Pricing

from $3.50 / 1,000 results

Bulk HTTP Security Headers Analyzer — CSP, HSTS & Score

Analyze HTTP security headers for thousands of URLs. Checks CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy and more. Returns pass/fail per header plus a numeric security score. No API key, export to CSV/JSON. Ideal for security audits and compliance scanning.

Pricing

from $3.50 / 1,000 results

Rating

0.0

(0)

Developer

Logiover

Actor stats

Bookmarked

Total users

Monthly active users

2 days ago

Last modified

Bulk HTTP Security Headers Analyzer 🛡️ — CSP, HSTS & Score

Audit HTTP security headers for thousands of URLs in one run. This bulk security header scanner checks every URL for Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Cross-Origin-Opener-Policy, Cross-Origin-Resource-Policy, Cross-Origin-Embedder-Policy and more. Each check is scored, totaled into a 0–100 security score, and graded from A+ to F.

Paste a list of URLs and the actor fetches their headers in parallel via HTTP HEAD — fast, lightweight, no page content downloaded. Every URL gets one row with pass/fail for each header, a list of missing headers, and an overall grade.

Looking for a security header checker, a CSP auditor, an HSTS scanner, a bulk HTTP security audit tool, or a free HTTP security analyzer API? This actor does all the checks at scale.

✨ Key features

🛡️ 11 security header checks — CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP, CORP, COEP, Server header leak, X-Powered-By leak.
🎯 Numeric score (0–100) — each check is weighted by security importance; get a total score and a letter grade (A+ to F).
📋 Pass / fail per header — every header gets its own boolean pass/fail column plus the raw header value.
🧩 HSTS deep parse — max-age, includeSubdomains and preload flags extracted separately.
🚨 Missing headers list — comma-separated list of which recommended security headers are absent.
🔍 Information leak checks — flags when Server and X-Powered-By headers expose stack details.
⚡ HEAD-only, no body — HTTP HEAD is fast; security headers are all in the response headers.
🔑 No API key — works out of the box with standard HTTP requests.

💡 Use cases

Security posture audits — scan your entire web portfolio and get a numeric score per URL; track improvement over time.
Compliance scanning — check for missing HSTS, CSP and other headers required by SOC 2, ISO 27001, PCI DSS.
Vendor risk assessment — score third-party SaaS tools and partners on their HTTP security hygiene.
Bug bounty recon — identify sites with weak or missing security headers that broaden attack surface.
DevSecOps CI/CD — run as a gate check after deployments to catch regressions in security header configuration.
Competitor benchmarking — compare your security header posture against competitors.

📦 What you get

Each row in the dataset is one URL's full security header report:

Field	Description
`url`	The analyzed URL
`finalUrl`	Final URL after any redirects
`statusCode`	HTTP status code
`securityScore`	Overall score from 0 (no headers) to 100 (all recommended headers well-configured)
`grade`	Letter grade: A+, A, B, C, D, F
`cspHeader`	Content-Security-Policy value or `not set`
`cspPass`	`true` if CSP is present and well-formed
`cspReportOnly`	CSP-Report-Only value if present
`hstsHeader`	Strict-Transport-Security value or `not set`
`hstsPass`	`true` if HSTS is present with max-age ≥ 1 year
`hstsMaxAge`	HSTS max-age value in seconds
`hstsIncludeSubdomains`	`true`/`false` — whether includeSubDomains is present
`hstsPreload`	`true`/`false` — whether the preload directive is present
`xFrameOptions`	X-Frame-Options value or `not set`
`xFrameOptionsPass`	`true` if set to DENY or SAMEORIGIN
`xContentTypeOptions`	X-Content-Type-Options value or `not set`
`xContentTypeOptionsPass`	`true` if set to nosniff
`referrerPolicy`	Referrer-Policy value or `not set`
`referrerPolicyPass`	`true` if a privacy-preserving policy is set
`permissionsPolicy`	Permissions-Policy value or `not set`
`permissionsPolicyPass`	`true` if Permissions-Policy is present
`crossOriginOpenerPolicy`	COOP value or `not set`
`crossOriginOpenerPolicyPass`	`true` if set to same-origin
`crossOriginResourcePolicy`	CORP value or `not set`
`crossOriginEmbedderPolicy`	COEP value or `not set`
`server`	Server header value — flagged if present (information leak)
`xPoweredBy`	X-Powered-By header value — flagged if present (information leak)
`cacheControl`	Cache-Control value
`missingHeaders`	Comma-separated recommended headers that are absent
`passCount`	Number of checks passed
`totalChecks`	Total number of checks performed (11)
`latencyMs`	Time taken for the HTTP request in milliseconds
`checkedAt`	ISO 8601 timestamp

Example output

[
  {
    "url": "https://github.com",
    "finalUrl": "https://github.com/",
    "statusCode": "200",
    "securityScore": "78",
    "grade": "B",
    "cspHeader": "default-src 'none'; ...",
    "cspPass": "true",
    "hstsHeader": "max-age=31536000; includeSubdomains; preload",
    "hstsPass": "true",
    "hstsMaxAge": "31536000",
    "hstsIncludeSubdomains": "true",
    "hstsPreload": "true",
    "xFrameOptions": "deny",
    "xFrameOptionsPass": "true",
    "xContentTypeOptions": "nosniff",
    "xContentTypeOptionsPass": "true",
    "referrerPolicy": "origin-when-cross-origin, strict-origin-when-cross-origin",
    "referrerPolicyPass": "true",
    "permissionsPolicy": "not set",
    "permissionsPolicyPass": "false",
    "crossOriginOpenerPolicy": "not set",
    "crossOriginOpenerPolicyPass": "false",
    "missingHeaders": "Permissions-Policy, Cross-Origin-Opener-Policy",
    "passCount": "8",
    "totalChecks": "11",
    "checkedAt": "2026-06-24T12:00:00.000Z"
  }
]

🚀 How to use it

Click Try for free / Start.
Paste your list of URLs into URLs to Analyze — one per line.
(Optional) Adjust Max Concurrency for large lists and keep Proxy enabled.
Click Save & Start, then export the dataset as JSON, CSV, Excel or via API.

⚙️ Input

Field	Type	Description	Default
`urls`	array (required)	URLs to scan for security headers. `https://` added automatically if missing.	–
`maxConcurrency`	integer	Parallel requests. Higher is faster.	`20` (max `100`)
`proxyConfiguration`	object	Proxy used for the HTTP requests.	Apify Proxy (datacenter)

Example input

{
  "urls": ["https://github.com", "https://stackoverflow.com", "https://example.com"],
  "maxConcurrency": 20,
  "proxyConfiguration": { "useApifyProxy": true }
}

🔍 How it works

For each URL, the actor sends an HTTP HEAD request (with automatic redirect following) and extracts every security-relevant header from the response. Each header is checked against a best-practice definition:

CSP — must be present and well-formed (length > 10 chars). Weight: 20.
HSTS — must have max-age ≥ 31,536,000 (1 year). Weight: 15.
X-Frame-Options — must be DENY or SAMEORIGIN. Weight: 12.
X-Content-Type-Options — must equal nosniff. Weight: 10.
Referrer-Policy — must restrict referrer data. Weight: 10.
Permissions-Policy — must be present. Weight: 8.
COOP / CORP / COEP — cross-origin isolation headers. Weight: 5 each.
Server / X-Powered-By — information leak: points if NOT present. Weight: 5 each.

Scores are weighted and normalized to 0–100, then mapped to a letter grade. The missingHeaders field lists every recommended header that's absent so you know exactly what to fix.

🧰 Tips & best practices

HTTPS-only URLs produce more meaningful results — plain HTTP sites won't return HSTS.
Filter by grade: "F" to prioritize the worst offenders first; filter by securityScore descending for a leaderboard.
Schedule recurring weekly runs and diff datasets to track security header improvements over time.
Parse the missingHeaders field to generate prioritized remediation tickets per URL.
Use maxConcurrency: 20 for large lists and keep Apify Proxy enabled.

❓ FAQ

How do I check security headers for many URLs?

Paste your full URL list into the URLs to Analyze field and run the actor once. It fetches headers from every URL in parallel and returns one row per URL with pass/fail for each of 11 checks.

Which security headers are checked?

CSP, HSTS (with max-age ≥1yr), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Cross-Origin-Opener-Policy, Cross-Origin-Resource-Policy, Cross-Origin-Embedder-Policy, plus Server and X-Powered-By information leak checks.

How is the security score calculated?

Each header check carries a weight based on its security impact (CSP=20, HSTS=15, etc.). The score is the weighted percentage of checks that pass, normalized to 0–100. Grade: A+ ≥90, A ≥80, B ≥70, C ≥50, D ≥30, F <30.

Can I export security header audits to CSV?

Yes — every URL is one row with dedicated columns for each header and its pass/fail status, so the dataset drops straight into a spreadsheet for reporting.

Does it follow redirects?

Yes — the actor follows up to 5 redirects automatically and reports the final URL in the finalUrl field, so http://example.com → https://example.com redirects are handled transparently.

Bulk SSL Certificate Checker — SSL/TLS certificate inspection (expiry, issuer, SANs, TLS versions, chain validation).
Bulk DNS Records Lookup — A, AAAA, MX, TXT, NS, CNAME, SOA, CAA for thousands of domains.
Bulk URL Status Checker — HTTP status codes, broken links and redirects for large URL lists.
Website SEO Audit Crawler — on-page SEO analysis for websites.

📝 Changelog

2026-06-24

Initial release — 11 security header checks with weighted scoring, A+ to F grading, no API key, CSV/JSON export.

HTTP Security Headers Analyzer — CSP, HSTS Grader

technicaldost/http-security-headers

Technical Dost Solutions

HTTP Security Headers Analyzer

andok/security-headers-analyzer

Audit HTTP response headers (CSP, HSTS, X-Frame-Options) to verify web application security and compliance standards.

Andok

OSINT Website Intelligence Analyzer

onescales/website-intelligence-analyzer-osint

All-in-one website analysis tool. Run 30 OSINT checks on any URL — DNS, SSL, WHOIS, tech stack, security headers, email security, open ports, and more. Get a complete site profile in seconds.

One Scales

5.0

(3)

DMARC & Email Security Checker

taroyamada/dns-dmarc-security-checker

Validate domain infrastructure in bulk to boost email deliverability. Extract DMARC policies, SPF records, and MX configurations to keep outreach out of spam.

naoki anzai

Website Performance Analyzer — Speed Test & Core Web Vitals

scrapeworks/website-performance-analyzer

Test website speed for any list of URLs: TTFB, load time, page weight, compression, redirects, caching and security headers — with a transparent 0-100 score and findings. Optionally adds the Google Lighthouse score and Core Web Vitals (FCP, LCP, CLS, TBT) via PageSpeed Insights.

Nicolas van Arkens

Website & Domain Health Audit — SSL, DNS, Email, Security Score

inexhaustible_glass/domain-health-audit

Complete website & domain audit in one run: SSL/TLS, DNS, SPF/DKIM/DMARC email security, security headers, tech stack, WHOIS, blacklist & uptime — with a health score and fix list. No API key.

Hitman studio

Tech Stack Detector API - BuiltWith & Wappalyzer Alternative

tugelbay/website-tech-stack-detector

Tech stack detector and website technology checker API. BuiltWith/Wappalyzer alternative for bulk URL enrichment: detect 100+ CMS, ecommerce. Guide: https://konabayev.com/tools/website-tech-stack-detector/?utm_source=apify_info&utm_medium=referral&utm_campaign=website-tech-stack-detector

Tugelbay Konabayev

Company Deep Research — SEC, GitHub, DNS & Social

ryanclinton/company-deep-research

Generate comprehensive company research reports from 7+ sources: SEC filings, stock data, Wikipedia, GitHub, Trustpilot reviews, DNS records, and social media verification. One domain in, full intelligence report out.

Ryan Clinton

Bulk URL Unshortener — Redirect Chain Resolver

logiover/bulk-url-unshortener

Resolve thousands of shortened URLs at once — bit.ly, t.co, ow.ly, TinyURL and every shortener. Traces the full redirect chain (every hop, status code, redirect type) and returns the final URL, latency and intermediate destinations. No API key, export to CSV or JSON.