humble
HTTP Headers Analyzer
"A journey of a thousand miles begins with a single step. - Lao Tzu"
"And if you don't keep your feet, there's no knowing where you might be swept off to. - Bilbo Baggins"
Table of contents
Features
Screenshots
Installation & Update
Usage
Missing Headers Check
Fingerprint Headers Check
Deprecated Headers and Insecure Values Checks
Empty Values Check
Guidelines included
To-Do
Further Reading
Contribute
License
Features
Screenshots
.: Brief report (Windows)
.: Brief report and retrieved headers (Linux)
.: Full report (Linux)
.: Analysis exported to PDF. Example.
.: Analysis exported to HTML. Example.
Installation & Update
NOTE: Python 3.6 or higher is required.
# install python3 and python3-pip if not already installed
(Windows) https://www.python.org/downloads/windows/
(Linux) if not installed by default, install them via, e.g. Synaptic, apt, dnf, yum ...
# install git
(Windows) https://git-scm.com/download/win
(Linux) https://git-scm.com/download/linux
# clone the repository
$ git clone https://github.com/rfc-st/humble.git
# change the working directory to humble
$ cd humble
# install the requirements
$ pip3 install -r requirements.txt
# update humble (every couple of weeks, inside humble's working directory)
$ git pull
# or download the latest release
https://github.com/rfc-st/humble/releases
Usage
(Windows) $ py humble.py
(Linux) $ python3 humble.py
usage: humble.py [-h] [-d DOMAIN] [-b] [-o {html,pdf,txt}] [-r] [-g] [-v]
humble (HTTP Headers Analyzer) - https://github.com/rfc-st/humble
optional arguments:
-h, --help show this help message and exit
-d DOMAIN domain to analyze, including schema. E.g., https://google.com
-r show HTTP response headers and full analysis (with references and details)
-b show brief analysis (without references or details)
-o {html,pdf,txt} save analysis to file (domain_yyyymmdd.ext)
-g show guidelines on securing most used web servers/services
Missing headers check
- Cache-Control
- Clear-Site-Data
- Content-Type
- Content-Security-Policy
- Cross-Origin-Embedder-Policy
- Cross-Origin-Opener-Policy
- Cross-Origin-Resource-Policy
- Expect-CT
- NEL
- Permissions-Policy
- Pragma
- Referrer-Policy
- Strict-Transport-Security
- X-Content-Type-Options
- X-Frame-Options
Fingerprint headers check
Check this file.
Deprecated headers/protocols and insecure values checks
Check this file.
Empty values check
Any HTTP response header.
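The two checks above, "missing headers" and "empty values", boil down to a case-insensitive lookup over the parsed response header block. The following script is an added example, not humble's own code: it parses a constructed raw HTTP response (not captured from any real site), reports which headers from the README's missing-headers list are absent, and separately reports any header, security-related or not, that is present but carries no value. The helper names (parse_response_headers, missing_headers, empty_headers, analyze) are the example's own.

```python
"""Added example (not humble's own code): the "missing headers" and
"empty values" checks from humble's README, run over a constructed
HTTP response header block."""
from __future__ import annotations

# The headers the README lists under "Missing headers check".
EXPECTED_HEADERS = (
    "Cache-Control",
    "Clear-Site-Data",
    "Content-Type",
    "Content-Security-Policy",
    "Cross-Origin-Embedder-Policy",
    "Cross-Origin-Opener-Policy",
    "Cross-Origin-Resource-Policy",
    "Expect-CT",
    "NEL",
    "Permissions-Policy",
    "Pragma",
    "Referrer-Policy",
    "Strict-Transport-Security",
    "X-Content-Type-Options",
    "X-Frame-Options",
)

# Constructed sample response (not from any real server). It mixes header
# name casing on purpose, and two fields are present but empty.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "cache-control: no-store\r\n"
    "X-Frame-Options: \r\n"
    "Strict-Transport-Security: max-age=63072000; includeSubDomains\r\n"
    "x-content-type-options: nosniff\r\n"
    "Server: \r\n"
    "\r\n"
    "<html></html>"
)


def parse_response_headers(raw: str) -> dict[str, str]:
    """Split a raw HTTP response into its header fields.

    Keys are lower-cased so later lookups are case-insensitive, as HTTP
    header names are. A field repeated on several lines is joined with
    ", ", the list-value form that RFC 9110 defines.
    """
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    fields: dict[str, str] = {}
    for line in lines[1:]:  # lines[0] is the status line
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        key = name.strip().lower()
        value = value.strip()
        fields[key] = f"{fields[key]}, {value}" if key in fields else value
    return fields


def missing_headers(fields: dict[str, str]) -> list[str]:
    """Expected headers that the response does not carry at all."""
    return [h for h in EXPECTED_HEADERS if h.lower() not in fields]


def empty_headers(fields: dict[str, str]) -> list[str]:
    """Any header present with no value, reported by lower-cased name.

    This is the README's "Empty values check": it covers every response
    header, not only the expected list. An empty value gives the browser
    nothing to act on, so it is flagged separately from an absent header.
    """
    return sorted(name for name, value in fields.items() if value == "")


def analyze(raw: str) -> dict[str, list[str]]:
    """Run both checks and return their findings."""
    fields = parse_response_headers(raw)
    return {"missing": missing_headers(fields), "empty": empty_headers(fields)}


if __name__ == "__main__":
    for kind, names in analyze(SAMPLE_RESPONSE).items():
        print(f"{kind}: {', '.join(names) if names else '(none)'}")
```

Note that a header counted as present by the missing check can still be flagged by the empty check (X-Frame-Options in the sample): the two checks answer different questions, and both findings are worth reporting.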
Guidelines included to enable security HTTP headers
- Amazon AWS
- Apache HTTP Server
- Cloudflare
- MaxCDN
- Microsoft Internet Information Services
- Nginx
To-do
- Add more header/value checks (only security-oriented)
- Add analysis rating
- Show the application related to each fingerprint header
- Improve PDF output through fpdf2 library
Further reading
https://caniuse.com/
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers
https://github.com/search?q=http+headers+analyze
https://github.com/search?q=http+headers+secure
https://github.com/search?q=http+headers+security
https://owasp.org/www-project-secure-headers/
https://securityheaders.com/
https://scotthelme.co.uk/
https://webtechsurvey.com/common-response-headers
https://www.w3.org
Contribute
- Report a Bug.
- Create a Feature request.
- Report a Security Vulnerability.
- Drop me an email ([email protected]).
Thanks for your time!! :).
License
MIT © 2020-2022 Rafa 'Bluesman' Faura ([email protected])
Original Creator - Rafa 'Bluesman' Faura ([email protected])