HTTP Headers Analyzer
"A journey of a thousand miles begins with a single step. - Lao Tzu"
"And if you don't keep your feet, there's no knowing where you might be swept off to. - Bilbo Baggins"
Features
Screenshots
Installation & Update
Usage
Advanced Usage
Checks: Missing Headers
Checks: Fingerprint Headers
Checks: Deprecated Headers and Insecure Values
Checks: Empty Values
Guidelines included
To-Do
Further Reading
Contribute
Acknowledgements
License
✔️ 14 checks of missing HTTP response headers.
✔️ 1044 checks of fingerprinting through HTTP response headers.
✔️ 92 checks of deprecated HTTP response headers/protocols or with insecure/wrong values.
✔️ SSL/TLS checks: requires https://testssl.sh/ and Unix machine.
✔️ Browser support references for enabled HTTP security headers.
✔️ Two types of analysis: brief and detailed, along with HTTP response headers.
✔️ Can export each analysis to CSV, HTML5, JSON, PDF 1.4 and TXT (and in the PATH of your choice).
✔️ Each detailed analysis may include up to dozens of official links, references and technical articles.
✔️ i10n: can display each analysis, the messages and almost all errors in English or Spanish.
✔️ Saves each analysis, showing at the end the improvements or deficiencies in relation to the last one.
✔️ Can display analysis statistics: either against a specific URL or all of them.
✔️ Can display fingerprint statistics: either against a specific term or the Top 20.
✔️ Code reviewed via Bandit, Flake8, SonarLint, Sourcery and vermin.
✔️ Tested, one by one, on thousands of URLs.
✔️ Fully tested and working on (at least) Windows 10 20H2 - 19042.985 and Kali Linux 2021.1.
✔️ Almost all the code under one of the most permissive licenses: MIT.
✔️ Regularly updated.
✔️ Official tool in OWASP Secure Headers Project and Kali Linux (this should be the latest Release).
✔️ Developed entirely in my spare time, no strings attached: feel free to try it out and integrate it into your projects!.
✔️ And with the approval of an AI :)!.
.: (Windows) - Brief analysis.
.: (Linux) - Brief analysis and retrieved HTTP headers.
.: (Linux) - Detailed analysis in Spanish.
.: (Linux) - TLS/SSL checks (requires https://testssl.sh/ and Unix machine, for now!).
Options used: -f -g -p -U -s --hints
.: (Linux) - List of HTTP fingerprint headers based on a specific term.
.: (Linux) - Brief analysis saved as CSV. Example.
.: (Windows) - Detailed analysis saved as PDF. Example.
.: (Linux) - Detailed analysis saved as HTML. Example.
.: (Linux) - Brief analysis saved as JSON. Example.
.: (Linux) - Analysis history file: Date, URL, Missing, Fingerprint, Deprecated/Insecure, Empty headers & Total warnings (the four previous totals).
.: (Linux) - Statistics of the analysis performed against a specific URL.
.: (Linux) - Statistics of the analysis performed against all URLs.
NOTE: Python 3.9 or higher is required.
# install python3 and python3-pip if not exist
(Windows) https://www.python.org/downloads/windows/
(Linux) if not installed by default, install them via, e.g. Synaptic, apt, dnf, yum ...
# install git
(Windows) https://git-scm.com/download/win
(Linux) https://git-scm.com/download/linux
# clone the repository
$ git clone https://github.com/rfc-st/humble.git
# change the working directory to humble
$ cd humble
# install the requirements
$ pip3 install -r requirements.txt
# update humble (every week, inside humble's working directory)
$ git pull
# or download the latest release (every four to five weeks)
https://github.com/rfc-st/humble/releases
(Windows) $ py humble.py
(Linux) $ python3 humble.py
usage: humble.py [-h] [-a] [-b] [-df] [-e [PATH]] [-f [TERM]] [-g] [-l {es}] [-o {csv,html,json,pdf,txt}] [-op OUTPUT_PATH] [-r] [-u URL] [-v]
humble (HTTP Headers Analyzer) - https://github.com/rfc-st/humble
options:
-h, --help show this help message and exit
-a show statistics of the performed analysis (will be global if '-u' is omitted)
-b show a brief analysis (if omitted, a detailed one will be shown)
-df do not follow redirects (if omitted, the last redirection will be the one analyzed)
-e [PATH] show TLS/SSL checks (requires the PATH of https://testssl.sh/ and Unix machine)
-f [TERM] show fingerprint statistics (will be the Top 20 if "TERM", e.g. "Google", is omitted)
-g show guidelines for securing popular web servers/services
-l {es} the language for displaying analyses, errors and messages (if omitted it will be in English)
-o {csv,html,json,pdf,txt} save analysis to 'scheme_host_port_yyyymmdd.ext' file (csv/json files will contain a brief analysis)
-op OUTPUT_PATH save analysis to OUTPUT_PATH (if omitted, the PATH of 'humble.py' will be used)
-r show HTTP response headers and a detailed analysis ('-b' parameter will take priority)
-u URL scheme, host and port to analyze. E.g. https://google.com
-v, --version show the version of this tool and check for updates
.: (Linux) - Show only the analysis summary.
$ python3 humble.py -u https://www.spacex.com | grep -A 8 "\!." | sed $'1i \n'
.: (Windows, in Spanish) - show only the analysis summary (PowerShell >= 7 required).
$ py humble.py -u https://www.spacex.com -l es | Select-String -Pattern '!.' -Context 1,8 -NoEmphasis
.: (Linux) - Show only the URL, date and analysis summary.
$ python3 humble.py -u https://www.spacex.com | grep -A7 -E "0. Info|\!." | grep -v "^\[1\." | sed 's/[--]//g' | sed -e '/./b' -e :n -e 'N;s/\n$//;tn' | sed $'1i \n'
.: (Linux) - Show only the deprecated headers/protocols and insecure values.
$ python3 humble.py -u https://www.spacex.com | sed '/3. /,/4. /!d' | sed '$d' | sed $'1i \n'
.: (Linux) - Check for HTTP client errors (4XX).
$ python3 humble.py -u https://block.fiverr.com | grep -A1 -B5 'Note : \|Nota : ' --color=never
.: (Linux) - Analyze multiple URLs and save the results as PDFs.
$ datasets=('https://facebook.com' 'https://www.microsoft.com' 'https://www.spacex.com'); for dataset in "${datasets[@]}"; do python3 humble.py -u "$dataset" -o pdf; done
Show / Hide
Cache-Control |
Clear-Site-Data |
Content-Type |
Content-Security-Policy |
Cross-Origin-Embedder-Policy |
Cross-Origin-Opener-Policy |
Cross-Origin-Resource-Policy |
NEL |
Permissions-Policy |
Referrer-Policy |
Strict-Transport-Security |
X-Content-Type-Options |
X-Frame-Options |
X-Permitted-Cross-Domain-Policies |
|
Check this file.
Check this file.
Any HTTP response header.
- Amazon AWS
- Apache HTTP Server
- Cloudflare
- LiteSpeed Web Server
- Microsoft Internet Information Services
- Nginx
- Node.js
- Add more Header/Value checks (only security-oriented)
- Check rfc-st#16 to fix rfc-st#7
- Analyze detailed CSP Directives/Values
- Google Style Python Docstrings and documentation via Sphinx
https://caniuse.com/
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers
https://github.com/search?q=http+headers+analyze
https://github.com/search?q=http+headers+secure
https://github.com/search?q=http+headers+security
https://owasp.org/www-project-secure-headers/
https://securityheaders.com/
https://scotthelme.co.uk/
https://webtechsurvey.com/common-response-headers
https://www.w3.org
- Report a Bug.
- Create a Feature request.
- Report a Security Vulnerability.
- Send me an email with your suggestions!: [email protected]
Thanks for your time! :).
- Azathothas for reporting this bug.
- bulaktm for this suggestion.
- David, for believing in the usefulness of this tool.
- Eduardo, for making possible the first Demo and for the example "(Linux) - Analyze multiple URLs and save the results as PDFs".
- gl4nce for this suggestion.
- İDRİS BUDAK for reporting the need to this check.
- manuel-sommer for this, this and this!.
- stanley101music for this, this and this!.
MIT © 2020-2023 Rafa 'Bluesman' Faura ([email protected])
Original Creator - Rafa 'Bluesman' Faura ([email protected])