HTTP Security Headers Auditor
Pricing
from $0.005 / actor start
HTTP Security Headers Auditor
Audit a public website's HTTP security response headers in one API call. Returns a letter grade, numeric score, per-header analysis, and actionable recommendations. Built for security teams, devops, and site migration QA.
Pricing
from $0.005 / actor start
Rating
0.0
(0)
Developer
Sanskar Jaiswal
Maintained by CommunityActor stats
0
Bookmarked
2
Total users
1
Monthly active users
2 days ago
Last modified
Categories
Share
Audit a public website's HTTP security response headers in one API call. Returns a letter grade (A+ through F), a numeric score (0-100), per-header analysis, and actionable recommendations. Covers Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, COOP, CORP, and more.
Use cases
- Security teams - audit client or vendor sites for missing or misconfigured security headers during assessments
- DevOps engineers - verify header configuration after deployments, CDN changes, or reverse-proxy rollouts
- Site migration QA - confirm security headers survive migrations between hosts, frameworks, or edge providers
- Pentest reconnaissance - quickly profile a target's security posture before deeper testing
- Compliance checks - batch-verify that HSTS and CSP are present across a portfolio of domains
Input
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
startUrl | string | yes | - | Public website URL to audit |
timeoutSeconds | integer | no | 10 | Per-request timeout (3-30 seconds) |
Example input
{"startUrl": "https://example.com","timeoutSeconds": 10}
Output
A single dataset item with the full audit:
| Field | Type | Description |
|---|---|---|
inputUrl | string | The URL provided as input |
finalUrl | string | Final URL after redirects |
https | boolean | Whether the final response was served over HTTPS |
ok | boolean | Whether the request succeeded and headers were inspected |
score | integer | Security headers score (0-100) |
grade | string | Letter grade (A+, A, B, C, D, E, F) |
checkedAt | string | ISO 8601 timestamp |
headers | array | Per-header analysis (see below) |
recommendations | array | Actionable recommendations for each missing or weak header |
headers array
Each entry contains:
| Field | Type | Description |
|---|---|---|
name | string | Human-readable header name |
header | string | Lowercase header name as sent by the server |
present | boolean | Whether the header was present in the response |
value | string | The raw header value (empty string if missing) |
status | string | good, warn, or missing |
note | string | Short explanation of the status |
weight | integer | Scoring weight for this header |
recommendation | string | null | Fix recommendation (null when status is good) |
Headers checked
| Header | Weight | HTTPS only |
|---|---|---|
| Strict-Transport-Security | 20 | yes |
| Content-Security-Policy | 20 | no |
| X-Content-Type-Options | 10 | no |
| X-Frame-Options | 10 | no |
| Referrer-Policy | 10 | no |
| Permissions-Policy | 10 | no |
| Cross-Origin-Opener-Policy | 5 | no |
| Cross-Origin-Resource-Policy | 5 | no |
| X-Permitted-Cross-Domain-Policies | 5 | no |
| X-XSS-Protection | 5 | no |
Grading scale
| Score range | Grade |
|---|---|
| 95-100 | A+ |
| 85-94 | A |
| 75-84 | B |
| 65-74 | C |
| 50-64 | D |
| 30-49 | E |
| 0-29 | F |
A good header earns full weight; a warn header earns half weight; a missing header earns zero. Strict-Transport-Security is only scored over HTTPS responses.
Example output
{"inputUrl": "https://example.com","finalUrl": "https://example.com/","https": true,"ok": true,"score": 45,"grade": "E","checkedAt": "2026-07-07T12:00:00.000Z","headers": [{"name": "Strict-Transport-Security","header": "strict-transport-security","present": false,"value": "","status": "missing","note": "Not set. Browsers can be downgraded to plaintext HTTP.","weight": 20,"recommendation": "Set Strict-Transport-Security: max-age=63072000; includeSubDomains; preload on all HTTPS responses."},{"name": "Content-Security-Policy","header": "content-security-policy","present": false,"value": "","status": "missing","note": "Not set. Cross-site scripting and data injection are not mitigated.","weight": 20,"recommendation": "Set a Content-Security-Policy with a restrictive default-src and avoid 'unsafe-inline' and wildcard sources."}],"recommendations": ["Set Strict-Transport-Security: max-age=63072000; includeSubDomains; preload on all HTTPS responses.","Set a Content-Security-Policy with a restrictive default-src and avoid 'unsafe-inline' and wildcard sources.","Set X-Content-Type-Options: nosniff to prevent MIME-type sniffing.","Set X-Frame-Options: DENY (or SAMEORIGIN) or use CSP frame-ancestors to prevent clickjacking.","Set Referrer-Policy: strict-origin-when-cross-origin to limit referrer leakage.","Set Permissions-Policy to restrict access to sensitive browser features (camera, microphone, geolocation).","Set Cross-Origin-Opener-Policy: same-origin to isolate browsing contexts.","Set Cross-Origin-Resource-Policy: same-site to block unauthorized cross-origin loads.","Set X-Permitted-Cross-Domain-Policies: none to disable Adobe cross-domain policy files.","Set X-XSS-Protection: 1; mode=block for legacy browser support (modern browsers rely on CSP)."]}
Security
- Only public HTTP/HTTPS URLs are accepted
- SSRF protection: localhost, private IPv4/IPv6, and DNS-resolving-to-private IPs are blocked
- URLs with embedded credentials are rejected
- Redirects are manually revalidated before following (max 3)
- No browser automation, no proxies, no cookies stored
Pricing
Pay per event:
| Event | Price |
|---|---|
| Actor start | $0.005 |
| Site audited | $0.01 |
A single-site audit costs approximately $0.015.
FAQ
How is this different from securityheaders.com? securityheaders.com is a web UI. This actor provides a programmatic JSON API suitable for automation, batch auditing, and integration into CI/CD or monitoring pipelines.
Does the actor check /.well-known/security.txt? No. That is a separate concern (vulnerability disclosure contact information). This actor focuses on HTTP security response headers. For security.txt auditing, use a dedicated security.txt actor.
Why is Strict-Transport-Security only scored over HTTPS? HSTS has no effect over plaintext HTTP. The actor skips it when the response is served over HTTP, so the score reflects only headers that are meaningful for the observed transport.
Can I audit multiple sites in one run? This actor audits one site per run. For bulk audits, schedule multiple runs.
Does the actor follow redirects? Yes, up to 3 redirects. Each redirect target is revalidated for SSRF safety before it is followed.