An application to catch, search and analyze HTTP secure headers.
OWASP SecureHeaders Project
SecureHeaders project consist in two main modules:
HTTP secure headers are resources known to some and despised by others. However it's a fact that the versatility and security provided by feature can help make web applications more secure.
Edit .env
file or set environment variable:
# general settings
## scanner
THREAD_NUMBER=1000
TOPSITES_FILENAME=conf/topsites_global.csv
SENTRY_ENABLED=False
SENTRY_DSN=''
# http settings
ORIGIN=http://a.com
TIMEOUT=3
# mysql settings
MYSQL_USERNAME=root
MYSQL_PASSWORD=password
MYSQL_HOST=localhost
MYSQL_DATABASE=headers
# redis settings
REDIS_HOST=localhost
REDIS_PORT=6379
REDIS_DB=0
REDIS_TTL=60
# http header filters
HEADERS=strict-transport-security,public-key-pins,x-xss-protection,x-frame-options,x-content-type-options,content-security-policy,x-permitted-cross-domain-policies,referrer-policy
# plugins settings
MIME_TYPES=text/html,text/html; charset=utf-8,text/css,text/xml,application/json,image/png,application/javascript,image/jpeg
# python cli.py --help
#
Usage: cli.py [OPTIONS] COMMAND [ARGS]...
Options:
--help Show this message and exit.
Commands:
scanner Owasp SecureHeader scanner.
web Owasp SecureHeader web dashboard
# python cli.py scanner --help
#
Usage: cli.py scanner [OPTIONS]
Owasp SecureHeader scanner.
Options:
--version Show the version and exit.
-f, --file PATH topsites file path. [default:
conf/topsites_global.csv]
-t, --threads INTEGER number of threads. [default: 1000]
--help Show this message and exit.
# python cli.py web --help
#
Usage: cli.py web [OPTIONS] COMMAND
Owasp SecureHeader web dashboard
Options:
--help Show this message and exit.
valid command to start is:
./cli.py web start
docker-compose -f docker-compose.scanner.yml up -d
The scanner module it's responsible to catch all secure headers data from a csv file.
# install virtualevn
#
pip install virtualenv
# create virtualenv locally
#
virtualenv venv
# active virtualenv
#
source venv/bin/activate
# install application dependencies
#
pip install -r requirements.txt
# start application (web interface)
#
python cli.py scanner -f conf/develop.csv
Thread pool 1 (0 - 1000)
[*] connection error for <pclady.com.cn>
[!] site <pclady.com.cn> will be excluded from the analysis
Connections summary
https: 3
http: 2
error: 2
Cleaning database
Tables: [header, site, header_value, header_name]
Populating database...
Table: site
Table: header_value
Table: header_name
Table: header
The SecureHeaers webui provide an easyly way to see and search all data gathering with scanner module. For now it's possible to see a dashboard with main HTTP secure headers documented OWASP web page and also provide a way to search secure headers set in each page analyzed as your adoption by other users.
docker-compose -f docker-compose.dashboard.yml up -d
# install virtualevn
#
pip install virtualenv
# create virtualenv locally
#
virtualenv venv
# active virtualenv
#
source venv/bin/activate
# install application dependencies
#
pip install -r requirements.txt
# start application (web interface)
#
python cli.py web start
starting web dashboard...
[*] application started on: http://localhost:5000/
[*] press any key to stop...
See the wiki page to see more about how to use, contribute and much more.