# Bulk HTTP Security Headers Analyzer — CSP, HSTS & Score (`logiover/bulk-http-security-headers`) Actor Analyze HTTP security headers for thousands of URLs. Checks CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy and more. Returns pass/fail per header plus a numeric security score. No API key, export to CSV/JSON. Ideal for security audits and compliance scanning. - **URL**: https://apify.com/logiover/bulk-http-security-headers.md - **Developed by:** [Logiover](https://apify.com/logiover) (community) - **Categories:** Developer tools, Automation - **Stats:** 2 total users, 1 monthly users, 100.0% runs succeeded, 0 bookmarks - **User rating**: No ratings yet ## Pricing from $3.50 / 1,000 results This Actor is paid per event. You are not charged for the Apify platform usage, but only a fixed price for specific events. Since this Actor supports Apify Store discounts, the price gets lower the higher subscription plan you have. Learn more: https://docs.apify.com/platform/actors/running/actors-in-store#pay-per-event ## What's an Apify Actor? Actors are a software tools running on the Apify platform, for all kinds of web data extraction and automation use cases. In Batch mode, an Actor accepts a well-defined JSON input, performs an action which can take anything from a few seconds to a few hours, and optionally produces a well-defined JSON output, datasets with results, or files in key-value store. In Standby mode, an Actor provides a web server which can be used as a website, API, or an MCP server. Actors are written with capital "A". ## How to integrate an Actor? If asked about integration, you help developers integrate Actors into their projects. You adapt to their stack and deliver integrations that are safe, well-documented, and production-ready. The best way to integrate Actors is as follows. In JavaScript/TypeScript projects, use official [JavaScript/TypeScript client](https://docs.apify.com/api/client/js.md): ```bash npm install apify-client ``` In Python projects, use official [Python client library](https://docs.apify.com/api/client/python.md): ```bash pip install apify-client ``` In shell scripts, use [Apify CLI](https://docs.apify.com/cli/docs.md): ````bash # MacOS / Linux curl -fsSL https://apify.com/install-cli.sh | bash # Windows irm https://apify.com/install-cli.ps1 | iex ```bash In AI frameworks, you might use the [Apify MCP server](https://docs.apify.com/platform/integrations/mcp.md). If your project is in a different language, use the [REST API](https://docs.apify.com/api/v2.md). For usage examples, see the [API](#api) section below. For more details, see Apify documentation as [Markdown index](https://docs.apify.com/llms.txt) and [Markdown full-text](https://docs.apify.com/llms-full.txt). # README ## Bulk HTTP Security Headers Analyzer 🛡️ — CSP, HSTS & Score **Audit HTTP security headers for thousands of URLs in one run.** This **bulk security header scanner** checks every URL for **Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Cross-Origin-Opener-Policy, Cross-Origin-Resource-Policy, Cross-Origin-Embedder-Policy** and more. Each check is scored, totaled into a **0–100 security score**, and graded from **A+ to F**. Paste a list of URLs and the actor fetches their headers in parallel via HTTP HEAD — fast, lightweight, no page content downloaded. Every URL gets one row with pass/fail for each header, a list of missing headers, and an overall grade. > Looking for a **security header checker**, a **CSP auditor**, an **HSTS scanner**, a **bulk HTTP security audit tool**, or a **free HTTP security analyzer API**? This actor does all the checks at scale. --- ### ✨ Key features - 🛡️ **11 security header checks** — CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP, CORP, COEP, Server header leak, X-Powered-By leak. - 🎯 **Numeric score (0–100)** — each check is weighted by security importance; get a total score and a letter grade (A+ to F). - 📋 **Pass / fail per header** — every header gets its own boolean pass/fail column plus the raw header value. - 🧩 **HSTS deep parse** — max-age, includeSubdomains and preload flags extracted separately. - 🚨 **Missing headers list** — comma-separated list of which recommended security headers are absent. - 🔍 **Information leak checks** — flags when `Server` and `X-Powered-By` headers expose stack details. - ⚡ **HEAD-only, no body** — HTTP HEAD is fast; security headers are all in the response headers. - 🔑 **No API key** — works out of the box with standard HTTP requests. ### 💡 Use cases - **Security posture audits** — scan your entire web portfolio and get a numeric score per URL; track improvement over time. - **Compliance scanning** — check for missing HSTS, CSP and other headers required by SOC 2, ISO 27001, PCI DSS. - **Vendor risk assessment** — score third-party SaaS tools and partners on their HTTP security hygiene. - **Bug bounty recon** — identify sites with weak or missing security headers that broaden attack surface. - **DevSecOps CI/CD** — run as a gate check after deployments to catch regressions in security header configuration. - **Competitor benchmarking** — compare your security header posture against competitors. ### 📦 What you get Each row in the dataset is **one URL's full security header report**: | Field | Description | |-------|-------------| | `url` | The analyzed URL | | `finalUrl` | Final URL after any redirects | | `statusCode` | HTTP status code | | `securityScore` | Overall score from 0 (no headers) to 100 (all recommended headers well-configured) | | `grade` | Letter grade: A+, A, B, C, D, F | | `cspHeader` | Content-Security-Policy value or `not set` | | `cspPass` | `true` if CSP is present and well-formed | | `cspReportOnly` | CSP-Report-Only value if present | | `hstsHeader` | Strict-Transport-Security value or `not set` | | `hstsPass` | `true` if HSTS is present with max-age ≥ 1 year | | `hstsMaxAge` | HSTS max-age value in seconds | | `hstsIncludeSubdomains` | `true`/`false` — whether includeSubDomains is present | | `hstsPreload` | `true`/`false` — whether the preload directive is present | | `xFrameOptions` | X-Frame-Options value or `not set` | | `xFrameOptionsPass` | `true` if set to DENY or SAMEORIGIN | | `xContentTypeOptions` | X-Content-Type-Options value or `not set` | | `xContentTypeOptionsPass` | `true` if set to nosniff | | `referrerPolicy` | Referrer-Policy value or `not set` | | `referrerPolicyPass` | `true` if a privacy-preserving policy is set | | `permissionsPolicy` | Permissions-Policy value or `not set` | | `permissionsPolicyPass` | `true` if Permissions-Policy is present | | `crossOriginOpenerPolicy` | COOP value or `not set` | | `crossOriginOpenerPolicyPass` | `true` if set to same-origin | | `crossOriginResourcePolicy` | CORP value or `not set` | | `crossOriginEmbedderPolicy` | COEP value or `not set` | | `server` | Server header value — flagged if present (information leak) | | `xPoweredBy` | X-Powered-By header value — flagged if present (information leak) | | `cacheControl` | Cache-Control value | | `missingHeaders` | Comma-separated recommended headers that are absent | | `passCount` | Number of checks passed | | `totalChecks` | Total number of checks performed (11) | | `latencyMs` | Time taken for the HTTP request in milliseconds | | `checkedAt` | ISO 8601 timestamp | #### Example output ```json [ { "url": "https://github.com", "finalUrl": "https://github.com/", "statusCode": "200", "securityScore": "78", "grade": "B", "cspHeader": "default-src 'none'; ...", "cspPass": "true", "hstsHeader": "max-age=31536000; includeSubdomains; preload", "hstsPass": "true", "hstsMaxAge": "31536000", "hstsIncludeSubdomains": "true", "hstsPreload": "true", "xFrameOptions": "deny", "xFrameOptionsPass": "true", "xContentTypeOptions": "nosniff", "xContentTypeOptionsPass": "true", "referrerPolicy": "origin-when-cross-origin, strict-origin-when-cross-origin", "referrerPolicyPass": "true", "permissionsPolicy": "not set", "permissionsPolicyPass": "false", "crossOriginOpenerPolicy": "not set", "crossOriginOpenerPolicyPass": "false", "missingHeaders": "Permissions-Policy, Cross-Origin-Opener-Policy", "passCount": "8", "totalChecks": "11", "checkedAt": "2026-06-24T12:00:00.000Z" } ] ```` ### 🚀 How to use it 1. Click **Try for free / Start**. 2. Paste your list of URLs into **URLs to Analyze** — one per line. 3. (Optional) Adjust **Max Concurrency** for large lists and keep **Proxy** enabled. 4. Click **Save & Start**, then export the dataset as **JSON, CSV, Excel or via API**. ### ⚙️ Input | Field | Type | Description | Default | |-------|------|-------------|---------| | `urls` | array (required) | URLs to scan for security headers. `https://` added automatically if missing. | – | | `maxConcurrency` | integer | Parallel requests. Higher is faster. | `20` (max `100`) | | `proxyConfiguration` | object | Proxy used for the HTTP requests. | Apify Proxy (datacenter) | #### Example input ```json { "urls": ["https://github.com", "https://stackoverflow.com", "https://example.com"], "maxConcurrency": 20, "proxyConfiguration": { "useApifyProxy": true } } ``` ### 🔍 How it works For each URL, the actor sends an **HTTP HEAD request** (with automatic redirect following) and extracts every security-relevant header from the response. Each header is checked against a best-practice definition: - **CSP** — must be present and well-formed (length > 10 chars). Weight: 20. - **HSTS** — must have `max-age` ≥ 31,536,000 (1 year). Weight: 15. - **X-Frame-Options** — must be `DENY` or `SAMEORIGIN`. Weight: 12. - **X-Content-Type-Options** — must equal `nosniff`. Weight: 10. - **Referrer-Policy** — must restrict referrer data. Weight: 10. - **Permissions-Policy** — must be present. Weight: 8. - **COOP / CORP / COEP** — cross-origin isolation headers. Weight: 5 each. - **Server / X-Powered-By** — information leak: points if NOT present. Weight: 5 each. Scores are weighted and normalized to 0–100, then mapped to a letter grade. The `missingHeaders` field lists every recommended header that's absent so you know exactly what to fix. ### 🧰 Tips & best practices - HTTPS-only URLs produce more meaningful results — plain HTTP sites won't return HSTS. - Filter by `grade: "F"` to prioritize the worst offenders first; filter by `securityScore` descending for a leaderboard. - Schedule recurring weekly runs and diff datasets to track security header improvements over time. - Parse the `missingHeaders` field to generate prioritized remediation tickets per URL. - Use `maxConcurrency: 20` for large lists and keep Apify Proxy enabled. ### ❓ FAQ #### How do I check security headers for many URLs? Paste your full URL list into the **URLs to Analyze** field and run the actor once. It fetches headers from every URL in parallel and returns one row per URL with pass/fail for each of 11 checks. #### Which security headers are checked? CSP, HSTS (with max-age ≥1yr), X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Cross-Origin-Opener-Policy, Cross-Origin-Resource-Policy, Cross-Origin-Embedder-Policy, plus Server and X-Powered-By information leak checks. #### How is the security score calculated? Each header check carries a weight based on its security impact (CSP=20, HSTS=15, etc.). The score is the weighted percentage of checks that pass, normalized to 0–100. Grade: A+ ≥90, A ≥80, B ≥70, C ≥50, D ≥30, F <30. #### Can I export security header audits to CSV? Yes — every URL is one row with dedicated columns for each header and its pass/fail status, so the dataset drops straight into a spreadsheet for reporting. #### Does it follow redirects? Yes — the actor follows up to 5 redirects automatically and reports the final URL in the `finalUrl` field, so `http://example.com` → `https://example.com` redirects are handled transparently. ### 🔗 Related actors by the same author - **[Bulk SSL Certificate Checker](https://apify.com/logiover/bulk-ssl-certificate-checker)** — SSL/TLS certificate inspection (expiry, issuer, SANs, TLS versions, chain validation). - **[Bulk DNS Records Lookup](https://apify.com/logiover/bulk-dns-records-lookup)** — A, AAAA, MX, TXT, NS, CNAME, SOA, CAA for thousands of domains. - **[Bulk URL Status Checker](https://apify.com/logiover/bulk-url-status-checker)** — HTTP status codes, broken links and redirects for large URL lists. - **[Website SEO Audit Crawler](https://apify.com/logiover/website-seo-audit-crawler)** — on-page SEO analysis for websites. ### 📝 Changelog #### 2026-06-24 - Initial release — 11 security header checks with weighted scoring, A+ to F grading, no API key, CSV/JSON export. # Actor input Schema ## `urls` (type: `array`): List of URLs to scan for security headers. Paste one per line — HTTPS and HTTP both supported. Schemes are added automatically if missing. ## `maxConcurrency` (type: `integer`): How many URLs to scan in parallel. Higher is faster. ## `proxyConfiguration` (type: `object`): Proxy used for the HTTP requests. Recommended to avoid rate limiting. ## Actor input object example ```json { "urls": [ "https://github.com", "https://example.com", "https://httpbin.org" ], "maxConcurrency": 20, "proxyConfiguration": { "useApifyProxy": true } } ``` # Actor output Schema ## `results` (type: `string`): The dataset containing one row per URL with pass/fail for 11 security headers, a numeric score and letter grade. # API You can run this Actor programmatically using our API. Below are code examples in JavaScript, Python, and CLI, as well as the OpenAPI specification and MCP server setup. ## JavaScript example ```javascript import { ApifyClient } from 'apify-client'; // Initialize the ApifyClient with your Apify API token // Replace the '' with your token const client = new ApifyClient({ token: '', }); // Prepare Actor input const input = { "urls": [ "https://github.com", "https://example.com", "https://httpbin.org" ] }; // Run the Actor and wait for it to finish const run = await client.actor("logiover/bulk-http-security-headers").call(input); // Fetch and print Actor results from the run's dataset (if any) console.log('Results from dataset'); console.log(`💾 Check your data here: https://console.apify.com/storage/datasets/${run.defaultDatasetId}`); const { items } = await client.dataset(run.defaultDatasetId).listItems(); items.forEach((item) => { console.dir(item); }); // 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/js/docs ``` ## Python example ```python from apify_client import ApifyClient # Initialize the ApifyClient with your Apify API token # Replace '' with your token. client = ApifyClient("") # Prepare the Actor input run_input = { "urls": [ "https://github.com", "https://example.com", "https://httpbin.org", ] } # Run the Actor and wait for it to finish run = client.actor("logiover/bulk-http-security-headers").call(run_input=run_input) # Fetch and print Actor results from the run's dataset (if there are any) print("💾 Check your data here: https://console.apify.com/storage/datasets/" + run["defaultDatasetId"]) for item in client.dataset(run["defaultDatasetId"]).iterate_items(): print(item) # 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/python/docs/quick-start ``` ## CLI example ```bash echo '{ "urls": [ "https://github.com", "https://example.com", "https://httpbin.org" ] }' | apify call logiover/bulk-http-security-headers --silent --output-dataset ``` ## MCP server setup ```json { "mcpServers": { "apify": { "command": "npx", "args": [ "mcp-remote", "https://mcp.apify.com/?tools=logiover/bulk-http-security-headers", "--header", "Authorization: Bearer " ] } } } ``` ## OpenAPI specification ```json { "openapi": "3.0.1", "info": { "title": "Bulk HTTP Security Headers Analyzer — CSP, HSTS & Score", "description": "Analyze HTTP security headers for thousands of URLs. Checks CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy and more. Returns pass/fail per header plus a numeric security score. No API key, export to CSV/JSON. Ideal for security audits and compliance scanning.", "version": "1.0", "x-build-id": "0IVZhckPZpAa1H2Ad" }, "servers": [ { "url": "https://api.apify.com/v2" } ], "paths": { "/acts/logiover~bulk-http-security-headers/run-sync-get-dataset-items": { "post": { "operationId": "run-sync-get-dataset-items-logiover-bulk-http-security-headers", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } }, "/acts/logiover~bulk-http-security-headers/runs": { "post": { "operationId": "runs-sync-logiover-bulk-http-security-headers", "x-openai-isConsequential": false, "summary": "Executes an Actor and returns information about the initiated run in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/runsResponseSchema" } } } } } } }, "/acts/logiover~bulk-http-security-headers/run-sync": { "post": { "operationId": "run-sync-logiover-bulk-http-security-headers", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } } }, "components": { "schemas": { "inputSchema": { "type": "object", "required": [ "urls" ], "properties": { "urls": { "title": "URLs to Analyze", "type": "array", "description": "List of URLs to scan for security headers. Paste one per line — HTTPS and HTTP both supported. Schemes are added automatically if missing.", "items": { "type": "string" } }, "maxConcurrency": { "title": "Max Concurrency", "minimum": 1, "maximum": 100, "type": "integer", "description": "How many URLs to scan in parallel. Higher is faster.", "default": 20 }, "proxyConfiguration": { "title": "Proxy Configuration", "type": "object", "description": "Proxy used for the HTTP requests. Recommended to avoid rate limiting.", "default": { "useApifyProxy": true } } } }, "runsResponseSchema": { "type": "object", "properties": { "data": { "type": "object", "properties": { "id": { "type": "string" }, "actId": { "type": "string" }, "userId": { "type": "string" }, "startedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "finishedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "status": { "type": "string", "example": "READY" }, "meta": { "type": "object", "properties": { "origin": { "type": "string", "example": "API" }, "userAgent": { "type": "string" } } }, "stats": { "type": "object", "properties": { "inputBodyLen": { "type": "integer", "example": 2000 }, "rebootCount": { "type": "integer", "example": 0 }, "restartCount": { "type": "integer", "example": 0 }, "resurrectCount": { "type": "integer", "example": 0 }, "computeUnits": { "type": "integer", "example": 0 } } }, "options": { "type": "object", "properties": { "build": { "type": "string", "example": "latest" }, "timeoutSecs": { "type": "integer", "example": 300 }, "memoryMbytes": { "type": "integer", "example": 1024 }, "diskMbytes": { "type": "integer", "example": 2048 } } }, "buildId": { "type": "string" }, "defaultKeyValueStoreId": { "type": "string" }, "defaultDatasetId": { "type": "string" }, "defaultRequestQueueId": { "type": "string" }, "buildNumber": { "type": "string", "example": "1.0.0" }, "containerUrl": { "type": "string" }, "usage": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "integer", "example": 1 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } }, "usageTotalUsd": { "type": "number", "example": 0.00005 }, "usageUsd": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "number", "example": 0.00005 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } } } } } } } } } ```