HTTP Security Headers Auditor avatar

HTTP Security Headers Auditor

Pricing

from $0.005 / actor start

Go to Apify Store
HTTP Security Headers Auditor

HTTP Security Headers Auditor

Audit a public website's HTTP security response headers in one API call. Returns a letter grade, numeric score, per-header analysis, and actionable recommendations. Built for security teams, devops, and site migration QA.

Pricing

from $0.005 / actor start

Rating

0.0

(0)

Developer

Sanskar Jaiswal

Sanskar Jaiswal

Maintained by Community

Actor stats

0

Bookmarked

2

Total users

1

Monthly active users

2 days ago

Last modified

Share

Audit a public website's HTTP security response headers in one API call. Returns a letter grade (A+ through F), a numeric score (0-100), per-header analysis, and actionable recommendations. Covers Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, COOP, CORP, and more.

Use cases

  • Security teams - audit client or vendor sites for missing or misconfigured security headers during assessments
  • DevOps engineers - verify header configuration after deployments, CDN changes, or reverse-proxy rollouts
  • Site migration QA - confirm security headers survive migrations between hosts, frameworks, or edge providers
  • Pentest reconnaissance - quickly profile a target's security posture before deeper testing
  • Compliance checks - batch-verify that HSTS and CSP are present across a portfolio of domains

Input

FieldTypeRequiredDefaultDescription
startUrlstringyes-Public website URL to audit
timeoutSecondsintegerno10Per-request timeout (3-30 seconds)

Example input

{
"startUrl": "https://example.com",
"timeoutSeconds": 10
}

Output

A single dataset item with the full audit:

FieldTypeDescription
inputUrlstringThe URL provided as input
finalUrlstringFinal URL after redirects
httpsbooleanWhether the final response was served over HTTPS
okbooleanWhether the request succeeded and headers were inspected
scoreintegerSecurity headers score (0-100)
gradestringLetter grade (A+, A, B, C, D, E, F)
checkedAtstringISO 8601 timestamp
headersarrayPer-header analysis (see below)
recommendationsarrayActionable recommendations for each missing or weak header

headers array

Each entry contains:

FieldTypeDescription
namestringHuman-readable header name
headerstringLowercase header name as sent by the server
presentbooleanWhether the header was present in the response
valuestringThe raw header value (empty string if missing)
statusstringgood, warn, or missing
notestringShort explanation of the status
weightintegerScoring weight for this header
recommendationstring | nullFix recommendation (null when status is good)

Headers checked

HeaderWeightHTTPS only
Strict-Transport-Security20yes
Content-Security-Policy20no
X-Content-Type-Options10no
X-Frame-Options10no
Referrer-Policy10no
Permissions-Policy10no
Cross-Origin-Opener-Policy5no
Cross-Origin-Resource-Policy5no
X-Permitted-Cross-Domain-Policies5no
X-XSS-Protection5no

Grading scale

Score rangeGrade
95-100A+
85-94A
75-84B
65-74C
50-64D
30-49E
0-29F

A good header earns full weight; a warn header earns half weight; a missing header earns zero. Strict-Transport-Security is only scored over HTTPS responses.

Example output

{
"inputUrl": "https://example.com",
"finalUrl": "https://example.com/",
"https": true,
"ok": true,
"score": 45,
"grade": "E",
"checkedAt": "2026-07-07T12:00:00.000Z",
"headers": [
{
"name": "Strict-Transport-Security",
"header": "strict-transport-security",
"present": false,
"value": "",
"status": "missing",
"note": "Not set. Browsers can be downgraded to plaintext HTTP.",
"weight": 20,
"recommendation": "Set Strict-Transport-Security: max-age=63072000; includeSubDomains; preload on all HTTPS responses."
},
{
"name": "Content-Security-Policy",
"header": "content-security-policy",
"present": false,
"value": "",
"status": "missing",
"note": "Not set. Cross-site scripting and data injection are not mitigated.",
"weight": 20,
"recommendation": "Set a Content-Security-Policy with a restrictive default-src and avoid 'unsafe-inline' and wildcard sources."
}
],
"recommendations": [
"Set Strict-Transport-Security: max-age=63072000; includeSubDomains; preload on all HTTPS responses.",
"Set a Content-Security-Policy with a restrictive default-src and avoid 'unsafe-inline' and wildcard sources.",
"Set X-Content-Type-Options: nosniff to prevent MIME-type sniffing.",
"Set X-Frame-Options: DENY (or SAMEORIGIN) or use CSP frame-ancestors to prevent clickjacking.",
"Set Referrer-Policy: strict-origin-when-cross-origin to limit referrer leakage.",
"Set Permissions-Policy to restrict access to sensitive browser features (camera, microphone, geolocation).",
"Set Cross-Origin-Opener-Policy: same-origin to isolate browsing contexts.",
"Set Cross-Origin-Resource-Policy: same-site to block unauthorized cross-origin loads.",
"Set X-Permitted-Cross-Domain-Policies: none to disable Adobe cross-domain policy files.",
"Set X-XSS-Protection: 1; mode=block for legacy browser support (modern browsers rely on CSP)."
]
}

Security

  • Only public HTTP/HTTPS URLs are accepted
  • SSRF protection: localhost, private IPv4/IPv6, and DNS-resolving-to-private IPs are blocked
  • URLs with embedded credentials are rejected
  • Redirects are manually revalidated before following (max 3)
  • No browser automation, no proxies, no cookies stored

Pricing

Pay per event:

EventPrice
Actor start$0.005
Site audited$0.01

A single-site audit costs approximately $0.015.

FAQ

How is this different from securityheaders.com? securityheaders.com is a web UI. This actor provides a programmatic JSON API suitable for automation, batch auditing, and integration into CI/CD or monitoring pipelines.

Does the actor check /.well-known/security.txt? No. That is a separate concern (vulnerability disclosure contact information). This actor focuses on HTTP security response headers. For security.txt auditing, use a dedicated security.txt actor.

Why is Strict-Transport-Security only scored over HTTPS? HSTS has no effect over plaintext HTTP. The actor skips it when the response is served over HTTP, so the score reflects only headers that are meaningful for the observed transport.

Can I audit multiple sites in one run? This actor audits one site per run. For bulk audits, schedule multiple runs.

Does the actor follow redirects? Yes, up to 3 redirects. Each redirect target is revalidated for SSRF safety before it is followed.