OrbTop

HTTP Probe -- TLS, Security Headers, Redirects


SSL & Security Headers Checker (HTTP Probe)

Bulk site-health probe in a single record per URL: TLS certificate, security-header grade (A+ through F), redirect chain, TTFB, HTTP/2 and HTTP/3 negotiation, and IPv6 reachability. Pure Node, no browser, no proxies.


SSL & Security Headers Features

  • TLS certificate capture: issuer, subject, validity window, daysToExpiry, signature algorithm, SAN list, serial number, OCSP stapling.
  • Security-header grading modeled after securityheaders.com — A+ / A / B / C / D / F across the standard nine (CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP, COEP, CORP).
  • Lists every missing header so you can hand the row to a developer and say "this".
  • Full redirect-chain capture (up to 10 hops) with status codes and from/to.
  • HTTP/2 detection via ALPN, HTTP/3 detection via the Alt-Svc header.
  • Optional IPv6 reachability probe — resolves AAAA, opens a family:6 TLS connection, records the boolean.
  • Bare hosts auto-prefix to https://. Duplicates are removed before probing.

Who Uses Site Health Probe Data?

  • DevOps and SRE — track SSL expiry windows across portfolios so a forgotten cert never takes a service down.
  • Security teams — audit CSP, HSTS, and frame-ancestors posture across thousands of subdomains in one run.
  • CI pipelines — fail a build when a deployment regresses on security headers or HTTPS posture.
  • Penetration testers — bulk-fingerprint TLS, HTTP/2, HTTP/3, and IPv6 surface area before a deeper engagement.
  • Compliance auditors — produce evidence of TLS hygiene across a portfolio without writing a custom probe each quarter.

How HTTP Probe Works

  1. Pass in a list of URLs (or bare hosts; they auto-prefix to https://). Duplicates are dropped.
  2. For each URL the actor runs a TLS handshake (with ALPN h2 negotiation), then issues an HTTP request — preferring HTTP/2 when negotiated, falling back to HTTP/1.1.
  3. If followRedirects is on, every hop is captured and walked up to 10 levels with cycle detection.
  4. The header grader checks the configured set, computes the A+ through F grade, and the row also records HTTP/3 (Alt-Svc) and optional IPv6 reachability.
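Steps 1 and 3 above, sketched as an added example (not the actor's own code). The names `normalizeTargets`, `walkRedirects`, the injected `lookup` function, the error strings and the hosts in the table are assumptions made for illustration; `lookup` stands in for the real HTTP request so the walker runs offline.

```javascript
const MAX_HOPS = 10; // the page's limit: up to 10 redirects per URL

// Step 1: bare hosts get an https:// prefix, then duplicates are dropped.
// new URL().href canonicalises case and the trailing slash before dedup.
function normalizeTargets(inputs) {
  const urls = inputs.map((s) => s.trim()).filter(Boolean)
    .map((s) => new URL(/^https?:\/\//i.test(s) ? s : `https://${s}`).href);
  return [...new Set(urls)];
}

// Step 3: follow Location headers, recording 'STATUS from -> to' per hop.
// lookup(url) returns { status, location } for one request (hypothetical hook).
function walkRedirects(startUrl, lookup) {
  const redirectChain = [];
  const visited = new Set([startUrl]);
  let url = startUrl;
  for (;;) {
    const { status, location } = lookup(url);
    if (status < 300 || status >= 400 || !location) {
      return { finalUrl: url, status, redirectChain, error: '' };
    }
    if (redirectChain.length === MAX_HOPS) {
      return { finalUrl: url, status, redirectChain, error: 'redirect limit reached' };
    }
    const next = new URL(location, url).href; // Location may be relative
    redirectChain.push(`${status} ${url} -> ${next}`);
    if (visited.has(next)) { // cycle: stop instead of looping to the hop cap
      return { finalUrl: next, status, redirectChain, error: 'redirect cycle' };
    }
    visited.add(next);
    url = next;
  }
}

// Constructed responses: one two-hop chain and one two-URL loop.
const TABLE = {
  'https://example.com/': { status: 301, location: 'https://www.example.com/' },
  'https://www.example.com/': { status: 302, location: '/home' },
  'https://www.example.com/home': { status: 200 },
  'https://loop.example/a': { status: 302, location: '/b' },
  'https://loop.example/b': { status: 302, location: '/a' },
};
const tableLookup = (url) => TABLE[url] || { status: 0 };

for (const target of normalizeTargets(['example.com', 'https://loop.example/a'])) {
  console.log(walkRedirects(target, tableLookup));
}
```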

Input

{
  "urls": ["https://example.com/", "https://github.com/", "https://cloudflare.com/"],
  "maxItems": 5,
  "followRedirects": true,
  "checkHeaders": [
    "content-security-policy",
    "strict-transport-security",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
    "permissions-policy",
    "cross-origin-opener-policy",
    "cross-origin-embedder-policy",
    "cross-origin-resource-policy"
  ],
  "runIPv6": false,
  "timeoutSec": 15,
  "concurrency": 25
}

| Field | Type | Default | Description |
|---|---|---|---|
| urls | array | required | URLs (https://example.com/) or bare hosts (example.com). Bare hosts auto-prefix to https://. |
| maxItems | integer | 5 | Cap on URLs probed after dedup. Range 1-10000. |
| followRedirects | boolean | true | Follow up to 10 redirects and log each hop. |
| checkHeaders | array | the standard nine | Security headers to grade. |
| runIPv6 | boolean | false | Probe IPv6 (AAAA + family:6 TLS connect). Records ipv6Reachable. |
| timeoutSec | integer | 15 | Per-URL HTTP timeout in seconds. Range 3-60. |
| concurrency | integer | 25 | Parallel probes. Hard cap at 50 to avoid socket exhaustion. |

SSL & Security Headers Output Fields

{
  "url": "https://cloudflare.com/",
  "finalUrl": "https://www.cloudflare.com/",
  "status": 200,
  "redirectChain": ["301 https://cloudflare.com/ -> https://www.cloudflare.com/"],
  "ttfbMs": 142,
  "totalMs": 487,
  "ssl": {
    "subject": "Cloudflare, Inc. / cloudflare.com",
    "issuer": "Google Trust Services / WE1",
    "validFrom": "2026-03-12T20:59:51.000Z",
    "validTo": "2026-06-10T21:59:46.000Z",
    "daysToExpiry": 41,
    "sigAlg": "prime256v1",
    "sans": ["cloudflare.com", "*.cloudflare.com"],
    "serialNumber": "AABBCC",
    "ocspStapling": true
  },
  "headers": {
    "raw": {
      "strict-transport-security": "max-age=63072000; includeSubDomains; preload",
      "content-security-policy": "default-src 'self'"
    },
    "missingSecurity": ["cross-origin-embedder-policy"],
    "gradeApprox": "B"
  },
  "http2": true,
  "http3": true,
  "ipv6Reachable": false,
  "probedAt": "2026-04-30T12:00:00.000Z",
  "error": ""
}

| Field | Type | Description |
|---|---|---|
| url | string | Probed URL (input). |
| finalUrl | string | URL after redirects (same as url when none followed). |
| status | number | HTTP status code of the final response. |
| redirectChain | array | Ordered list of hops as 'STATUS from -> to' strings. |
| ttfbMs | number | Time to first byte in ms. |
| totalMs | number | Total elapsed time in ms (TLS + request + body). |
| ssl | object | issuer, subject, validFrom, validTo, daysToExpiry, sigAlg, sans, serialNumber, ocspStapling. |
| headers | object | {raw, missingSecurity, gradeApprox}. |
| http2 | boolean | True when the server negotiated HTTP/2 via ALPN. |
| http3 | boolean | True when the server advertises HTTP/3 via Alt-Svc. |
| ipv6Reachable | boolean | True when the IPv6 probe connected (only meaningful when runIPv6=true). |
| probedAt | string | ISO timestamp when the probe completed. |
| error | string | Error message on failure (empty on success). |

Grade rules

  • A+ — every wanted header present, HSTS includes preload, HSTS max-age >= 1 year, CSP defined and free of unsafe-inline / unsafe-eval.
  • A — every wanted header present, no A+ bonus.
  • B — 7-8 of 9 present.
  • C — 5-6 present.
  • D — 3-4 present.
  • F — fewer than 3 present, or no headers received at all.
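The grade rules above, written out as an added example (not the actor's own grader) that a CI job could run against captured response headers. The function names and the sample are assumptions; the thresholds are the page's counts for the standard nine, and how a custom checkHeaders list would scale them is not stated, so the example grades the nine only.

```javascript
const STANDARD_NINE = [
  'content-security-policy', 'strict-transport-security', 'x-frame-options',
  'x-content-type-options', 'referrer-policy', 'permissions-policy',
  'cross-origin-opener-policy', 'cross-origin-embedder-policy',
  'cross-origin-resource-policy',
];
const ONE_YEAR_SEC = 31536000;

// A+ bonus, HSTS half: preload directive present and max-age >= 1 year.
function hstsQualifies(value) {
  const parts = value.toLowerCase().split(';').map((p) => p.trim());
  const maxAge = parts.find((p) => p.startsWith('max-age='));
  const seconds = maxAge ? parseInt(maxAge.slice(8).replace(/"/g, ''), 10) : NaN;
  return parts.includes('preload') && seconds >= ONE_YEAR_SEC;
}

// A+ bonus, CSP half: policy defined and free of unsafe-inline / unsafe-eval.
function cspQualifies(value) {
  const v = value.toLowerCase();
  return v.trim() !== '' && !v.includes("'unsafe-inline'") && !v.includes("'unsafe-eval'");
}

function gradeHeaders(rawHeaders) {
  const headers = {}; // header names are case-insensitive, so normalise first
  for (const [k, v] of Object.entries(rawHeaders || {})) headers[k.toLowerCase()] = String(v);
  const missingSecurity = STANDARD_NINE.filter((h) => !(h in headers));
  const present = STANDARD_NINE.length - missingSecurity.length;
  let gradeApprox = 'D'; // 3-4 present
  if (present < 3) gradeApprox = 'F'; // also covers "no headers received at all"
  else if (present === 9) {
    const bonus = hstsQualifies(headers['strict-transport-security']) &&
      cspQualifies(headers['content-security-policy']);
    gradeApprox = bonus ? 'A+' : 'A';
  } else if (present >= 7) gradeApprox = 'B';
  else if (present >= 5) gradeApprox = 'C';
  return { missingSecurity, gradeApprox };
}

// Constructed sample: all nine headers except COEP, so the row grades B.
const SAMPLE = Object.fromEntries(STANDARD_NINE
  .filter((h) => h !== 'cross-origin-embedder-policy').map((h) => [h, 'x']));
console.log(gradeHeaders(SAMPLE));
```

A short HSTS max-age or a CSP containing 'unsafe-inline' only costs the A+ bonus under these rules; the grade drops below A only when a header is absent.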

Pricing

Two events. Basic probes are cheap. Full audits — runIPv6=true AND followRedirects=true AND the full standard nine headers graded — bill at the premium rate because they spend more time on the wire.

| Event | Price |
|---|---|
| Actor start | $0.10 |
| Basic probe | $0.002 |
| Full audit | $0.004 |

| Volume | Basic | Full audit |
|---|---|---|
| 100 URLs | $0.30 | $0.50 |
| 1,000 URLs | $2.10 | $4.10 |
| 10,000 URLs | $20.10 | $40.10 |

Limits

  • maxItems caps at 10,000 per run.
  • The Apify console tester has a 5-minute timeout — keep maxItems low (default 5) for in-browser testing.
  • concurrency caps at 50 to avoid socket exhaustion on the runner.
  • TLS handshake timeout is fixed at 8 seconds. HTTP request timeout defaults to 15 s, max 60 s.
  • Up to 10 redirects per URL; cycles are detected via the visited-set and short-circuited.
  • IPv6 reachability is opt-in. Many runners have IPv6 disabled at the host level — if you need definitive IPv6 results, run on a runner you control.

Related Actors

  • DNS Domain Audit — pair for full DNS + WHOIS + email-auth + TLS posture per domain.
  • Sitemap Walker Pro — discover URLs across a site, then probe each one.
  • Structured Data Validator Pro — combine for SEO + security audits in the same run.

Need More Features?

Useful queued additions: TLS cipher details, certificate-chain depth, HSTS preload-list lookup, CT-log SCT count, MTA-STS / TLS-RPT, BIMI, CAA enforcement check. File an issue to vote one up.

Why Use SSL & Security Headers Checker?

  • One row, full picture — TLS, headers, redirects, HTTP/2/3, IPv6, and timings in a single record. Sortable, filterable, and ready for a dashboard.
  • Cheap at scale — $0.002 per basic probe. 10,000 sites for $20 puts the spreadsheet you've been maintaining out of business.
  • No browser — pure Node sockets. Faster, cheaper, and less brittle than driving a Chromium for what is, fundamentally, a TLS handshake and a HEAD request.

Built by OrbTop.