Security Headers Checker
Pricing
$0.50 / 1,000 checked urls
Security Headers Checker
Check public URLs for common HTTP security headers including HSTS, Content Security Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. Export a simple website security header report as JSON or CSV.
Pricing
$0.50 / 1,000 checked urls
Rating
0.0
(0)
Developer
mohamed senator
Maintained by CommunityActor stats
0
Bookmarked
2
Total users
1
Monthly active users
2 days ago
Last modified
Categories
Share
Audit public URLs for common HTTP security headers. This Apify Actor checks whether each URL uses HTTPS and whether the final response includes headers such as HSTS, Content Security Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy.
What does this Actor do?
Security Headers Checker helps website owners, agencies, developers, and no-code operators run quick security-header QA checks across a list of public URLs. It is useful before launches, after migrations, or as a recurring lightweight website health check.
The Actor uses only public URLs that you provide. It does not log in, bypass CAPTCHA, scan private networks, exploit vulnerabilities, or perform penetration testing.
Typical use cases
- Check client websites for missing security headers
- Verify HTTPS and HSTS after a migration
- Audit landing pages before a campaign launch
- Export a simple security header report to CSV or JSON
- Monitor important public URLs on a schedule
Input
Add public http:// or https:// URLs. Local, private-network, malformed, FTP, and non-HTTP URLs are rejected.
{"startUrls": [{ "url": "https://example.com" },{ "url": "https://www.iana.org" }],"maxResults": 100,"requestTimeoutSecs": 20}
Output
Each checked URL is saved as one item in the Apify Dataset.
| Field | Meaning |
|---|---|
originalUrl | URL you provided |
finalUrl | Final URL after redirects |
statusCode | Final HTTP status code |
ok | true for successful 2xx/3xx final status without request error |
usesHttps | Whether the final URL uses HTTPS |
strictTransportSecurity | Value of Strict-Transport-Security if present |
contentSecurityPolicy | Value of Content-Security-Policy if present |
xFrameOptions | Value of X-Frame-Options if present |
xContentTypeOptions | Value of X-Content-Type-Options if present |
referrerPolicy | Value of Referrer-Policy if present |
permissionsPolicy | Value of Permissions-Policy if present |
missingHeaders | Common security headers not found |
score | Simple 0–100 score based on present headers |
error | Clear error message if the URL could not be checked |
checkedAt | ISO timestamp of the check |
Example output
{"originalUrl": "https://example.com/","finalUrl": "https://example.com/","statusCode": 200,"ok": true,"usesHttps": true,"strictTransportSecurity": null,"contentSecurityPolicy": null,"xFrameOptions": null,"xContentTypeOptions": "nosniff","referrerPolicy": null,"permissionsPolicy": null,"missingHeaders": ["strict-transport-security", "content-security-policy"],"score": 17,"error": null,"checkedAt": "2026-07-04T00:00:00.000Z"}
Limitations
- This Actor checks public response headers only.
- It is not a penetration test, vulnerability scanner, or compliance certification tool.
- Some websites block automated requests; those URLs will return an error instead of fake success.
- Header presence does not guarantee that a policy is strong or correctly configured.
Suggested Pay Per Event pricing
Recommended primary event: one checked URL / default dataset item.
Suggested launch price: $0.50 per 1,000 checked URLs plus Apify platform usage costs.
SEO title suggestion
Security Headers Checker API - Bulk HTTP Header Audit
SEO description suggestion
Check public URLs for common HTTP security headers including HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy.