GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → oshp → headers

oshp / headers

Licence: GPL-2.0 license
An application to catch, search and analyze HTTP secure headers.

Programming Languages

python
139335 projects - #7 most used programming language
javascript
184084 projects - #8 most used programming language
shell
77523 projects
Dockerfile
14818 projects

Labels

securityowaspdefenseweb-application-security

Projects that are alternatives of or similar to headers

Owtf
Offensive Web Testing Framework (OWTF), is a framework which tries to unite great tools and make pen testing more efficient http://owtf.org https://twitter.com/owtfp
Stars: ✭ 1,516 (+2469.49%)
Mutual labels:  owasp, web-application-security
Insider
Static Application Security Testing (SAST) engine focused on covering the OWASP Top 10, to make source code analysis to find vulnerabilities right in the source code, focused on a agile and easy to implement software inside your DevOps pipeline. Support the following technologies: Java (Maven and Android), Kotlin (Android), Swift (iOS), .NET Full Framework, C#, and Javascript (Node.js).
Stars: ✭ 216 (+266.1%)
Mutual labels:  owasp
Astra
Automated Security Testing For REST API's
Stars: ✭ 1,898 (+3116.95%)
Mutual labels:  owasp
Apicheck
The DevSecOps toolset for REST APIs
Stars: ✭ 184 (+211.86%)
Mutual labels:  owasp
Phpvuln
Audit tool to find common vulnerabilities in PHP source code
Stars: ✭ 146 (+147.46%)
Mutual labels:  owasp
Fdsploit
File Inclusion & Directory Traversal fuzzing, enumeration & exploitation tool.
Stars: ✭ 199 (+237.29%)
Mutual labels:  owasp
Amass
In-depth Attack Surface Mapping and Asset Discovery
Stars: ✭ 1,693 (+2769.49%)
Mutual labels:  owasp
cwe-tool
A command line CWE discovery tool based on OWASP / CAPSEC database of Common Weakness Enumeration.
Stars: ✭ 40 (-32.2%)
Mutual labels:  owasp
Securecodingdojo
The Secure Coding Dojo is a platform for delivering secure coding training.
Stars: ✭ 216 (+266.1%)
Mutual labels:  owasp
Securetea Project
The OWASP SecureTea Project provides a one-stop security solution for various devices (personal computers / servers / IoT devices)
Stars: ✭ 181 (+206.78%)
Mutual labels:  owasp
Csrf Protector Php
CSRF Protector library: standalone library for CSRF mitigation
Stars: ✭ 178 (+201.69%)
Mutual labels:  owasp
Bluemonday
bluemonday: a fast golang HTML sanitizer (inspired by the OWASP Java HTML Sanitizer) to scrub user generated content of XSS
Stars: ✭ 2,135 (+3518.64%)
Mutual labels:  owasp
Zap Hud
The OWASP ZAP Heads Up Display (HUD)
Stars: ✭ 201 (+240.68%)
Mutual labels:  owasp
Owasp Cloud Security
OWASP Cloud Security - Enabling conversations through threat and control stories
Stars: ✭ 148 (+150.85%)
Mutual labels:  owasp
Juice Shop Ctf
Capture-the-Flag (CTF) environment setup tools for OWASP Juice Shop
Stars: ✭ 238 (+303.39%)
Mutual labels:  owasp
Owaspheaders.core
A .NET Core middleware for injecting the Owasp recommended HTTP Headers for increased security
Stars: ✭ 138 (+133.9%)
Mutual labels:  owasp
Zap Cli
A simple tool for interacting with OWASP ZAP from the commandline.
Stars: ✭ 166 (+181.36%)
Mutual labels:  owasp
Sbt Dependency Check
SBT Plugin for OWASP DependencyCheck. Monitor your dependencies and report if there are any publicly known vulnerabilities (e.g. CVEs). 🌈
Stars: ✭ 187 (+216.95%)
Mutual labels:  owasp
EAD Attack
EAD: Elastic-Net Attacks to Deep Neural Networks via Adversarial Examples
Stars: ✭ 34 (-42.37%)
Mutual labels:  defense
alldaydevops-aism
All Day DevOps - Automated Infrastructure Security Monitoring and Defence (ELK + AWS Lambda)
Stars: ✭ 21 (-64.41%)
Mutual labels:  defense
View All Similar Projects ➔

SecureHeaders

Build Status Maintainability Code Health

OWASP SecureHeaders Project

SecureHeaders project consist in two main modules:

  1. an engine to scan a list of sites fastly and with minimal resources;
  2. a web interface with a dashboard to view, search and customize besides provide insight and feedback about the use of HTTP secure headers.

HTTP secure headers are resources known to some and despised by others. However it's a fact that the versatility and security provided by feature can help make web applications more secure.

Architecture

SecureHeaders Architecture

Dependencies

  • MySQL
  • Redis
  • Python 3.6

Configuration (Dashboard | Scanner)

Edit .env file or set environment variable:

# general settings
## scanner
THREAD_NUMBER=1000
TOPSITES_FILENAME=conf/topsites_global.csv
SENTRY_ENABLED=False
SENTRY_DSN=''

# http settings
ORIGIN=http://a.com
TIMEOUT=3

# mysql settings
MYSQL_USERNAME=root
MYSQL_PASSWORD=password
MYSQL_HOST=localhost
MYSQL_DATABASE=headers

# redis settings
REDIS_HOST=localhost
REDIS_PORT=6379
REDIS_DB=0
REDIS_TTL=60

# http header filters
HEADERS=strict-transport-security,public-key-pins,x-xss-protection,x-frame-options,x-content-type-options,content-security-policy,x-permitted-cross-domain-policies,referrer-policy

# plugins settings
MIME_TYPES=text/html,text/html; charset=utf-8,text/css,text/xml,application/json,image/png,application/javascript,image/jpeg

Usage

# python cli.py --help
#
Usage: cli.py [OPTIONS] COMMAND [ARGS]...

Options:
  --help  Show this message and exit.

Commands:
  scanner  Owasp SecureHeader scanner.
  web      Owasp SecureHeader web dashboard

scanner

# python cli.py scanner --help
#
Usage: cli.py scanner [OPTIONS]

  Owasp SecureHeader scanner.

Options:
  --version              Show the version and exit.
  -f, --file PATH        topsites file path.  [default:
                         conf/topsites_global.csv]
  -t, --threads INTEGER  number of threads.  [default: 1000]
  --help                 Show this message and exit.

dashboard

# python cli.py web --help
#
Usage: cli.py web [OPTIONS] COMMAND

  Owasp SecureHeader web dashboard

Options:
  --help  Show this message and exit.

valid command to start is: ./cli.py web start

Scanner Advanced

docker

docker-compose -f docker-compose.scanner.yml up -d

bare metal

mysql setup overview:

asciicast The scanner module it's responsible to catch all secure headers data from a csv file.

setup, install and run scanner:

# install virtualevn
#
pip install virtualenv
# create virtualenv locally
#
virtualenv venv
# active virtualenv
#
source venv/bin/activate
# install application dependencies
#
pip install -r requirements.txt
# start application (web interface)
#
python cli.py scanner -f conf/develop.csv
Thread pool 1 (0 - 1000)
[*] connection error for <pclady.com.cn>
[!] site <pclady.com.cn> will be excluded from the analysis

Connections summary
https: 3
http: 2
error: 2

Cleaning database
Tables: [header, site, header_value, header_name]

Populating database...
Table: site
Table: header_value
Table: header_name
Table: header

Dashboard Advanced

SecureHeaders Main Page The SecureHeaers webui provide an easyly way to see and search all data gathering with scanner module. For now it's possible to see a dashboard with main HTTP secure headers documented OWASP web page and also provide a way to search secure headers set in each page analyzed as your adoption by other users.

Installation

docker

docker-compose -f docker-compose.dashboard.yml up -d

bare metal

# install virtualevn
#
pip install virtualenv
# create virtualenv locally
#
virtualenv venv
# active virtualenv
#
source venv/bin/activate
# install application dependencies
#
pip install -r requirements.txt
# start application (web interface)
#
python cli.py web start
starting web dashboard...
[*] application started on: http://localhost:5000/
[*] press any key to stop...

More

See the wiki page to see more about how to use, contribute and much more.

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].