URL: https://apify.com/pattonholdings/security-headers-scanner

Security Headers Scanner · Apify

Pricing: pay per usage

Security Headers Scanner

Grade any website's HTTP security headers: letter grade (A+ to F), severity breakdown, per-header pass/weak/missing status, and copy-paste config snippets for Nginx, Apache, Express, and Cloudflare. Port of the 33-user Chrome extension to a programmatic API.

Developer: Coleton Patton (Maintained by Community)

Actor stats: 0 bookmarked, 2 total users, 1 monthly active user, last modified 2 days ago


Direct port of the Security Headers Chrome extension (33 active users, organic CWS traction with zero marketing). Same evaluator logic, same scoring, same letter grade.

Use cases

  • Pre-launch security audit: grade a staging site before going live
  • Compliance dashboards: feed grades into your SOC2 / ISO27001 evidence pipeline
  • Vendor security review: score third-party services your stack depends on
  • Hosting provider QA: check that your edge config actually shipped the headers you configured

Input

{
  "url": "https://example.com"
}

Or batch mode:

{
  "urls": [
    "https://example.com",
    "https://stripe.com",
    "https://github.com"
  ]
}

Max 1000 URLs per run.

Output (per URL)

{
  "url": "https://example.com",
  "finalUrl": "https://example.com",
  "httpStatus": 200,
  "grade": "B",
  "percentage": 74,
  "score": 67,
  "maxScore": 90,
  "criticalIssues": 1,
  "importantIssues": 1,
  "optionalIssues": 0,
  "headers": [
    {
      "name": "Content-Security-Policy",
      "status": "weak",
      "value": "script-src 'self' 'unsafe-inline'",
      "severity": "critical",
      "deprecated": false,
      "recommendation": "Set a restrictive policy..."
    }
    /* ... 9 more ... */
  ],
  "rawHeaders": { "...": "..." },
  "plainTextReport": "Security Headers Report\nURL: ...",
  "scannedAt": "2026-05-15T22:00:00.000Z",
  "scannerVersion": "1.3.0"
}

Headers checked

Ten security-relevant HTTP response headers:

Header                        | Severity  | Weight
Content-Security-Policy       | critical  | 15
Strict-Transport-Security     | critical  | 15
X-Content-Type-Options        | important | 10
X-Frame-Options               | critical  | 10
Referrer-Policy               | important | 8
Permissions-Policy            | important | 8
Cross-Origin-Opener-Policy    | optional  | 7
Cross-Origin-Resource-Policy  | optional  | 7
Cross-Origin-Embedder-Policy  | optional  | 7
X-XSS-Protection (deprecated) | optional  | 3

The weights sum to 90, which is the maxScore reported in the output.

Grading

  • A+ (95-100%): top-tier, exceeds best practices
  • A (85-94%): strong, minor gaps
  • B (70-84%): adequate, weak in 2-3 areas
  • C (55-69%): incomplete, multiple missing headers
  • D (40-54%): significant gaps
  • F (< 40%): no meaningful security headers

Evaluator strictness (v1.3.0)

This version uses the strict evaluators that match Mozilla Observatory and securityheaders.com baselines:

  • Content-Security-Policy containing 'unsafe-inline' OR 'unsafe-eval' → weak
  • Referrer-Policy values outside the strict allowlist (e.g. origin, no-referrer-when-downgrade) → weak
  • Permissions-Policy with any wildcard * directive → weak

Earlier scanner versions were more lenient. If you're comparing against scans from before May 2026, expect some grades to drop; these are corrections, not regressions in your security posture.
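To make the header table, the grading thresholds and the v1.3.0 evaluator rules above concrete, here is a small JavaScript grader written for this page. It is an added example, not the actor's or the Chrome extension's own code, and it does not reproduce their exact scoring: the partial-credit rule for "weak" headers (half weight, rounded down), the contents of the Referrer-Policy allowlist, and the checks for Strict-Transport-Security, X-Content-Type-Options and X-Frame-Options are my own assumptions, marked as such in the comments. The sample response headers at the bottom are constructed, not captured from any real site.

```javascript
// Added example (not the actor's code): grader built from the header table,
// grading thresholds and v1.3.0 evaluator rules on this page. Items marked
// "assumption" are mine, not documented behaviour of the actor.

// Header table as given on the page (weights sum to the page's maxScore of 90).
const HEADERS = [
  { name: "Content-Security-Policy",      severity: "critical",  weight: 15 },
  { name: "Strict-Transport-Security",    severity: "critical",  weight: 15 },
  { name: "X-Content-Type-Options",       severity: "important", weight: 10 },
  { name: "X-Frame-Options",              severity: "critical",  weight: 10 },
  { name: "Referrer-Policy",              severity: "important", weight: 8 },
  { name: "Permissions-Policy",           severity: "important", weight: 8 },
  { name: "Cross-Origin-Opener-Policy",   severity: "optional",  weight: 7 },
  { name: "Cross-Origin-Resource-Policy", severity: "optional",  weight: 7 },
  { name: "Cross-Origin-Embedder-Policy", severity: "optional",  weight: 7 },
  { name: "X-XSS-Protection",             severity: "optional",  weight: 3, deprecated: true },
];

// Assumption: the "strict allowlist" for Referrer-Policy. The page only says that
// origin and no-referrer-when-downgrade fall outside it.
const REFERRER_ALLOWLIST = new Set([
  "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin",
]);

// Classify one header value as "pass", "weak" or "missing".
function evaluate(name, value) {
  if (value === undefined || value === null || String(value).trim() === "") return "missing";
  const v = String(value).trim().toLowerCase();
  switch (name) {
    case "Content-Security-Policy":
      // Page rule: 'unsafe-inline' OR 'unsafe-eval' anywhere in the policy -> weak.
      return /'unsafe-inline'|'unsafe-eval'/.test(v) ? "weak" : "pass";
    case "Referrer-Policy":
      // Page rule: any value outside the strict allowlist -> weak. A comma-separated
      // fallback list is valid syntax, so every token must be on the allowlist.
      return v.split(",").map((t) => t.trim()).every((t) => REFERRER_ALLOWLIST.has(t))
        ? "pass" : "weak";
    case "Permissions-Policy":
      // Page rule: any wildcard (*) directive -> weak. Origins in this header never
      // contain an asterisk, so any "*" is a wildcard allowlist.
      return v.includes("*") ? "weak" : "pass";
    case "Strict-Transport-Security": {
      // Assumption: an absent or zero max-age makes HSTS ineffective -> weak.
      const m = /max-age=(\d+)/.exec(v);
      return m && Number(m[1]) > 0 ? "pass" : "weak";
    }
    case "X-Content-Type-Options":
      // Assumption: the only meaningful value is "nosniff".
      return v === "nosniff" ? "pass" : "weak";
    case "X-Frame-Options":
      // Assumption: DENY or SAMEORIGIN pass; anything else (e.g. ALLOW-FROM) is weak.
      return v === "deny" || v === "sameorigin" ? "pass" : "weak";
    default:
      return "pass";
  }
}

// Grading thresholds exactly as listed on the page.
function gradeFor(percentage) {
  if (percentage >= 95) return "A+";
  if (percentage >= 85) return "A";
  if (percentage >= 70) return "B";
  if (percentage >= 55) return "C";
  if (percentage >= 40) return "D";
  return "F";
}

// Score a raw header map; names are matched case-insensitively, as HTTP requires.
function scanHeaders(rawHeaders) {
  const lookup = {};
  for (const [k, v] of Object.entries(rawHeaders)) lookup[k.toLowerCase()] = v;
  const issues = { critical: 0, important: 0, optional: 0 };
  const headers = [];
  let score = 0;
  let maxScore = 0;
  for (const h of HEADERS) {
    const value = lookup[h.name.toLowerCase()];
    const status = evaluate(h.name, value);
    maxScore += h.weight;
    if (status === "pass") score += h.weight;
    else if (status === "weak") score += Math.floor(h.weight / 2); // assumption: weak = half credit
    if (status !== "pass") issues[h.severity] += 1;
    headers.push({ name: h.name, status, value: value ?? null,
                   severity: h.severity, deprecated: Boolean(h.deprecated) });
  }
  const percentage = Math.round((score / maxScore) * 100);
  return {
    grade: gradeFor(percentage), percentage, score, maxScore,
    criticalIssues: issues.critical, importantIssues: issues.important,
    optionalIssues: issues.optional, headers,
  };
}

// Constructed sample response headers (not captured from any real site).
const SAMPLE_HEADERS = {
  "content-security-policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  "X-Content-Type-Options": "nosniff",
  "X-Frame-Options": "DENY",
  "Referrer-Policy": "no-referrer-when-downgrade",
  "Permissions-Policy": "geolocation=(), camera=(*)",
  "Cross-Origin-Opener-Policy": "same-origin",
};

console.log(JSON.stringify(scanHeaders(SAMPLE_HEADERS), null, 2));
```

Run with `node grader.js`. On the constructed sample the CSP is weak (critical), Referrer-Policy and Permissions-Policy are weak (important), and the three remaining optional headers are missing, so the site scores 57/90, 63%, grade C. Note that one critical and two important findings are enough to pull a site with HSTS, nosniff and DENY all correctly set down to a C, which is the point of weighting: a permissive CSP undoes much of what the other headers buy.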

Pricing

  • Free tier: 100 scans/month
  • Standard: $0.005 per URL scanned
  • Subscription: $19/month for 10,000 scans

Author

Built and maintained by Peak Post. Open source code at peakpost.ca.
