chrismckee / drheader

This project is forked from santandersecurityresearch/drheader

License: MIT License

drheader's Introduction

drHEADer

Welcome to drHEADer

There are a number of HTTP headers which enhance the security of a website when used. Often ignored or unknown, these HTTP security headers help prevent common web application vulnerabilities.

DrHEADer helps with the audit of security headers received in response to a single request or a list of requests.

When combined with the OWASP Application Security Verification Standard (ASVS) 4.0, it is a useful tool to include as part of an automated CI/CD pipeline which checks for missing HTTP headers.

How Do I Install It?

This project was developed with Python 3.7.4. Whilst it works with Python 2.x, End of Life (EOL) is coming, so if possible use 3.x. The easiest way to install drHEADer is to clone this repository and, from a terminal window, run the following command:

$ python3 setup.py install --user

This will install all the pre-requisites and you'll end up with a drheader executable.

How Do I Use It?

There are two ways you could use drHEADer, depending on what you want to achieve. The easiest way is using the CLI.

CLI

drHEADer can perform a single scan against a target and report back which headers are present, like so:

$ drheader scan single https://santander.co.uk

If you wish to scan multiple sites, you'll need the targets in a JSON format, or a txt file, like so:

  [
    {
      "url": "https://example.com",
      "params": {
          "example_parameter_key": "example_parameter_value"
      }
    },
    ...
  ]

For txt files, use the following command:

$ drheader scan bulk -ff targets.txt

There are a number of parameters you can specify during bulk scans. These are:

Option              Description
--json              Output the report as JSON
--debug             Show error messages
--rules FILENAME    Use a custom rule set
--rules-uri URL     Use a custom rule set, downloaded from a remote server
--merge             Merge the custom rule set on top of the default set
--help              Show this message and exit
--junit             Create a JUnit report at ./reports/junit.xml

To save scan results, you can use the --json parameter and pipe the output to jq, a lightweight and flexible command-line JSON processor, like so:

$ drheader scan single https://santander.co.uk --json | jq '.'

In a Project

It is also possible to call drHEADer from within an existing project, and this is achieved like so:

from drheader import Drheader

# create drheader instance
drheader_instance = Drheader(headers={'X-XSS-Protection': '1; mode=block'})

report = drheader_instance.analyze()
print(report)

Customize HTTP method and headers

By default, the tool uses the GET method when making a request, but you can change that by supplying the method argument like this:

# create drheader instance
drheader_instance = Drheader(url="http://test.com", method="POST")

Remember that you can use any method supported by requests, such as POST, PUT, GET and DELETE. This feature is not currently available in the CLI; it will be added in an upcoming release.

At the same time, you can customise the headers sent with the request. For that, pass the request_headers argument:

# create drheader instance
custom_headers = {"token": "1234aerhga"}
drheader_instance = Drheader(url="http://test.com", request_headers=custom_headers)

As we continue development on drHEADer, we will further enhance this functionality.

Other requests arguments

The verify argument supported by requests can be included. The default value is True. Setting it to False disables TLS certificate verification for the scan request, so only do that against targets whose certificates you deliberately do not want checked (for example, a test environment).

# create drheader instance
drheader_instance = Drheader(url="http://test.com", verify=False)

Other arguments may be included in the future such as timeout, allow_redirects or proxies.

Cross-Origin Isolation

The default rules in drHEADer support cross-origin isolation via the Cross-Origin-Embedder-Policy and Cross-Origin-Opener-Policy headers. Due to the potential for this to break websites that have not yet properly configured their sub-resources for cross-origin isolation, these validations are opt-in at analysis time. If you want to enforce these cross-origin isolation validations, you must pass the cross-origin-isolated flag.

Using the CLI:

$ drheader scan single https://example.com --cross-origin-isolated

In a project:

import drheader

drheader_instance = drheader.Drheader(url='https://example.com')
drheader_instance.analyze(cross_origin_isolated=True)

How Do I Customise drHEADer Rules?

DrHEADer relies on a yaml file that defines the policy it will use when auditing security headers. The file is located at ./drheader/rules.yml, and you can customise it to fit your particular needs. Please follow this link if you want to know more.
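As an added illustration of the rule-driven audit this README describes (the analyze() call from the In a Project section, the opt-in cross-origin isolation checks, and a customisable policy), here is a minimal header audit in the same spirit. It is not drHEADer's own engine or its real rules.yml: the POLICY entries, finding messages and SAMPLE_HEADERS are constructed for the example.

```python
# Added illustration, not drheader's own engine: a minimal rule-driven audit
# of response headers. POLICY, the messages and SAMPLE_HEADERS are constructed.
POLICY = {
    # required header with a list of acceptable values
    "X-Frame-Options": {"required": True, "value": ["DENY", "SAMEORIGIN"]},
    "X-Content-Type-Options": {"required": True, "value": ["nosniff"]},
    # required header that must carry a given directive
    "Strict-Transport-Security": {"required": True, "must_contain": ["max-age="]},
    # disclosure header that should be absent
    "Server": {"required": False},
    # opt-in, as with drheader's --cross-origin-isolated flag
    "Cross-Origin-Opener-Policy": {"required": True, "value": ["same-origin"], "opt_in": True},
    "Cross-Origin-Embedder-Policy": {"required": True, "value": ["require-corp"], "opt_in": True},
}


def analyze(headers, cross_origin_isolated=False):
    """Return one finding per policy violation found in the response headers."""
    # Header field names are case-insensitive, so normalise before matching.
    present = {name.lower(): value for name, value in headers.items()}
    findings = []
    for name, rule in POLICY.items():
        if rule.get("opt_in") and not cross_origin_isolated:
            continue  # skipped unless the caller opted in
        value = present.get(name.lower())
        if not rule["required"]:
            if value is not None:
                findings.append({"rule": name, "message": "Header should not be returned", "value": value})
            continue
        if value is None:
            findings.append({"rule": name, "message": "Header not included in response"})
            continue
        allowed = [v.lower() for v in rule.get("value", [])]
        if allowed and value.strip().lower() not in allowed:
            findings.append({"rule": name, "message": "Value does not match security policy",
                             "value": value, "expected": rule["value"]})
        for directive in rule.get("must_contain", []):
            if directive.lower() not in value.lower():
                findings.append({"rule": name, "message": "Must contain " + directive, "value": value})
    return findings


# Constructed response headers with a weak X-Frame-Options, a leaked Server
# banner and no X-Content-Type-Options or Cross-Origin-Embedder-Policy.
SAMPLE_HEADERS = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "ALLOWALL",
    "Server": "nginx",
    "Cross-Origin-Opener-Policy": "same-origin",
}
```

Running analyze(SAMPLE_HEADERS) reports three findings; passing cross_origin_isolated=True adds a fourth for the missing Cross-Origin-Embedder-Policy, mirroring the opt-in behaviour described above.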

Notes

  • On Ubuntu systems you may need to install libyaml-dev to avoid errors about a missing yaml.h.

Roadmap

We have a lot of ideas for drHEADer, and will push often as a result. Some of the things you'll see shortly are:

  • Building on the Python library to make it easier to embed in your own projects.
  • Releasing the API, which is separate from the core library - the API allows you to hit URLs or endpoints at scale
  • Better integration into MiTM proxies.

Who Is Behind It?

DrHEADer was developed by the Santander UK Security Engineering team.
