{"id":33916738,"url":"https://github.com/bl4ckstack/hedra","last_synced_at":"2026-04-04T12:59:07.669Z","repository":{"id":323906248,"uuid":"1095157037","full_name":"bl4ckstack/hedra","owner":"bl4ckstack","description":"Hedra — Command-line tool to analyze HTTP security headers and detect missing protections like CSP, HSTS, and X-Frame-Options.","archived":false,"fork":false,"pushed_at":"2025-12-04T17:14:01.000Z","size":602,"stargazers_count":8,"open_issues_count":0,"forks_count":2,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-02-19T02:05:58.387Z","etag":null,"topics":["cli","cybersecurity","hedra","http-headers","information-security","pentesting","ruby","rubygems","security","vulnerability-assessment","web-security"],"latest_commit_sha":null,"homepage":"","language":"Ruby","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/bl4ckstack.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-11-12T17:04:31.000Z","updated_at":"2025-12-04T18:14:26.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/bl4ckstack/hedra","commit_stats":null,"previous_names":["bl4ckstack/hedra"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/bl4ckstack/hedra","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bl4ckstack%2Fhedra","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bl4ckstack%2Fhedra/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bl4ckstack%2Fhedra/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bl4ckstack%2Fhedra/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/bl4ckstack","download_url":"https://codeload.github.com/bl4ckstack/hedra/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/bl4ckstack%2Fhedra/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31400460,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-04T10:20:44.708Z","status":"ssl_error","status_checked_at":"2026-04-04T10:20:06.846Z","response_time":60,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cli","cybersecurity","hedra","http-headers","information-security","pentesting","ruby","rubygems","security","vulnerability-assessment","web-security"],"created_at":"2025-12-12T07:29:46.157Z","updated_at":"2026-04-04T12:59:07.663Z","avatar_url":"https://github.com/bl4ckstack.png","language":"Ruby","readme":"# Hedra\n\n[![Ruby](https://img.shields.io/badge/Ruby-3.0%2B-CC342D?style=flat\u0026logo=ruby)](https://www.ruby-lang.org/)\n[![Gem Version](https://img.shields.io/gem/v/hedra?style=flat\u0026logo=rubygems\u0026color=E9573F)](https://rubygems.org/gems/hedra)\n[![License](https://img.shields.io/badge/License-MIT-00A98F?style=flat)](LICENSE)\n[![Downloads](https://img.shields.io/gem/dt/hedra?style=flat\u0026color=blue)](https://rubygems.org/gems/hedra)\n\n\u003e Security header analyzer with SSL/TLS validation, baseline tracking, and CI/CD integration.\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"logo.png\" width=\"380\" alt=\"Hedra Logo\"/\u003e\n\u003c/p\u003e\n\n## Installation\n```bash\ngem install hedra\n```\n\n## Quick Start\n```bash\nhedra scan https://github.com\nhedra audit https://stripe.com --json\nhedra scan -f urls.txt --format html --output report.html\n```\n\n## Commands\n\n### scan\n\nScan URLs for security headers with flexible output options.\n```bash\nhedra scan https://github.com\nhedra scan -f urls.txt --concurrency 20\nhedra scan https://stripe.com --cache --rate 10/s\n```\n\n**Key Options:**\n- `-f, --file FILE` • Read URLs from file\n- `-c, --concurrency N` • Concurrent requests (default: 10)\n- `-t, --timeout N` • Request timeout in seconds (default: 10)\n- `--rate RATE` • Rate limit: 10/s, 100/m, 1000/h\n- `--cache` • Enable response caching\n- `--cache-ttl N` • Cache TTL in seconds (default: 3600)\n- `-o, --output FILE` • Output file\n- `--format FORMAT` • table, json, csv, html (default: table)\n- `--proxy URL` • HTTP/SOCKS proxy\n- `--user-agent STRING` • Custom User-Agent\n- `--save-baseline NAME` • Save results as baseline\n- `--[no-]progress` • Show/hide progress bar\n- `--[no-]check-certificates` • SSL checks (default: enabled)\n- `--[no-]check-security-txt` • RFC 9116 checks\n\n### audit\n\nDeep security audit with detailed recommendations.\n```bash\nhedra audit https://github.com\nhedra audit https://api.stripe.com --json --output report.json\n```\n\n**Options:**\n- `--json` • JSON output format\n- `-o, --output FILE` • Output file\n- `--proxy URL` • HTTP/SOCKS proxy\n- `--user-agent STRING` • Custom User-Agent\n- `-t, --timeout N` • Request timeout\n- `--[no-]check-certificates` • SSL/TLS validation\n- `--[no-]check-security-txt` • security.txt checks\n\n### watch\n\nMonitor security headers periodically.\n```bash\nhedra watch https://myapp.com --interval 3600\n```\n\n**Options:**\n- `--interval N` • Check interval in seconds (default: 3600)\n\n### compare\n\nCompare security headers between environments.\n```bash\nhedra compare https://staging.myapp.com https://myapp.com\n```\n\n### ci_check\n\nCI/CD-friendly check with exit codes and thresholds.\n```bash\nhedra ci_check https://myapp.com --threshold 85\nhedra ci_check -f urls.txt --fail-on-critical\n```\n\n**Options:**\n- `-f, --file FILE` • Read URLs from file\n- `--threshold N` • Minimum score threshold (default: 80)\n- `--fail-on-critical` • Fail on critical issues (default: true)\n\n**Exit Codes:**\n- `0` • All checks passed\n- `1` • Score below threshold or critical issues found\n\n### baseline\n\nTrack security posture changes over time.\n```bash\nhedra baseline list\nhedra baseline compare production-v1 -f urls.txt\nhedra baseline delete production-v1\n```\n\n### cache\n\nManage response cache for faster repeated scans.\n```bash\nhedra cache clear\nhedra cache clear-expired\n```\n\n### plugin\n\nExtend functionality with custom security checks.\n```bash\nhedra plugin list\nhedra plugin install path/to/plugin.rb\nhedra plugin remove plugin_name\n```\n\n## Security Checks\n\n### HTTP Headers Analyzed\n\n| Header | Weight | Purpose |\n|--------|--------|---------|\n| Content-Security-Policy | 25 pts | Prevent XSS and injection attacks |\n| Strict-Transport-Security | 25 pts | Enforce HTTPS connections |\n| X-Frame-Options | 15 pts | Prevent clickjacking |\n| X-Content-Type-Options | 10 pts | Stop MIME-type sniffing |\n| Referrer-Policy | 10 pts | Control referrer information |\n| Permissions-Policy | 5 pts | Manage browser features |\n| Cross-Origin-Opener-Policy | 5 pts | Isolate browsing context |\n| Cross-Origin-Embedder-Policy | 3 pts | Enable cross-origin isolation |\n| Cross-Origin-Resource-Policy | 2 pts | Control resource loading |\n\n### Additional Validations\n\n**SSL/TLS Checks:**\n- Certificate expiry dates\n- Signature algorithm strength\n- Key size validation\n- Chain verification\n- TLS version detection (TLS 1.2/1.3)\n- Certificate Transparency log verification\n\n**Protocol Security:**\n- HTTP/2 and HTTP/3 detection\n- TLS version enforcement\n- Insecure protocol warnings\n\n**CORS Security:**\n- Access-Control-Allow-Origin validation\n- Wildcard and null origin detection\n- Credentials with wildcard prevention\n- Dangerous HTTP methods detection\n- Sensitive header exposure checks\n\n**Subresource Integrity (SRI):**\n- External script/stylesheet SRI validation\n- Crossorigin attribute verification\n- Same-origin resource detection\n\n**DNS Security:**\n- DNSSEC validation\n- CAA (Certificate Authority Authorization) records\n- DNS-based security policy enforcement\n\n**RFC 9116:**\n- security.txt file presence and format\n\n### Scoring System\n\n**Base:** 100 points from header weights\n\n**Penalties:**\n- Critical issue: -20 points\n- Warning: -10 points\n- Info: -5 points\n\n## Configuration\n\nCreate `~/.hedra/config.yml`:\n```yaml\n# HTTP settings\ntimeout: 10\nconcurrency: 10\nuser_agent: \"Hedra/2.0.0\"\nfollow_redirects: true\nmax_retries: 3\n\n# Performance\ncache_enabled: false\ncache_ttl: 3600\nrate_limit: \"10/s\"\n\n# Security checks\ncheck_certificates: true\ncheck_security_txt: false\n\n# Output\noutput_format: \"table\"\nprogress_bar: true\n\n# Circuit breaker\ncircuit_breaker_threshold: 5\ncircuit_breaker_timeout: 60\n```\n\n## Custom Rules\n\nDefine organization-specific policies in `~/.hedra/rules.yml`:\n```yaml\nrules:\n  - header: \"X-Custom-Security\"\n    type: missing\n    severity: warning\n    message: \"Custom security header is missing\"\n    fix: \"Add X-Custom-Security: enabled\"\n    \n  - header: \"Server\"\n    type: pattern\n    pattern: \"^(Apache|nginx)\"\n    severity: info\n    message: \"Server header exposes software version\"\n    fix: \"Remove or obfuscate Server header\"\n```\n\n**Rule Types:**\n- `missing` • Header should be present\n- `pattern` • Header value must match regex\n\n**Severity Levels:**\n- `critical` • -20 points, immediate action required\n- `warning` • -10 points, should be addressed\n- `info` • -5 points, best practice\n\n## Plugin System\n\nCreate custom checks in `~/.hedra/plugins/`:\n```ruby\n# ~/.hedra/plugins/corporate_policy.rb\nmodule Hedra\n  class CorporatePolicyPlugin \u003c Plugin\n    def self.check(headers)\n      findings = []\n      \n      # Enforce corporate header\n      unless headers.key?('x-corp-security')\n        findings \u003c\u003c {\n          header: 'x-corp-security',\n          issue: 'Corporate security header missing',\n          severity: :critical,\n          recommended_fix: 'Add X-Corp-Security: v2'\n        }\n      end\n      \n      # Check version disclosure\n      if headers['server']\u0026.match?(/\\d+\\.\\d+/)\n        findings \u003c\u003c {\n          header: 'server',\n          issue: 'Server version exposed',\n          severity: :warning,\n          recommended_fix: 'Remove version from Server header'\n        }\n      end\n      \n      findings\n    end\n  end\nend\n```\n\n**Management:**\n```bash\nhedra plugin install ~/.hedra/plugins/corporate_policy.rb\nhedra plugin list\nhedra plugin remove corporate_policy\n```\n\n## CI/CD Integration\n\n### GitHub Actions\n```yaml\nname: Security Headers Check\n\non: [push, pull_request]\n\njobs:\n  security-scan:\n    runs-on: ubuntu-latest\n    steps:\n      - uses: actions/checkout@v3\n      \n      - name: Setup Ruby\n        uses: ruby/setup-ruby@v1\n        with:\n          ruby-version: '3.2'\n      \n      - name: Install Hedra\n        run: gem install hedra\n      \n      - name: Run Security Check\n        run: hedra ci_check ${{ secrets.APP_URL }} --threshold 85\n      \n      - name: Generate HTML Report\n        if: always()\n        run: hedra scan ${{ secrets.APP_URL }} --output report.html --format html\n      \n      - name: Upload Report\n        if: always()\n        uses: actions/upload-artifact@v3\n        with:\n          name: security-report\n          path: report.html\n```\n\n### GitLab CI\n```yaml\nsecurity_headers:\n  image: ruby:3.2\n  script:\n    - gem install hedra\n    - hedra ci_check $APP_URL --threshold 85\n    - hedra scan $APP_URL --output report.json --format json\n  artifacts:\n    reports:\n      junit: report.json\n    paths:\n      - report.json\n  only:\n    - merge_requests\n    - main\n```\n\n### Jenkins Pipeline\n```groovy\npipeline {\n    agent any\n    \n    stages {\n        stage('Security Headers') {\n            steps {\n                sh 'gem install hedra'\n                sh 'hedra ci_check ${APP_URL} --threshold 85'\n            }\n        }\n    }\n    \n    post {\n        always {\n            sh 'hedra scan ${APP_URL} --output report.html --format html'\n            publishHTML([\n                reportDir: '.',\n                reportFiles: 'report.html',\n                reportName: 'Security Report'\n            ])\n        }\n    }\n}\n```\n\n## Export Formats\n\n### Table (Default)\n```bash\nhedra scan https://github.com\n```\n\nClean, colored terminal output with scores and recommendations.\n\n### JSON\n```bash\nhedra scan https://stripe.com --output report.json --format json\n```\n\nStructured data for automation and parsing.\n\n### CSV\n```bash\nhedra scan -f urls.txt --output report.csv --format csv\n```\n\nImport into spreadsheets for analysis and tracking.\n\n### HTML\n```bash\nhedra scan -f urls.txt --output report.html --format html\n```\n\nInteractive report with sorting, filtering, and charts.\n\n## Advanced Security Checks\n\n### Subresource Integrity (SRI)\nValidates that external scripts and stylesheets use SRI attributes to prevent tampering:\n```bash\nhedra scan https://myapp.com --check-sri\n```\n\n**Checks:**\n- External resources without integrity attributes\n- Missing crossorigin attributes\n- Same-origin vs cross-origin detection\n\n### CORS Policy Analysis\nValidates Cross-Origin Resource Sharing configuration for security issues:\n```bash\nhedra scan https://api.myapp.com --check-cors\n```\n\n**Detects:**\n- Wildcard origins with credentials (critical vulnerability)\n- Null origin allowance\n- Insecure HTTP origins\n- Dangerous HTTP methods (TRACE, TRACK)\n- Overly permissive configurations\n- Sensitive header exposure\n\n### Protocol Version Detection\nChecks HTTP and TLS protocol versions:\n```bash\nhedra scan https://myapp.com --check-protocol\n```\n\n**Validates:**\n- HTTP/1.1 vs HTTP/2 vs HTTP/3\n- TLS 1.2/1.3 enforcement\n- Deprecated protocol detection (SSLv3, TLS 1.0/1.1)\n- Protocol upgrade recommendations\n\n### Certificate Transparency\nVerifies certificates are logged in CT logs:\n```bash\nhedra audit https://myapp.com --check-ct\n```\n\n**Checks:**\n- SCT (Signed Certificate Timestamp) presence\n- Multiple independent CT logs\n- SCT delivery methods (extension, OCSP, TLS)\n\n### DNS Security\nValidates DNS-level security features:\n```bash\nhedra audit https://myapp.com --check-dns\n```\n\n**Validates:**\n- DNSSEC enablement\n- CAA records for certificate issuance control\n- CAA tags (issue, issuewild, iodef)\n- DNS-based security policies\n\n### Combined Advanced Scan\nRun all advanced checks together:\n```bash\nhedra audit https://myapp.com \\\n  --check-sri \\\n  --check-cors \\\n  --check-protocol \\\n  --check-ct \\\n  --check-dns \\\n  --output comprehensive-report.json\n```\n\n## Real-World Examples\n\n### Basic Security Audit\n```bash\nhedra scan https://myapp.com\n```\n\n### Comprehensive Security Audit with All Checks\n```bash\nhedra audit https://myapp.com \\\n  --check-sri \\\n  --check-ct \\\n  --check-dns \\\n  --json \\\n  --output full-audit.json\n```\n\n### Quick CORS and Protocol Check\n```bash\nhedra scan https://api.myapp.com \\\n  --check-cors \\\n  --check-protocol\n```\n\n### Production Deployment Check\n```bash\n# Save baseline after deployment\nhedra scan -f production-urls.txt --save-baseline prod-v2.1.0\n\n# Compare before next deployment\nhedra baseline compare prod-v2.1.0 -f production-urls.txt\n```\n\n### High-Volume Scanning\n```bash\n# Scan 1000 URLs with rate limiting and caching\nhedra scan -f large-list.txt \\\n  --concurrency 50 \\\n  --rate 20/s \\\n  --cache \\\n  --output results.json \\\n  --format json\n```\n\n### Continuous Monitoring\n```bash\n# Check every hour\nhedra watch https://api.myapp.com --interval 3600\n```\n\n### Environment Comparison\n```bash\nhedra compare https://staging.myapp.com https://myapp.com\n```\n\n### Proxy-Based Testing\n```bash\n# Route through Burp Suite\nhedra scan https://target.com --proxy http://127.0.0.1:8080\n```\n\n### Custom User-Agent\n```bash\nhedra scan https://myapp.com --user-agent \"Mozilla/5.0 (iPhone; CPU iPhone OS 14_0)\"\n```\n\n## Performance Tuning\n\n### Caching Strategy\n```bash\n# Enable caching for repeated scans\nhedra scan -f urls.txt --cache --cache-ttl 7200\n\n# Clear cache when needed\nhedra cache clear\n```\n\n### Rate Limiting\n```bash\n# Conservative approach\nhedra scan -f urls.txt --rate 10/s --concurrency 5\n\n# Aggressive scanning\nhedra scan -f urls.txt --rate 100/s --concurrency 50\n```\n\n### Timeout Configuration\n```bash\n# Fast scan for responsive servers\nhedra scan -f urls.txt --timeout 5\n\n# Patient scan for slow servers\nhedra scan -f urls.txt --timeout 30\n```\n\n## Development\n```bash\n# Clone and setup\ngit clone https://github.com/blackstack/hedra.git\ncd hedra\nbundle install\n\n# Run tests\nbundle exec rspec\n\n# Check code style\nbundle exec rubocop\n\n# Build gem\nrake build\ngem install pkg/hedra-*.gem\n```\n\n## Troubleshooting\n\n### SSL Certificate Errors\n```bash\n# Skip certificate validation\nhedra scan https://self-signed.badssl.com --no-check-certificates\n```\n\n### Rate Limiting Issues\n```bash\n# Reduce load on target server\nhedra scan -f urls.txt --concurrency 1 --rate 1/s\n```\n\n### Timeout Problems\n```bash\n# Increase timeout for slow servers\nhedra scan https://slow-server.com --timeout 60\n```\n\n## Resources\n\n**GitHub:** https://github.com/bl4ckstack/hedra  \n**RubyGems:** https://rubygems.org/gems/hedra  \n**Issues:** https://github.com/bl4ckstack/hedra/issues  \n**OWASP Headers:** https://owasp.org/www-project-secure-headers/\n\n## License\n\nMIT License - see [LICENSE](LICENSE) for details.\n\n---\n","funding_links":[],"categories":["Ruby"],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbl4ckstack%2Fhedra","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fbl4ckstack%2Fhedra","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fbl4ckstack%2Fhedra/lists"}