Headers checked

Ten security-relevant HTTP response headers:

| Header | Severity | Weight |
|---|---|---|
| Content-Security-Policy | critical | 15 |
| Strict-Transport-Security | critical | 15 |
| X-Content-Type-Options | important | 10 |
| X-Frame-Options | critical | 10 |
| Referrer-Policy | important | 8 |
| Permissions-Policy | important | 8 |
| Cross-Origin-Opener-Policy | optional | 7 |
| Cross-Origin-Resource-Policy | optional | 7 |
| Cross-Origin-Embedder-Policy | optional | 7 |
| X-XSS-Protection (deprecated) | optional | 3 |

### Grading

- **A+** (95-100%) — top-tier, exceeds best practices
- **A** (85-94%) — strong, minor gaps
- **B** (70-84%) — adequate, weak in 2-3 areas
- **C** (55-69%) — incomplete, multiple missing headers
- **D** (40-54%) — significant gaps
- **F** (< 40%) — no meaningful security headers

### Evaluator strictness (v1.3.0)

This version uses the **strict evaluators** that match Mozilla Observatory and securityheaders.com baselines:

- **Content-Security-Policy** with `'unsafe-inline'` OR `'unsafe-eval'` → weak
- **Referrer-Policy** values outside the strict allowlist (e.g. `origin`, `no-referrer-when-downgrade`) → weak
- **Permissions-Policy** with any wildcard `*` directive → weak

Earlier scanner versions were more lenient. If you're comparing against scans from before May 2026, expect some grades to drop — these are corrections, not regressions in your security posture.
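As an added example (not the Actor's or the Chrome extension's own code), the scoring model described in the three sections above, re-implemented over a constructed header set: the weights, severities, grade bands and the three strict rules are the README's, while the HSTS check, the exact Referrer-Policy allowlist and scoring a weak header as zero (the only rule that reproduces the sample output, 90 - 15 - 8 = 67) are assumptions.

```javascript
// Added example, not the Actor's own code. Weights/severities follow the
// "Headers checked" table; the strict rules follow "Evaluator strictness (v1.3.0)".
const HEADERS = [
  { name: 'Content-Security-Policy', severity: 'critical', weight: 15 },
  { name: 'Strict-Transport-Security', severity: 'critical', weight: 15 },
  { name: 'X-Content-Type-Options', severity: 'important', weight: 10 },
  { name: 'X-Frame-Options', severity: 'critical', weight: 10 },
  { name: 'Referrer-Policy', severity: 'important', weight: 8 },
  { name: 'Permissions-Policy', severity: 'important', weight: 8 },
  { name: 'Cross-Origin-Opener-Policy', severity: 'optional', weight: 7 },
  { name: 'Cross-Origin-Resource-Policy', severity: 'optional', weight: 7 },
  { name: 'Cross-Origin-Embedder-Policy', severity: 'optional', weight: 7 },
  { name: 'X-XSS-Protection', severity: 'optional', weight: 3, deprecated: true },
];
const MAX_SCORE = HEADERS.reduce((sum, h) => sum + h.weight, 0); // 90, as in the sample output

// Assumed strict allowlist; the README names only `origin` and `no-referrer-when-downgrade` as rejected.
const STRICT_REFERRER = new Set(['no-referrer', 'same-origin', 'strict-origin',
  'strict-origin-when-cross-origin']);

// Decide 'pass' or 'weak' for a header that is present in the response.
function evaluate(name, value) {
  const v = value.trim().toLowerCase();
  switch (name) {
    case 'Content-Security-Policy': // README rule: 'unsafe-inline' OR 'unsafe-eval' -> weak
      return /'unsafe-inline'|'unsafe-eval'/.test(v) ? 'weak' : 'pass';
    case 'Referrer-Policy': // README rule: every listed value must be in the strict allowlist
      return v.split(',').every((p) => STRICT_REFERRER.has(p.trim())) ? 'pass' : 'weak';
    case 'Permissions-Policy': // README rule: any wildcard directive (e.g. camera=*) -> weak
      return /=\s*\(?\s*\*/.test(v) ? 'weak' : 'pass';
    case 'Strict-Transport-Security': { // assumption: max-age of at least one year
      const m = v.match(/max-age=(\d+)/);
      return m && Number(m[1]) >= 31536000 ? 'pass' : 'weak';
    }
    default: // assumption: any present value passes for the remaining headers
      return 'pass';
  }
}

// Grade bands from the README's Grading section, checked from the top down.
const GRADE_BANDS = [[95, 'A+'], [85, 'A'], [70, 'B'], [55, 'C'], [40, 'D'], [0, 'F']];
const gradeFor = (pct) => GRADE_BANDS.find(([min]) => pct >= min)[1];

// rawHeaders: header name -> value; names are matched case-insensitively.
function scoreHeaders(rawHeaders) {
  const lookup = new Map(Object.entries(rawHeaders).map(([k, v]) => [k.toLowerCase(), v]));
  const issues = { critical: 0, important: 0, optional: 0 };
  let score = 0;
  const headers = HEADERS.map((h) => {
    const value = lookup.get(h.name.toLowerCase());
    const status = value === undefined ? 'missing' : evaluate(h.name, value);
    if (status === 'pass') score += h.weight; // assumption: weak and missing both earn 0
    else issues[h.severity] += 1;
    return { name: h.name, status, value: value ?? null, severity: h.severity, deprecated: !!h.deprecated };
  });
  const percentage = Math.round((score / MAX_SCORE) * 100);
  return { grade: gradeFor(percentage), percentage, score, maxScore: MAX_SCORE,
    criticalIssues: issues.critical, importantIssues: issues.important, optionalIssues: issues.optional, headers };
}

// Constructed response headers (not from a real scan): everything is present, but the
// CSP allows inline scripts and Referrer-Policy is outside the strict allowlist.
const SAMPLE_HEADERS = {
  'Content-Security-Policy': "default-src 'self'; script-src 'self' 'unsafe-inline'",
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',
  'Referrer-Policy': 'origin',
  'Permissions-Policy': 'camera=(), geolocation=()',
  'Cross-Origin-Opener-Policy': 'same-origin',
  'Cross-Origin-Resource-Policy': 'same-origin',
  'Cross-Origin-Embedder-Policy': 'require-corp',
  'X-XSS-Protection': '0',
};
console.log(scoreHeaders(SAMPLE_HEADERS)); // grade "B", percentage 74, score 67 of 90
```

Swap `SAMPLE_HEADERS` for the `rawHeaders` object of a real scan result to see which single header change moves a site across a grade band.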

### Pricing

- **Free tier:** 100 scans/month
- **Standard:** $0.005 per URL scanned
- **Subscription:** $19/month for 10,000 scans

### Author

Built and maintained by Peak Post. Open source code at [peakpost.ca](https://peakpost.ca).

# Actor input Schema

## `url` (type: `string`):

The page you want graded. Either this or 'urls' is required.

## `urls` (type: `array`):

Array of URLs to scan. Capped at 1000 per run. If both 'url' and 'urls' are provided, 'urls' takes precedence.

## Actor input object example

```json
{
  "url": "https://example.com"
}
```

# API

You can run this Actor programmatically using our API. Below are code examples in JavaScript, Python, and CLI, as well as the OpenAPI specification and MCP server setup.

## JavaScript example

```javascript
import { ApifyClient } from 'apify-client';

// Initialize the ApifyClient with your Apify API token
// Replace the '<YOUR_API_TOKEN>' with your token
const client = new ApifyClient({
    token: '<YOUR_API_TOKEN>',
});

// Prepare Actor input
const input = {
    "url": "https://example.com"
};

// Run the Actor and wait for it to finish
const run = await client.actor("pattonholdings/security-headers-scanner").call(input);

// Fetch and print Actor results from the run's dataset (if any)
console.log('Results from dataset');
console.log(`💾 Check your data here: https://console.apify.com/storage/datasets/${run.defaultDatasetId}`);
const { items } = await client.dataset(run.defaultDatasetId).listItems();
items.forEach((item) => {
    console.dir(item);
});

// 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/js/docs

```

## Python example

```python
from apify_client import ApifyClient

# Initialize the ApifyClient with your Apify API token
# Replace '<YOUR_API_TOKEN>' with your token.
client = ApifyClient("<YOUR_API_TOKEN>")

# Prepare the Actor input
run_input = { "url": "https://example.com" }

# Run the Actor and wait for it to finish
run = client.actor("pattonholdings/security-headers-scanner").call(run_input=run_input)

# Fetch and print Actor results from the run's dataset (if there are any)
print("💾 Check your data here: https://console.apify.com/storage/datasets/" + run["defaultDatasetId"])
for item in client.dataset(run["defaultDatasetId"]).iterate_items():
    print(item)

# 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/python/docs/quick-start

```

## CLI example

```bash
echo '{
  "url": "https://example.com"
}' |
apify call pattonholdings/security-headers-scanner --silent --output-dataset

```

## MCP server setup

```json
{
    "mcpServers": {
        "apify": {
            "command": "npx",
            "args": [
                "mcp-remote",
                "https://mcp.apify.com/?tools=pattonholdings/security-headers-scanner",
                "--header",
                "Authorization: Bearer <YOUR_API_TOKEN>"
            ]
        }
    }
}

```

## OpenAPI specification

```json
{
    "openapi": "3.0.1",
    "info": {
        "title": "Security Headers Scanner",
        "description": "Grade any website's HTTP security headers — letter grade (A+ to F), severity breakdown, per-header pass/weak/missing status, and copy-paste config snippets for Nginx, Apache, Express, and Cloudflare. Port of the 33-user Chrome extension to a programmatic API.",
        "version": "1.3",
        "x-build-id": "zieVdX8eyvdaV874P"
    },
    "servers": [
        {
            "url": "https://api.apify.com/v2"
        }
    ],
    "paths": {
        "/acts/pattonholdings~security-headers-scanner/run-sync-get-dataset-items": {
            "post": {
                "operationId": "run-sync-get-dataset-items-pattonholdings-security-headers-scanner",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK"
                    }
                }
            }
        },
        "/acts/pattonholdings~security-headers-scanner/runs": {
            "post": {
                "operationId": "runs-sync-pattonholdings-security-headers-scanner",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor and returns information about the initiated run in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK",
                        "content": {
                            "application/json": {
                                "schema": {
                                    "$ref": "#/components/schemas/runsResponseSchema"
                                }
                            }
                        }
                    }
                }
            }
        },
        "/acts/pattonholdings~security-headers-scanner/run-sync": {
            "post": {
                "operationId": "run-sync-pattonholdings-security-headers-scanner",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK"
                    }
                }
            }
        }
    },
    "components": {
        "schemas": {
            "inputSchema": {
                "type": "object",
                "properties": {
                    "url": {
                        "title": "Single URL to scan",
                        "type": "string",
                        "description": "The page you want graded. Either this or 'urls' is required."
                    },
                    "urls": {
                        "title": "Multiple URLs (batch mode)",
                        "maxItems": 1000,
                        "uniqueItems": true,
                        "type": "array",
                        "description": "Array of URLs to scan. Capped at 1000 per run. If both 'url' and 'urls' are provided, 'urls' takes precedence.",
                        "items": {
                            "type": "string"
                        }
                    }
                }
            },
            "runsResponseSchema": {
                "type": "object",
                "properties": {
                    "data": {
                        "type": "object",
                        "properties": {
                            "id": {
                                "type": "string"
                            },
                            "actId": {
                                "type": "string"
                            },
                            "userId": {
                                "type": "string"
                            },
                            "startedAt": {
                                "type": "string",
                                "format": "date-time",
                                "example": "2025-01-08T00:00:00.000Z"
                            },
                            "finishedAt": {
                                "type": "string",
                                "format": "date-time",
                                "example": "2025-01-08T00:00:00.000Z"
                            },
                            "status": {
                                "type": "string",
                                "example": "READY"
                            },
                            "meta": {
                                "type": "object",
                                "properties": {
                                    "origin": {
                                        "type": "string",
                                        "example": "API"
                                    },
                                    "userAgent": {
                                        "type": "string"
                                    }
                                }
                            },
                            "stats": {
                                "type": "object",
                                "properties": {
                                    "inputBodyLen": {
                                        "type": "integer",
                                        "example": 2000
                                    },
                                    "rebootCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "restartCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "resurrectCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "computeUnits": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            },
                            "options": {
                                "type": "object",
                                "properties": {
                                    "build": {
                                        "type": "string",
                                        "example": "latest"
                                    },
                                    "timeoutSecs": {
                                        "type": "integer",
                                        "example": 300
                                    },
                                    "memoryMbytes": {
                                        "type": "integer",
                                        "example": 1024
                                    },
                                    "diskMbytes": {
                                        "type": "integer",
                                        "example": 2048
                                    }
                                }
                            },
                            "buildId": {
                                "type": "string"
                            },
                            "defaultKeyValueStoreId": {
                                "type": "string"
                            },
                            "defaultDatasetId": {
                                "type": "string"
                            },
                            "defaultRequestQueueId": {
                                "type": "string"
                            },
                            "buildNumber": {
                                "type": "string",
                                "example": "1.0.0"
                            },
                            "containerUrl": {
                                "type": "string"
                            },
                            "usage": {
                                "type": "object",
                                "properties": {
                                    "ACTOR_COMPUTE_UNITS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_WRITES": {
                                        "type": "integer",
                                        "example": 1
                                    },
                                    "KEY_VALUE_STORE_LISTS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_INTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_EXTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_RESIDENTIAL_TRANSFER_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_SERPS": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            },
                            "usageTotalUsd": {
                                "type": "number",
                                "example": 0.00005
                            },
                            "usageUsd": {
                                "type": "object",
                                "properties": {
                                    "ACTOR_COMPUTE_UNITS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_WRITES": {
                                        "type": "number",
                                        "example": 0.00005
                                    },
                                    "KEY_VALUE_STORE_LISTS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_INTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_EXTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_RESIDENTIAL_TRANSFER_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_SERPS": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}
```
