Pricing

from $7.00 / 1,000 results

🛡️ Security Headers Checker

Audit HTTP security headers in bulk across hundreds of websites. Extract OWASP compliance grades and detect missing HSTS or CSP directives instantly.

Pricing

from $7.00 / 1,000 results

Rating

0.0

(0)

Developer

太郎山田

Actor stats

Bookmarked

Total users

Monthly active users

6 days ago

Last modified

Security Headers Checker API | OWASP Audit

Audit HTTP responses across hundreds of target websites instantly using this high-performance security headers checker. Engineering and DevSecOps teams rely on this solution to extract critical security header data and automatically assess their web infrastructure against strict OWASP guidelines. Instead of relying on manual browser checks or building custom scrapers, you can schedule weekly bulk audits to continuously monitor your corporate portfolio for server configuration regressions. By feeding it a list of URLs, the auditor visits each website, analyzes the HTTP headers, and grades every response on a precise 0-100 scale. It assigns a clear A-F score while pinpointing critical missing directives such as HSTS, Content-Security-Policy, X-Content-Type-Options, and X-Frame-Options. Security researchers utilize these structured JSON results to track compliance score changes over time and integrate alerts directly into CI/CD pipelines to warn developers immediately when a new vulnerability is introduced into the environment. Whether you are aiming to improve site trust for SEO or enforcing strict pipeline compliance, every run outputs exact fix recommendations, the overall security grade, and a complete breakdown of successful and failed header checks. Run the tool to scrape compliance details and export data seamlessly.

Store Quickstart

Start with store-input.example.json to validate grading and output shape on three known URLs.
If that matches your workflow, switch to store-input.templates.json and pick one of:
- Quickstart (Dataset) for a cheap first run
- Batch Audit for broader site portfolios
- Weekly Compliance Monitor for recurring audits with snapshots
- Webhook Alert for automated compliance notifications

Key Features

🛡️ 10 OWASP headers checked — HSTS, CSP, X-Frame-Options, Referrer-Policy, and more
📊 Security scoring — 0-100 with A-F grade per site
💡 Fix recommendations — Exact header values to add (e.g., Strict-Transport-Security: max-age=31536000)
🔄 Change tracking — Detects grade/score changes between runs
📋 Bulk processing — Check up to 200 URLs per run
🪝 Webhook + CI/CD — Use in security pipelines

Use Cases

Who	Why
Developers	Automate recurring data fetches without building custom scrapers
Data teams	Pipe structured output into analytics warehouses
Ops teams	Monitor changes via webhook alerts
Product managers	Track competitor/market signals without engineering time

Input

Field	Type	Default	Description
urls	array	prefilled	List of URLs to audit security headers for. Maximum 200 per run.
followRedirects	boolean	`true`	Follow HTTP redirects and check the final URL's headers.
delivery	string	`"dataset"`	How to deliver results. 'dataset' saves to Apify Dataset (recommended), 'webhook' sends to a URL.
webhookUrl	string	—	Webhook URL to send results to (only used when delivery is 'webhook'). Works with Slack, Discord, or any HTTP endpoint.
snapshotKey	string	`"security-headers-snapshots"`	Key name for storing snapshots (used for change detection between runs).
concurrency	integer	`5`	Maximum number of parallel requests. Higher = faster but may trigger rate limits.
dryRun	boolean	`false`	If true, runs without saving results or sending webhooks. Useful for testing.

Input Example

{
  "urls": ["https://google.com", "https://github.com", "https://example.com"],
  "followRedirects": true,
  "concurrency": 5
}

Output

Field	Type	Description
`meta`	object
`results`	array
`results[].url`	string (url)
`results[].finalUrl`	string (url)
`results[].statusCode`	number
`results[].headers`	object
`results[].score`	object
`results[].changes`	array
`results[].error`	null
`results[].checkedAt`	timestamp

Output Example

{
  "url": "https://github.com",
  "score": { "total": 75, "grade": "B" },
  "statusCode": 200,
  "headers": {
    "strict-transport-security": "max-age=31536000; includeSubdomains; preload",
    "x-frame-options": "deny",
    "x-content-type-options": "nosniff"
  },
  "score": {
    "total": 75,
    "grade": "B",
    "details": [
      { "header": "strict-transport-security", "status": "pass", "points": 20 },
      { "header": "content-security-policy", "status": "missing", "points": 0, "note": "Missing. Add a Content-Security-Policy header" }
    ]
  }
}

API Usage

Run this actor programmatically using the Apify API. Replace YOUR_API_TOKEN with your token from Apify Console → Settings → Integrations.

cURL

curl -X POST "https://api.apify.com/v2/acts/taroyamada~security-headers-checker/run-sync-get-dataset-items?token=YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{ "urls": ["https://google.com", "https://github.com", "https://example.com"], "followRedirects": true, "concurrency": 5 }'

Python

from apify_client import ApifyClient

client = ApifyClient("YOUR_API_TOKEN")
run = client.actor("taroyamada/security-headers-checker").call(run_input={
  "urls": ["https://google.com", "https://github.com", "https://example.com"],
  "followRedirects": true,
  "concurrency": 5
})

for item in client.dataset(run["defaultDatasetId"]).iterate_items():
    print(item)

JavaScript / Node.js

import { ApifyClient } from 'apify-client';

const client = new ApifyClient({ token: 'YOUR_API_TOKEN' });
const run = await client.actor('taroyamada/security-headers-checker').call({
  "urls": ["https://google.com", "https://github.com", "https://example.com"],
  "followRedirects": true,
  "concurrency": 5
});

const { items } = await client.dataset(run.defaultDatasetId).listItems();
console.log(items);

Tips & Limitations

Schedule weekly runs against your production domains to catch config drift.
Use webhook delivery to pipe findings into your SIEM (Splunk, Datadog, Elastic).
For CI integration, block releases on critical severity findings using exit codes.
Combine with ssl-certificate-monitor for layered cert + headers coverage.
Findings include links to official remediation docs — share with dev teams via the webhook payload.

FAQ

Is running this against a third-party site legal?

Passive public-header scanning is generally permitted, but follow your own compliance policies. Only scan sites you have authorization for.

How often should I scan?

Weekly for production domains; daily if you have high config-change velocity.

Can I export to a compliance tool?

Use webhook delivery or Dataset API — formats map well to Drata, Vanta, OneTrust import templates.

Is this a penetration test?

No — this actor performs passive compliance scanning only. No exploitation, fuzzing, or auth bypass.

Does this qualify as a SOC2 control?

This actor produces evidence artifacts suitable for SOC2 CC7.1 (continuous monitoring). It is not itself a SOC2 certification.

Security & Compliance cluster — explore related Apify tools:

Privacy & Cookie Compliance Scanner | GDPR / CCPA Banner Audit — Scan public privacy pages and cookie banners for GDPR/CCPA compliance signals.
SSL Certificate Monitor API | Expiry + Issuer Changes — Check SSL/TLS certificates in bulk, detect expiry and issuer changes, and emit alert-ready rows for ops and SEO teams.
DNS / SPF / DKIM / DMARC Audit API — Bulk-audit domains for SPF, DKIM, DMARC, MX, and email-auth posture with grades and fix-ready recommendations.
robots.txt AI Policy Monitor | GPTBot ClaudeBot — Detect GPTBot, ClaudeBot, Google-Extended, and other AI crawler policies in robots.
Data Breach Disclosure Monitor | HIPAA Breach Watch — Monitor the HHS OCR Breach Portal for new HIPAA data breach disclosures.
WCAG Accessibility Checker API | ADA & EAA Compliance Audit — Audit websites for WCAG 2.
📜 Open-Source License & Dependency Audit API — Audit npm packages for license risk, dependency depth, maintainer activity, and compliance posture.
Trust Center & Subprocessor Monitor API — Monitor vendor trust centers, subprocessor lists, DPA updates, and security posture changes.

Cost

Pay Per Event:

actor-start: $0.01 (flat fee per run)
dataset-item: $0.003 per output item

Example: 1,000 items = $0.01 + (1,000 × $0.003) = $3.01

No subscription required — you only pay for what you use.

⭐ Was this helpful?

If this actor saved you time, please leave a ★ rating on Apify Store. It takes 10 seconds, helps other developers discover it, and keeps updates free.

Bug report or feature request? Open an issue on the Issues tab of this actor.

Security Headers Checker

pillowy_travel/security-headers-checker

Analyze HTTP security headers of websites and generate a security score. Detect missing headers like CSP, HSTS, X-Frame-Options, and more. Perfect for web security audits, vulnerability checks, learning, and automated monitoring.

SAHIL KUMAR

HTTP Security Headers Analyzer

andok/security-headers-analyzer

Audit HTTP response headers (CSP, HSTS, X-Frame-Options) to verify web application security and compliance standards.

Andok

HTTP Headers Security Checker

automation-lab/http-headers-security-checker

This actor checks 12 HTTP security headers for any list of websites and produces a security grade with actionable findings. It identifies missing headers, weak configurations, and provides specific recommendations. Use it for security audits, compliance checks, or monitoring your web...

Stas Persiianenko

Security Headers Checker - HTTP Security Audit

pink_comic/security-headers-checker

HTTP security header audit for HSTS, CSP, X-Frame-Options, and more. Grade your website security posture against best practices. For penetration testing, compliance checks, and web hardening. No API key required.

Ava Torres

Security Headers Checker — OWASP Audit & Grading

accurate_pouch/security-headers

Audit 12 HTTP security headers (HSTS, CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy, COOP, CORP, COEP). A-F grading, actionable recommendations. 5 URLs free.

Manchitt Sanan

HTTP Security Headers Audit

mbeato/apimesh-security-headers

Audit 10 HTTP security headers with A+ to F grading. Checks CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and more.

Maximus Beato

HTTP Headers Data Scraper - BuiltWith Alternative

fatihai-tools/http-headers-checker

Check data from HTTP Headers fast. Bulk URL or query input, structured JSON/CSV output, no login required. Free trial — perfect alternative to BuiltWith, SecurityHeaders. Use for lead generation, market research, competitive analysis.

fatih dağüstü

Security Headers Checker - Audit CSP, HSTS, XFO and more

scrappy_garden/security-headers-checker

Check common HTTP security headers for one or more URLs (Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP/COEP/CORP). Useful for quick security hardening audits.

Bikram Adhikari

Website Security & Vulnerability Audit

smart-digital/website-security-vulnerability-audit

Automated security and vulnerability audit for websites. Detects WordPress plugin vulnerabilities, checks for updates, analyzes SSL/TLS, security headers, and CMS security

My Smart Digital

5.0

Http Header Inspector

zerobreak/http-header-inspector

HTTP header inspector that pulls response headers from any URL, scores them for security gaps, and flags missing CSP, HSTS, and X-Frame-Options, so teams can audit caching, redirects, and server config without running curl.