Security Headers Validator avatar

Security Headers Validator

Pricing

Pay per usage

Go to Apify Store
Security Headers Validator

Security Headers Validator

Validate security response headers on any public URL: HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy. Per-Header pass/warn/fail with documented fix-hints.

Pricing

Pay per usage

Rating

0.0

(0)

Developer

Nikita S

Nikita S

Maintained by Community

Actor stats

0

Bookmarked

2

Total users

1

Monthly active users

3 days ago

Last modified

Share

Probe any public URL and emit a per-Header pass/warn/fail row with the observed value, expected value, and a one-line fixHint. Covers the six security response headers every webops/devops team should audit:

  • Strict-Transport-Security (HSTS): max-age >= 15552000, includeSubDomains recommended.
  • Content-Security-Policy (CSP): default-src present; script-src must not allow 'unsafe-inline', 'unsafe-eval', or *.
  • X-Frame-Options: DENY or SAMEORIGIN; ALLOW-FROM is deprecated.
  • X-Content-Type-Options: must be exactly nosniff.
  • Referrer-Policy: strict-origin-when-cross-origin or stricter; unsafe-url and no-referrer-when-downgrade flagged.
  • Permissions-Policy: camera, microphone, geolocation disabled by default.

A SUMMARY record per run gives per-URL pass/warn/fail counts and a 0–100 score.

Quick start

{
"urls": ["https://apify.com", "https://example.com"]
}

Output: one row per (url, header) pair with status, observed, expected, fixHint. SUMMARY: per-URL score and counts.

Why this Actor

  • Per-Header, not score-aggregated. Every check returns its own row so you can grep/filter the dataset on a single header (e.g. find every URL whose content-security-policy allows 'unsafe-inline').
  • Documented fix-hints. Every fail/warn row includes a one-line fixHint string you can paste into a remediation ticket.
  • Pairs with the url-safety-prober Actor (RDAP + TLS) and the http-status-batch Actor (status + redirect chain). Feed the same URL list into all three for a complete first-pass security audit.
  • Pure Node, no headless Chrome, no auth, no scraping beyond a single public GET. Works on any HTTP/HTTPS endpoint.

Limits

  • This Actor only validates response headers. It does not probe for CORS misconfigurations, cookie flags, or TLS issues (use url-safety-prober for TLS).
  • The check for CSP focuses on default-src + script-src no-unsafe-inline/no-*. It does not lint every CSP directive (e.g. frame-ancestors, base-uri, form-action).
  • The permissions-policy check verifies the three most-leaked sensitive features (camera, microphone, geolocation). Other features (payment, USB, etc.) are not yet covered.

Pricing

payPerEvent: 0 (free) by default. To charge per check, add Actor.charge({ eventName: 'header_check', count }) and configure Pay Per Event.

Run locally

echo '{"urls":["https://apify.com"]}' > input.json
npm start -- --input-file input.json

Tests

$npm test

20 unit tests cover all six header checks, the score formula, and case-insensitive header matching.

Support

Open an issue on the Apify Actor page. Custom CSP/header audits (e.g. PCI-DSS profiles) are available on request.