# HTTP Security Headers Auditor (`phoenix2810/http-security-headers-auditor`) Actor

Audit a public website's HTTP security response headers in one API call. Returns a letter grade, numeric score, per-header analysis, and actionable recommendations. Built for security teams, devops, and site migration QA.

- **URL**: https://apify.com/phoenix2810/http-security-headers-auditor.md
- **Developed by:** [Sanskar Jaiswal](https://apify.com/phoenix2810) (community)
- **Categories:** Developer tools, SEO tools, Open source
- **Stats:** 2 total users, 1 monthly users, 100.0% runs succeeded, 0 bookmarks
- **User rating**: No ratings yet

## Pricing

from $0.005 / actor start

This Actor is paid per event. You are not charged for the Apify platform usage, but only a fixed price for specific events.

Learn more: https://docs.apify.com/platform/actors/running/actors-in-store#pay-per-event

## What's an Apify Actor?

Actors are a software tools running on the Apify platform, for all kinds of web data extraction and automation use cases.
In Batch mode, an Actor accepts a well-defined JSON input, performs an action which can take anything from a few seconds to a few hours,
and optionally produces a well-defined JSON output, datasets with results, or files in key-value store.
In Standby mode, an Actor provides a web server which can be used as a website, API, or an MCP server.
Actors are written with capital "A".

## How to integrate an Actor?

If asked about integration, you help developers integrate Actors into their projects.
You adapt to their stack and deliver integrations that are safe, well-documented, and production-ready.
The best way to integrate Actors is as follows.

In JavaScript/TypeScript projects, use official [JavaScript/TypeScript client](https://docs.apify.com/api/client/js.md):

```bash
npm install apify-client
```

In Python projects, use official [Python client library](https://docs.apify.com/api/client/python.md):

```bash
pip install apify-client
```

In shell scripts, use [Apify CLI](https://docs.apify.com/cli/docs.md):

````bash
# MacOS / Linux
curl -fsSL https://apify.com/install-cli.sh | bash
# Windows
irm https://apify.com/install-cli.ps1 | iex
```bash

In AI frameworks, you might use the [Apify MCP server](https://docs.apify.com/platform/integrations/mcp.md).

If your project is in a different language, use the [REST API](https://docs.apify.com/api/v2.md).

For usage examples, see the [API](#api) section below.

For more details, see Apify documentation as [Markdown index](https://docs.apify.com/llms.txt) and [Markdown full-text](https://docs.apify.com/llms-full.txt).


# README

## HTTP Security Headers Auditor

Audit a public website's HTTP security response headers in one API call. Returns a letter grade (A+ through F), a numeric score (0-100), per-header analysis, and actionable recommendations. Covers Strict-Transport-Security, Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy, COOP, CORP, and more.

### Use cases

- **Security teams** - audit client or vendor sites for missing or misconfigured security headers during assessments
- **DevOps engineers** - verify header configuration after deployments, CDN changes, or reverse-proxy rollouts
- **Site migration QA** - confirm security headers survive migrations between hosts, frameworks, or edge providers
- **Pentest reconnaissance** - quickly profile a target's security posture before deeper testing
- **Compliance checks** - batch-verify that HSTS and CSP are present across a portfolio of domains

### Input

| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| `startUrl` | string | yes | - | Public website URL to audit |
| `timeoutSeconds` | integer | no | `10` | Per-request timeout (3-30 seconds) |

#### Example input

```json
{
  "startUrl": "https://example.com",
  "timeoutSeconds": 10
}
````

### Output

A single dataset item with the full audit:

| Field | Type | Description |
|---|---|---|
| `inputUrl` | string | The URL provided as input |
| `finalUrl` | string | Final URL after redirects |
| `https` | boolean | Whether the final response was served over HTTPS |
| `ok` | boolean | Whether the request succeeded and headers were inspected |
| `score` | integer | Security headers score (0-100) |
| `grade` | string | Letter grade (A+, A, B, C, D, E, F) |
| `checkedAt` | string | ISO 8601 timestamp |
| `headers` | array | Per-header analysis (see below) |
| `recommendations` | array | Actionable recommendations for each missing or weak header |

#### `headers` array

Each entry contains:

| Field | Type | Description |
|---|---|---|
| `name` | string | Human-readable header name |
| `header` | string | Lowercase header name as sent by the server |
| `present` | boolean | Whether the header was present in the response |
| `value` | string | The raw header value (empty string if missing) |
| `status` | string | `good`, `warn`, or `missing` |
| `note` | string | Short explanation of the status |
| `weight` | integer | Scoring weight for this header |
| `recommendation` | string | null | Fix recommendation (null when status is good) |

#### Headers checked

| Header | Weight | HTTPS only |
|---|---|---|
| Strict-Transport-Security | 20 | yes |
| Content-Security-Policy | 20 | no |
| X-Content-Type-Options | 10 | no |
| X-Frame-Options | 10 | no |
| Referrer-Policy | 10 | no |
| Permissions-Policy | 10 | no |
| Cross-Origin-Opener-Policy | 5 | no |
| Cross-Origin-Resource-Policy | 5 | no |
| X-Permitted-Cross-Domain-Policies | 5 | no |
| X-XSS-Protection | 5 | no |

#### Grading scale

| Score range | Grade |
|---|---|
| 95-100 | A+ |
| 85-94 | A |
| 75-84 | B |
| 65-74 | C |
| 50-64 | D |
| 30-49 | E |
| 0-29 | F |

A `good` header earns full weight; a `warn` header earns half weight; a `missing` header earns zero. Strict-Transport-Security is only scored over HTTPS responses.

#### Example output

```json
{
  "inputUrl": "https://example.com",
  "finalUrl": "https://example.com/",
  "https": true,
  "ok": true,
  "score": 45,
  "grade": "E",
  "checkedAt": "2026-07-07T12:00:00.000Z",
  "headers": [
    {
      "name": "Strict-Transport-Security",
      "header": "strict-transport-security",
      "present": false,
      "value": "",
      "status": "missing",
      "note": "Not set. Browsers can be downgraded to plaintext HTTP.",
      "weight": 20,
      "recommendation": "Set Strict-Transport-Security: max-age=63072000; includeSubDomains; preload on all HTTPS responses."
    },
    {
      "name": "Content-Security-Policy",
      "header": "content-security-policy",
      "present": false,
      "value": "",
      "status": "missing",
      "note": "Not set. Cross-site scripting and data injection are not mitigated.",
      "weight": 20,
      "recommendation": "Set a Content-Security-Policy with a restrictive default-src and avoid 'unsafe-inline' and wildcard sources."
    }
  ],
  "recommendations": [
    "Set Strict-Transport-Security: max-age=63072000; includeSubDomains; preload on all HTTPS responses.",
    "Set a Content-Security-Policy with a restrictive default-src and avoid 'unsafe-inline' and wildcard sources.",
    "Set X-Content-Type-Options: nosniff to prevent MIME-type sniffing.",
    "Set X-Frame-Options: DENY (or SAMEORIGIN) or use CSP frame-ancestors to prevent clickjacking.",
    "Set Referrer-Policy: strict-origin-when-cross-origin to limit referrer leakage.",
    "Set Permissions-Policy to restrict access to sensitive browser features (camera, microphone, geolocation).",
    "Set Cross-Origin-Opener-Policy: same-origin to isolate browsing contexts.",
    "Set Cross-Origin-Resource-Policy: same-site to block unauthorized cross-origin loads.",
    "Set X-Permitted-Cross-Domain-Policies: none to disable Adobe cross-domain policy files.",
    "Set X-XSS-Protection: 1; mode=block for legacy browser support (modern browsers rely on CSP)."
  ]
}
```

### Security

- Only public HTTP/HTTPS URLs are accepted
- SSRF protection: localhost, private IPv4/IPv6, and DNS-resolving-to-private IPs are blocked
- URLs with embedded credentials are rejected
- Redirects are manually revalidated before following (max 3)
- No browser automation, no proxies, no cookies stored

### Pricing

Pay per event:

| Event | Price |
|---|---|
| Actor start | $0.005 |
| Site audited | $0.01 |

A single-site audit costs approximately $0.015.

### FAQ

**How is this different from securityheaders.com?**
securityheaders.com is a web UI. This actor provides a programmatic JSON API suitable for automation, batch auditing, and integration into CI/CD or monitoring pipelines.

**Does the actor check /.well-known/security.txt?**
No. That is a separate concern (vulnerability disclosure contact information). This actor focuses on HTTP security response headers. For security.txt auditing, use a dedicated security.txt actor.

**Why is Strict-Transport-Security only scored over HTTPS?**
HSTS has no effect over plaintext HTTP. The actor skips it when the response is served over HTTP, so the score reflects only headers that are meaningful for the observed transport.

**Can I audit multiple sites in one run?**
This actor audits one site per run. For bulk audits, schedule multiple runs.

**Does the actor follow redirects?**
Yes, up to 3 redirects. Each redirect target is revalidated for SSRF safety before it is followed.

# Actor input Schema

## `startUrl` (type: `string`):

Public website URL to audit. The actor fetches the URL once and inspects the HTTP response headers. HTTP and HTTPS only. Private IP ranges are blocked.

## `timeoutSeconds` (type: `integer`):

Timeout for the HTTP request.

## Actor input object example

```json
{
  "startUrl": "https://example.com",
  "timeoutSeconds": 10
}
```

# Actor output Schema

## `results` (type: `string`):

No description

# API

You can run this Actor programmatically using our API. Below are code examples in JavaScript, Python, and CLI, as well as the OpenAPI specification and MCP server setup.

## JavaScript example

```javascript
import { ApifyClient } from 'apify-client';

// Initialize the ApifyClient with your Apify API token
// Replace the '<YOUR_API_TOKEN>' with your token
const client = new ApifyClient({
    token: '<YOUR_API_TOKEN>',
});

// Prepare Actor input
const input = {
    "startUrl": "https://example.com"
};

// Run the Actor and wait for it to finish
const run = await client.actor("phoenix2810/http-security-headers-auditor").call(input);

// Fetch and print Actor results from the run's dataset (if any)
console.log('Results from dataset');
console.log(`💾 Check your data here: https://console.apify.com/storage/datasets/${run.defaultDatasetId}`);
const { items } = await client.dataset(run.defaultDatasetId).listItems();
items.forEach((item) => {
    console.dir(item);
});

// 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/js/docs

```

## Python example

```python
from apify_client import ApifyClient

# Initialize the ApifyClient with your Apify API token
# Replace '<YOUR_API_TOKEN>' with your token.
client = ApifyClient("<YOUR_API_TOKEN>")

# Prepare the Actor input
run_input = { "startUrl": "https://example.com" }

# Run the Actor and wait for it to finish
run = client.actor("phoenix2810/http-security-headers-auditor").call(run_input=run_input)

# Fetch and print Actor results from the run's dataset (if there are any)
print("💾 Check your data here: https://console.apify.com/storage/datasets/" + run["defaultDatasetId"])
for item in client.dataset(run["defaultDatasetId"]).iterate_items():
    print(item)

# 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/python/docs/quick-start

```

## CLI example

```bash
echo '{
  "startUrl": "https://example.com"
}' |
apify call phoenix2810/http-security-headers-auditor --silent --output-dataset

```

## MCP server setup

```json
{
    "mcpServers": {
        "apify": {
            "command": "npx",
            "args": [
                "mcp-remote",
                "https://mcp.apify.com/?tools=phoenix2810/http-security-headers-auditor",
                "--header",
                "Authorization: Bearer <YOUR_API_TOKEN>"
            ]
        }
    }
}

```

## OpenAPI specification

```json
{
    "openapi": "3.0.1",
    "info": {
        "title": "HTTP Security Headers Auditor",
        "description": "Audit a public website's HTTP security response headers in one API call. Returns a letter grade, numeric score, per-header analysis, and actionable recommendations. Built for security teams, devops, and site migration QA.",
        "version": "0.1",
        "x-build-id": "QlVIewoahn5BNDHli"
    },
    "servers": [
        {
            "url": "https://api.apify.com/v2"
        }
    ],
    "paths": {
        "/acts/phoenix2810~http-security-headers-auditor/run-sync-get-dataset-items": {
            "post": {
                "operationId": "run-sync-get-dataset-items-phoenix2810-http-security-headers-auditor",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK"
                    }
                }
            }
        },
        "/acts/phoenix2810~http-security-headers-auditor/runs": {
            "post": {
                "operationId": "runs-sync-phoenix2810-http-security-headers-auditor",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor and returns information about the initiated run in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK",
                        "content": {
                            "application/json": {
                                "schema": {
                                    "$ref": "#/components/schemas/runsResponseSchema"
                                }
                            }
                        }
                    }
                }
            }
        },
        "/acts/phoenix2810~http-security-headers-auditor/run-sync": {
            "post": {
                "operationId": "run-sync-phoenix2810-http-security-headers-auditor",
                "x-openai-isConsequential": false,
                "summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.",
                "tags": [
                    "Run Actor"
                ],
                "requestBody": {
                    "required": true,
                    "content": {
                        "application/json": {
                            "schema": {
                                "$ref": "#/components/schemas/inputSchema"
                            }
                        }
                    }
                },
                "parameters": [
                    {
                        "name": "token",
                        "in": "query",
                        "required": true,
                        "schema": {
                            "type": "string"
                        },
                        "description": "Enter your Apify token here"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "OK"
                    }
                }
            }
        }
    },
    "components": {
        "schemas": {
            "inputSchema": {
                "type": "object",
                "required": [
                    "startUrl"
                ],
                "properties": {
                    "startUrl": {
                        "title": "Website URL",
                        "pattern": "^https?://.+",
                        "type": "string",
                        "description": "Public website URL to audit. The actor fetches the URL once and inspects the HTTP response headers. HTTP and HTTPS only. Private IP ranges are blocked."
                    },
                    "timeoutSeconds": {
                        "title": "Request timeout (seconds)",
                        "minimum": 3,
                        "maximum": 30,
                        "type": "integer",
                        "description": "Timeout for the HTTP request.",
                        "default": 10
                    }
                }
            },
            "runsResponseSchema": {
                "type": "object",
                "properties": {
                    "data": {
                        "type": "object",
                        "properties": {
                            "id": {
                                "type": "string"
                            },
                            "actId": {
                                "type": "string"
                            },
                            "userId": {
                                "type": "string"
                            },
                            "startedAt": {
                                "type": "string",
                                "format": "date-time",
                                "example": "2025-01-08T00:00:00.000Z"
                            },
                            "finishedAt": {
                                "type": "string",
                                "format": "date-time",
                                "example": "2025-01-08T00:00:00.000Z"
                            },
                            "status": {
                                "type": "string",
                                "example": "READY"
                            },
                            "meta": {
                                "type": "object",
                                "properties": {
                                    "origin": {
                                        "type": "string",
                                        "example": "API"
                                    },
                                    "userAgent": {
                                        "type": "string"
                                    }
                                }
                            },
                            "stats": {
                                "type": "object",
                                "properties": {
                                    "inputBodyLen": {
                                        "type": "integer",
                                        "example": 2000
                                    },
                                    "rebootCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "restartCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "resurrectCount": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "computeUnits": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            },
                            "options": {
                                "type": "object",
                                "properties": {
                                    "build": {
                                        "type": "string",
                                        "example": "latest"
                                    },
                                    "timeoutSecs": {
                                        "type": "integer",
                                        "example": 300
                                    },
                                    "memoryMbytes": {
                                        "type": "integer",
                                        "example": 1024
                                    },
                                    "diskMbytes": {
                                        "type": "integer",
                                        "example": 2048
                                    }
                                }
                            },
                            "buildId": {
                                "type": "string"
                            },
                            "defaultKeyValueStoreId": {
                                "type": "string"
                            },
                            "defaultDatasetId": {
                                "type": "string"
                            },
                            "defaultRequestQueueId": {
                                "type": "string"
                            },
                            "buildNumber": {
                                "type": "string",
                                "example": "1.0.0"
                            },
                            "containerUrl": {
                                "type": "string"
                            },
                            "usage": {
                                "type": "object",
                                "properties": {
                                    "ACTOR_COMPUTE_UNITS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_WRITES": {
                                        "type": "integer",
                                        "example": 1
                                    },
                                    "KEY_VALUE_STORE_LISTS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_INTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_EXTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_RESIDENTIAL_TRANSFER_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_SERPS": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            },
                            "usageTotalUsd": {
                                "type": "number",
                                "example": 0.00005
                            },
                            "usageUsd": {
                                "type": "object",
                                "properties": {
                                    "ACTOR_COMPUTE_UNITS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATASET_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "KEY_VALUE_STORE_WRITES": {
                                        "type": "number",
                                        "example": 0.00005
                                    },
                                    "KEY_VALUE_STORE_LISTS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_READS": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "REQUEST_QUEUE_WRITES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_INTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "DATA_TRANSFER_EXTERNAL_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_RESIDENTIAL_TRANSFER_GBYTES": {
                                        "type": "integer",
                                        "example": 0
                                    },
                                    "PROXY_SERPS": {
                                        "type": "integer",
                                        "example": 0
                                    }
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}
```
