Security Headers Checker avatar

Security Headers Checker

Pricing

$0.50 / 1,000 checked urls

Go to Apify Store
Security Headers Checker

Security Headers Checker

Check public URLs for common HTTP security headers including HSTS, Content Security Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. Export a simple website security header report as JSON or CSV.

Pricing

$0.50 / 1,000 checked urls

Rating

0.0

(0)

Developer

mohamed senator

mohamed senator

Maintained by Community

Actor stats

0

Bookmarked

2

Total users

1

Monthly active users

2 days ago

Last modified

Share

Audit public URLs for common HTTP security headers. This Apify Actor checks whether each URL uses HTTPS and whether the final response includes headers such as HSTS, Content Security Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy.

What does this Actor do?

Security Headers Checker helps website owners, agencies, developers, and no-code operators run quick security-header QA checks across a list of public URLs. It is useful before launches, after migrations, or as a recurring lightweight website health check.

The Actor uses only public URLs that you provide. It does not log in, bypass CAPTCHA, scan private networks, exploit vulnerabilities, or perform penetration testing.

Typical use cases

  • Check client websites for missing security headers
  • Verify HTTPS and HSTS after a migration
  • Audit landing pages before a campaign launch
  • Export a simple security header report to CSV or JSON
  • Monitor important public URLs on a schedule

Input

Add public http:// or https:// URLs. Local, private-network, malformed, FTP, and non-HTTP URLs are rejected.

{
"startUrls": [
{ "url": "https://example.com" },
{ "url": "https://www.iana.org" }
],
"maxResults": 100,
"requestTimeoutSecs": 20
}

Output

Each checked URL is saved as one item in the Apify Dataset.

FieldMeaning
originalUrlURL you provided
finalUrlFinal URL after redirects
statusCodeFinal HTTP status code
oktrue for successful 2xx/3xx final status without request error
usesHttpsWhether the final URL uses HTTPS
strictTransportSecurityValue of Strict-Transport-Security if present
contentSecurityPolicyValue of Content-Security-Policy if present
xFrameOptionsValue of X-Frame-Options if present
xContentTypeOptionsValue of X-Content-Type-Options if present
referrerPolicyValue of Referrer-Policy if present
permissionsPolicyValue of Permissions-Policy if present
missingHeadersCommon security headers not found
scoreSimple 0–100 score based on present headers
errorClear error message if the URL could not be checked
checkedAtISO timestamp of the check

Example output

{
"originalUrl": "https://example.com/",
"finalUrl": "https://example.com/",
"statusCode": 200,
"ok": true,
"usesHttps": true,
"strictTransportSecurity": null,
"contentSecurityPolicy": null,
"xFrameOptions": null,
"xContentTypeOptions": "nosniff",
"referrerPolicy": null,
"permissionsPolicy": null,
"missingHeaders": ["strict-transport-security", "content-security-policy"],
"score": 17,
"error": null,
"checkedAt": "2026-07-04T00:00:00.000Z"
}

Limitations

  • This Actor checks public response headers only.
  • It is not a penetration test, vulnerability scanner, or compliance certification tool.
  • Some websites block automated requests; those URLs will return an error instead of fake success.
  • Header presence does not guarantee that a policy is strong or correctly configured.

Suggested Pay Per Event pricing

Recommended primary event: one checked URL / default dataset item.

Suggested launch price: $0.50 per 1,000 checked URLs plus Apify platform usage costs.

SEO title suggestion

Security Headers Checker API - Bulk HTTP Header Audit

SEO description suggestion

Check public URLs for common HTTP security headers including HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy.