Pricing

from $7.00 / 1,000 results

Go to Apify Store

Security Headers Checker API | OWASP Audit

Try for free

Audit OWASP security headers in bulk, grade each site, and monitor header drift across client or product portfolios.

Pricing

from $7.00 / 1,000 results

Rating

0.0

(0)

Developer

太郎山田

Actor stats

Bookmarked

Total users

Monthly active users

6 days ago

Last modified

Store Quickstart

Start with store-input.example.json to validate grading and output shape on three known URLs.
If that matches your workflow, switch to store-input.templates.json and pick one of:
- Quickstart (Dataset) for a cheap first run
- Batch Audit for broader site portfolios
- Weekly Compliance Monitor for recurring audits with snapshots
- Webhook Alert for automated compliance notifications

The Store example keeps the first run small and deterministic while still returning the full scoring structure.

Who gets value fastest?

Team	Why
Security teams	Catch header regressions before or after releases
Agencies / MSPs	Audit many client sites on a repeatable schedule
Platform teams	Track hardened baselines across product domains

What does this actor do?

Sends a simple HTTP HEAD request to each URL and evaluates 10 OWASP-recommended security headers. Each site gets a score (0-100) and grade (A-F) with actionable fix suggestions.

Key Features

🛡️ 10 OWASP headers checked — HSTS, CSP, X-Frame-Options, Referrer-Policy, and more
📊 Security scoring — 0-100 with A-F grade per site
💡 Fix recommendations — Exact header values to add (e.g., Strict-Transport-Security: max-age=31536000)
🔄 Change tracking — Detects grade/score changes between runs
📋 Bulk processing — Check up to 200 URLs per run
🪝 Webhook + CI/CD — Use in security pipelines

Suggested recurring monitoring cadence

Weekly portfolio sweeps using snapshotKey to track score drift
Release-day checks on staging or production domains before rollout sign-off
Webhook delivery for only the domains that regress and need action

Pair with dns-dmarc-security-checker for domain-level email security posture
Pair with ssl-certificate-monitor for expiry and issuer monitoring
Use the trio as a recurring compliance workflow for client or internal portfolios

Headers Checked

Header	Weight	Why It Matters
Strict-Transport-Security (HSTS)	20	Forces HTTPS
Content-Security-Policy (CSP)	20	Prevents XSS
X-Content-Type-Options	10	Prevents MIME sniffing
X-Frame-Options	10	Prevents clickjacking
Referrer-Policy	10	Controls referrer leakage
Permissions-Policy	10	Restricts browser features
X-XSS-Protection	5	Legacy XSS filter
Cross-Origin-Opener-Policy	5	Isolates browsing context
Cross-Origin-Resource-Policy	5	Controls resource sharing
X-DNS-Prefetch-Control	5	Controls DNS prefetching

Input Example

{
  "urls": ["https://google.com", "https://github.com", "https://example.com"],
  "followRedirects": true,
  "concurrency": 5
}

Output Example

{
  "url": "https://github.com",
  "score": { "total": 75, "grade": "B" },
  "statusCode": 200,
  "headers": {
    "strict-transport-security": "max-age=31536000; includeSubdomains; preload",
    "x-frame-options": "deny",
    "x-content-type-options": "nosniff"
  },
  "score": {
    "total": 75,
    "grade": "B",
    "details": [
      { "header": "strict-transport-security", "status": "pass", "points": 20 },
      { "header": "content-security-policy", "status": "missing", "points": 0, "note": "Missing. Add a Content-Security-Policy header" }
    ]
  }
}

A fuller ready-to-share payload is available in sample-output.example.json for Store and README proof.

Cost

Zero external costs. Simple HTTP HEAD requests — no API keys, no proxies. A run checking 100 URLs takes ~15 seconds.

Store Listing Ops

npm run store:optimize
npm run store:kpi

Commercial Ops

Set up .env first:

$cp -n .env.example .env

Cloud Task/Schedule setup (idempotent):

$npm run apify:cloud:setup

Daily reliability checks:

npm run canary:check
npm run contract:test:live

OpenClaw cron commands:

openclaw-cron-commands.md

dns-dmarc-security-checker — add DNS, SPF, DKIM, and DMARC checks for the same client/domain set.
ssl-certificate-monitor — catch TLS expiry and issuer drift on the same sites.
rdap-domain-monitor — track registrar and ownership changes behind the same web properties.

Security Headers Checker

pillowy_travel/security-headers-checker

Analyze HTTP security headers of websites and generate a security score. Detect missing headers like CSP, HSTS, X-Frame-Options, and more. Perfect for web security audits, vulnerability checks, learning, and automated monitoring.

SAHIL KUMAR

HTTP Headers Security Checker

automation-lab/http-headers-security-checker

This actor checks 12 HTTP security headers for any list of websites and produces a security grade with actionable findings. It identifies missing headers, weak configurations, and provides specific recommendations. Use it for security audits, compliance checks, or monitoring your web...

Stas Persiianenko

Website Security & Vulnerability Audit

smart-digital/website-security-vulnerability-audit

Automated security and vulnerability audit for websites. Detects WordPress plugin vulnerabilities, checks for updates, analyzes SSL/TLS, security headers, and CMS security

My Smart Digital

5.0

HTTP Security Headers Analyzer

andok/security-headers-analyzer

Audit HTTP response headers (CSP, HSTS, X-Frame-Options) to verify web application security and compliance standards.

Andok

Security Headers Checker - Audit CSP, HSTS, XFO and more

scrappy_garden/security-headers-checker

Check common HTTP security headers for one or more URLs (Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP/COEP/CORP). Useful for quick security hardening audits.

Bikram Adhikari

Http Header Inspector

zerobreak/http-header-inspector

HTTP header inspector that pulls response headers from any URL, scores them for security gaps, and flags missing CSP, HSTS, and X-Frame-Options, so teams can audit caching, redirects, and server config without running curl.

ZeroBreak

CORS Policy Checker - Audit Access-Control-* headers

scrappy_garden/cors-policy-checker

Check CORS response headers (Access-Control-Allow-Origin, -Credentials, -Methods, -Headers, -Expose-Headers, -Max-Age, Vary: Origin) for one or more URLs. Optionally performs a preflight OPTIONS check. Useful for debugging browser/API integrations and spotting risky CORS misconfigurations.

Bikram Adhikari

HSTS Header Checker - Strict-Transport-Security audit

scrappy_garden/hsts-header-checker

Fetches URLs and validates the Strict-Transport-Security (HSTS) response header. Parses directives (max-age/includeSubDomains/preload), flags missing/invalid configuration, and checks common best practices. Outputs per-URL results plus SUMMARY and REPORT.

Bikram Adhikari

DNS / SPF / DKIM / DMARC Audit API

taroyamada/dns-dmarc-security-checker

Audit SPF, DKIM, DMARC, and MX in bulk with grades, fix-ready recommendations, and recurring email-security monitoring.

太郎山田

Security.txt Checker

automation-lab/security-txt-checker

This actor checks websites for a security.txt file as defined by RFC 9116. It looks in `/.well-known/security.txt` and `/security.txt`, parses contact information, encryption keys, expiration dates, and validates compliance with the standard.

Stas Persiianenko