Pricing

Rating

Developer

Actor stats

Categories

Share

Bulk SSL Certificate & Security Headers Checker (HTTP Probe)

A bulk SSL certificate checker and security headers checker in a single record per URL: TLS certificate and expiry monitoring, security-header grade (A+ through F), HSTS and CSP audit, redirect chain, TTFB, HTTP/2 and HTTP/3 negotiation, and IPv6 reachability. Pure Node, no browser, no proxies.

SSL Certificate Monitoring & Security Headers Features

• TLS certificate capture: issuer, subject, validity window, daysToExpiry, signature algorithm, SAN list, serial number, OCSP stapling.
• Security-header grading modeled after securityheaders.com — A+ / A / B / C / D / F across the standard nine (CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP, COEP, CORP).
• Lists every missing header so you can hand the row to a developer and say "this".
• Full redirect-chain capture (up to 10 hops) with status codes and from/to.
• HTTP/2 detection via ALPN, HTTP/3 detection via the Alt-Svc header.
• Optional IPv6 reachability probe — resolves AAAA, opens a family:6 TLS connection, records the boolean.
• Bare hosts auto-prefix to https://. Duplicates are removed before probing.

Who Uses Site Health Probe Data?

• DevOps and SRE — track SSL expiry windows across portfolios so a forgotten cert never takes a service down.
• Security teams — audit CSP, HSTS, and frame-ancestors posture across thousands of subdomains in one run.
• CI pipelines — fail a build when a deployment regresses on security headers or HTTPS posture.
• Penetration testers — bulk-fingerprint TLS, HTTP/2, HTTP/3, and IPv6 surface area before a deeper engagement.
• Compliance auditors — produce evidence of TLS hygiene across a portfolio without writing a custom probe each quarter.

How HTTP Probe Works

1. Pass in a list of URLs (or bare hosts; they auto-prefix to https://). Duplicates are dropped.
2. For each URL the actor runs a TLS handshake (with ALPN h2 negotiation), then issues an HTTP request — preferring HTTP/2 when negotiated, falling back to HTTP/1.1.
3. If followRedirects is on, every hop is captured and walked up to 10 levels with cycle detection.
4. The header grader checks the configured set, computes the A+ through F grade, and the row also records HTTP/3 (Alt-Svc) and optional IPv6 reachability.

Input

{
"urls":["https://example.com/","https://github.com/","https://cloudflare.com/"],
"maxItems":5,
"followRedirects":true,
"checkHeaders":[
"content-security-policy",
"strict-transport-security",
"x-frame-options",
"x-content-type-options",
"referrer-policy",
"permissions-policy",
"cross-origin-opener-policy",
"cross-origin-embedder-policy",
"cross-origin-resource-policy"
],
"runIPv6":false,
"timeoutSec":15,
"concurrency":25
}

SSL & Security Headers Output Fields

{
"url":"https://cloudflare.com/",
"finalUrl":"https://www.cloudflare.com/",
"status":200,
"redirectChain":["301 https://cloudflare.com/ -> https://www.cloudflare.com/"],
"ttfbMs":142,
"totalMs":487,
"ssl":{
"subject":"Cloudflare, Inc. / cloudflare.com",
"issuer":"Google Trust Services / WE1",
"validFrom":"2026-03-12T20:59:51.000Z",
"validTo":"2026-06-10T21:59:46.000Z",
"daysToExpiry":41,
"sigAlg":"prime256v1",
"sans":["cloudflare.com","*.cloudflare.com"],
"serialNumber":"AABBCC",
"ocspStapling":true
},
"headers":{
"raw":{
"strict-transport-security":"max-age=63072000; includeSubDomains; preload",
"content-security-policy":"default-src 'self'"
},
"missingSecurity":["cross-origin-embedder-policy"],
"gradeApprox":"B"
},
"http2":true,
"http3":true,
"ipv6Reachable":false,
"probedAt":"2026-04-30T12:00:00.000Z",
"error":""
}

Grade rules

• A+ — every wanted header present, HSTS includes preload, HSTS max-age >= 1 year, CSP defined and free of unsafe-inline / unsafe-eval.
• A — every wanted header present, no A+ bonus.
• B — 7-8 of 9 present.
• C — 5-6 present.
• D — 3-4 present.
• F — fewer than 3 present, or no headers received at all.

Pricing

Two events. Basic probes are cheap. Full audits — runIPv6=true AND followRedirects=true AND the full standard nine headers graded — bill at the premium rate because they spend more time on the wire.

Limits

• maxItems caps at 10,000 per run.
• The Apify console tester has a 5-minute timeout — keep maxItems low (default 5) for in-browser testing.
• concurrency caps at 50 to avoid socket exhaustion on the runner.
• TLS handshake timeout is fixed at 8 seconds. HTTP request timeout defaults to 15 s, max 60 s.
• Up to 10 redirects per URL; cycles are detected via the visited-set and short-circuited.
• IPv6 reachability is opt-in. Many runners have IPv6 disabled at the host level — if you need definitive IPv6 results, run on a runner you control.

FAQ

How do I check SSL certificate expiry for many sites at once? Pass your list of URLs and read ssl.daysToExpiry on each output row. One run grades the whole portfolio, so a forgotten cert surfaces before it expires.

Related Actors

• DNS Domain Audit — pair for full DNS + WHOIS + email-auth + TLS posture per domain.
• Sitemap Walker Pro — discover URLs across a site, then probe each one.
• Structured Data Validator Pro — combine for SEO + security audits in the same run.

Need More Features?

Useful queued additions: TLS cipher details, certificate-chain depth, HSTS preload-list lookup, CT-log SCT count, MTA-STS / TLS-RPT, BIMI, CAA enforcement check. File an issue to vote one up.

Why Use SSL & Security Headers Checker?

• One row, full picture — TLS, headers, redirects, HTTP/2/3, IPv6, and timings in a single record. Sortable, filterable, and ready for a dashboard.
• Cheap at scale — $0.002 per basic probe. 10,000 sites for $20 puts the spreadsheet you've been maintaining out of business.
• No browser — pure Node sockets. Faster, cheaper, and less brittle than driving a Chromium for what is, fundamentally, a TLS handshake and a HEAD request.

Built by OrbTop.