HTTP Security Headers Analyzer

Pricing

$1.00 / 1,000 url scans

Try for free

Go to Apify Store

👁 HTTP Security Headers Analyzer

HTTP Security Headers Analyzer

Try for free

Audit HTTP response headers (CSP, HSTS, X-Frame-Options) to verify web application security and compliance standards.

Pricing

$1.00 / 1,000 url scans

Rating

0.0

(0)

Developer

👁 Andok

Andok

Maintained by Community

Actor stats

Bookmarked

Total users

Monthly active users

3 months ago

Last modified

Security Headers Analyzer

Audit HTTP security headers against OWASP best practices across hundreds of URLs in a single run. Missing headers like HSTS, CSP, and X-Frame-Options are the most common findings in penetration tests — yet most teams only discover them after an incident. Scan your entire domain inventory in minutes with automatic grading from A to F.

Features

OWASP header checks — validates HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP, CORP, and COEP
Automatic grading — assigns a score (0-100) and letter grade (A-F) based on header coverage and configuration quality
Actionable warnings — flags weak configurations like unsafe-inline in CSP or missing max-age in HSTS
Bulk processing — scan hundreds of URLs concurrently in a single run
Redirect-aware — optionally follows redirects and reports the full redirect chain
Flexible HTTP method — use HEAD for speed or GET for servers that block HEAD requests

Input

Field	Type	Required	Default	Description
`urls`	`array`	No	`["https://google.com"]`	List of URLs to analyze for security headers
`url`	`string`	No	—	Single URL to analyze (use `urls` for bulk scanning)
`method`	`string`	No	`HEAD`	HTTP method to use. HEAD is faster; switch to GET if a server blocks HEAD requests
`followRedirects`	`boolean`	No	`true`	Whether to follow HTTP redirects before analyzing headers
`maxRedirects`	`integer`	No	`5`	Maximum number of redirects to follow per URL (0-20)
`timeoutSeconds`	`integer`	No	`15`	Request timeout per URL in seconds (1-120)
`concurrency`	`integer`	No	`5`	Number of URLs to process in parallel (1-25)

Input Example

{
"urls":[
"https://google.com",
"https://github.com",
"https://example.com"
],
"method":"HEAD",
"followRedirects":true,
"concurrency":10
}

Output

Each URL produces one dataset record containing the security grade, score, list of missing and misconfigured headers, and all response headers for reference.

Key output fields:

inputUrl (string) — the URL as submitted
finalUrl (string) — the URL after redirects (if followed)
status (number) — HTTP status code
grade (string) — letter grade from A (excellent) to F (critical gaps)
score (number) — numeric score from 0 to 100
missing (array) — list of required headers that are absent
warnings (array) — list of configuration issues found
headers (object) — all response headers (lower-cased keys)
redirects (array) — redirect chain traversed
checkedAt (string) — ISO 8601 timestamp

Output Example

{
"inputUrl":"https://github.com",
"finalUrl":"https://github.com/",
"status":200,
"grade":"B",
"score":80,
"missing":[
"Referrer-Policy"
],
"warnings":[
"Missing Permissions-Policy.",
"Missing Cross-Origin-Opener-Policy (COOP).",
"Missing Cross-Origin-Resource-Policy (CORP).",
"Missing Cross-Origin-Embedder-Policy (COEP)."
],
"headers":{
"strict-transport-security":"max-age=31536000; includeSubdomains; preload",
"content-security-policy":"default-src 'none'; base-uri 'self'; ...",
"x-frame-options":"deny",
"x-content-type-options":"nosniff"
},
"redirects":["https://github.com/"],
"checkedAt":"2026-03-09T12:00:00.000Z"
}

Pricing

Event	Cost
URL Scan	$0.001

Pay only for URLs successfully scanned. Respects your per-run spending limit.

Use Cases

Penetration test prep — pre-scan client domains to identify missing security headers before a full engagement
Compliance audits — verify OWASP header requirements across all production endpoints for SOC 2 or ISO 27001
DevOps CI/CD checks — schedule regular scans to catch header regressions after deployments
Agency security reports — generate client-ready security grades for website portfolios
M&A due diligence — quickly assess the security posture of acquisition targets

Related Actors

Actor	What it adds
SSL Cipher Checker	Audit TLS cipher suites and protocol versions alongside header analysis
SSL Certificate Monitor	Monitor certificate expiry dates to complement header-level security checks
Tech Stack Analyzer	Identify the CMS, frameworks, and CDNs behind each scanned URL

👁 Security Headers Checker avatar

Security Headers Checker

pillowy_travel/security-headers-checker

Analyze HTTP security headers of websites and generate a security score. Detect missing headers like CSP, HSTS, X-Frame-Options, and more. Perfect for web security audits, vulnerability checks, learning, and automated monitoring.

👁 User avatar

SAHIL KUMAR

HTTP Security Headers Audit

mbeato/apimesh-security-headers

Audit 10 HTTP security headers with A+ to F grading. Checks CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and more.

👁 User avatar

Maximus Beato

Security Headers Checker API - HTTP Security Scanner

pink_comic/security-headers-checker

Security Headers Checker API for bulk HTTP security scans. Audit HSTS, CSP, X-Frame-Options, referrer and permissions policies, missing headers, website hardening gaps, and compliance posture. Returns grades, findings, and header evidence for security audits.

👁 User avatar

Ava Torres

👁 🛡️ Security Headers Checker avatar

🛡️ Security Headers Checker

taroyamada/security-headers-checker

Audit HTTP security headers in bulk across hundreds of websites. Extract OWASP compliance grades and detect missing HSTS or CSP directives instantly.

👁 User avatar

naoki anzai

Security Headers Checker - Audit CSP, HSTS, XFO and more

scrappy_garden/security-headers-checker

Check common HTTP security headers for one or more URLs (Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP/COEP/CORP). Useful for quick security hardening audits.

👁 User avatar

Bikram Adhikari

👁 Security Headers Checker — OWASP Audit & Grading avatar

Security Headers Checker — OWASP Audit & Grading

accurate_pouch/security-headers

Audit 12 HTTP security headers (HSTS, CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy, COOP, CORP, COEP). A-F grading, actionable recommendations. 5 URLs free.

👁 User avatar

Manchitt Sanan

👁 Http Header Inspector avatar

Http Header Inspector

zerobreak/http-header-inspector

HTTP header inspector that pulls response headers from any URL, scores them for security gaps, and flags missing CSP, HSTS, and X-Frame-Options, so teams can audit caching, redirects, and server config without running curl.

👁 User avatar

ZeroBreak

👁 HTTP Probe -- TLS, Security Headers, Redirects avatar

HTTP Probe -- TLS, Security Headers, Redirects

jungle_synthesizer/ssl-security-headers-checker

Bulk site-health probe: TLS certificate, security-header grading (CSP, HSTS, X-Frame-Options, Permissions-Policy + 5 others, A/B/C/D/F grade), redirect chain, TTFB, HTTP/2 + HTTP/3, IPv6 reachability. Built for devops, security, and CI pipelines.

👁 User avatar

BowTiedRaccoon

Public Security Headers & Cookie Surface Audit Agent

jacksu/public-security-headers-audit-agent

Audit public HTTP response security headers, HTTPS redirect behavior, and cookie attribute exposure without scanning, attacking, or storing cookie values.

👁 User avatar

jack su

👁 Website Security & Vulnerability Audit avatar

Website Security & Vulnerability Audit

smart-digital/website-security-vulnerability-audit

Automated security and vulnerability audit for websites. Detects WordPress plugin vulnerabilities, checks for updates, analyzes SSL/TLS, security headers, and CMS security

My Smart Digital

5.0

👁 Blog article image

How to send HTTP headers with cURL

👁 Blog article image

HTTP headers with Axios: a comprehensive guide

URL: https://apify.com/andok/security-headers-analyzer