Security Headers Validator
Pricing
Pay per usage
Security Headers Validator
Validate security response headers on any public URL: HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy. Per-Header pass/warn/fail with documented fix-hints.
Pricing
Pay per usage
Rating
0.0
(0)
Developer
Nikita S
Maintained by CommunityActor stats
0
Bookmarked
2
Total users
1
Monthly active users
3 days ago
Last modified
Categories
Share
Probe any public URL and emit a per-Header pass/warn/fail row with the observed value, expected value, and a one-line fixHint. Covers the six security response headers every webops/devops team should audit:
Strict-Transport-Security(HSTS):max-age >= 15552000,includeSubDomainsrecommended.Content-Security-Policy(CSP):default-srcpresent;script-srcmust not allow'unsafe-inline','unsafe-eval', or*.X-Frame-Options:DENYorSAMEORIGIN;ALLOW-FROMis deprecated.X-Content-Type-Options: must be exactlynosniff.Referrer-Policy:strict-origin-when-cross-originor stricter;unsafe-urlandno-referrer-when-downgradeflagged.Permissions-Policy:camera,microphone,geolocationdisabled by default.
A SUMMARY record per run gives per-URL pass/warn/fail counts and a 0–100 score.
Quick start
{"urls": ["https://apify.com", "https://example.com"]}
Output: one row per (url, header) pair with status, observed, expected, fixHint. SUMMARY: per-URL score and counts.
Why this Actor
- Per-Header, not score-aggregated. Every check returns its own row so you can grep/filter the dataset on a single header (e.g. find every URL whose
content-security-policyallows'unsafe-inline'). - Documented fix-hints. Every
fail/warnrow includes a one-linefixHintstring you can paste into a remediation ticket. - Pairs with the
url-safety-proberActor (RDAP + TLS) and thehttp-status-batchActor (status + redirect chain). Feed the same URL list into all three for a complete first-pass security audit. - Pure Node, no headless Chrome, no auth, no scraping beyond a single public GET. Works on any HTTP/HTTPS endpoint.
Limits
- This Actor only validates response headers. It does not probe for CORS misconfigurations, cookie flags, or TLS issues (use
url-safety-proberfor TLS). - The check for CSP focuses on
default-src+script-srcno-unsafe-inline/no-*. It does not lint every CSP directive (e.g.frame-ancestors,base-uri,form-action). - The
permissions-policycheck verifies the three most-leaked sensitive features (camera,microphone,geolocation). Other features (payment, USB, etc.) are not yet covered.
Pricing
payPerEvent: 0 (free) by default. To charge per check, add Actor.charge({ eventName: 'header_check', count }) and configure Pay Per Event.
Run locally
echo '{"urls":["https://apify.com"]}' > input.jsonnpm start -- --input-file input.json
Tests
$npm test
20 unit tests cover all six header checks, the score formula, and case-insensitive header matching.
Support
Open an issue on the Apify Actor page. Custom CSP/header audits (e.g. PCI-DSS profiles) are available on request.