{"id":13405596,"url":"https://github.com/gildasio/h2t","last_synced_at":"2025-03-14T10:31:06.332Z","repository":{"id":49371459,"uuid":"174434588","full_name":"gildasio/h2t","owner":"gildasio","description":"h2t (HTTP Hardening Tool) scans a website and suggests security headers to apply","archived":false,"fork":false,"pushed_at":"2022-12-08T01:40:59.000Z","size":767,"stargazers_count":387,"open_issues_count":3,"forks_count":36,"subscribers_count":10,"default_branch":"master","last_synced_at":"2024-07-31T19:46:39.507Z","etag":null,"topics":["defense","hardening","headers","http","security","web-application-security"],"latest_commit_sha":null,"homepage":"https://certbahia.pop-ba.rnp.br/projects/h2t/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/gildasio.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2019-03-07T23:10:46.000Z","updated_at":"2024-07-28T18:43:15.000Z","dependencies_parsed_at":"2023-01-24T21:00:56.285Z","dependency_job_id":null,"html_url":"https://github.com/gildasio/h2t","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gildasio%2Fh2t","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gildasio%2Fh2t/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gildasio%2Fh2t/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/gildasio%2Fh2t/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/gildasio","download_url":"https://codeload.github.com/gildasio/h2t/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":221458093,"owners_count":16825271,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["defense","hardening","headers","http","security","web-application-security"],"created_at":"2024-07-30T19:02:06.222Z","updated_at":"2025-03-14T10:31:06.326Z","avatar_url":"https://github.com/gildasio.png","language":"Python","readme":"# h2t - HTTP Hardening Tool\n\n## Description\n\n**h2t** is a simple tool to help sysadmins to hardening their websites.\n\nUntil now **h2t** checks the website headers and recommends how to make it better.\n\n## Dependences\n\n* [Python 3](https://www.python.org/download/releases/3.0/)\n* [colorama](https://github.com/tartley/colorama)\n* [requests](http://docs.python-requests.org/en/master/)\n\n## Install\n\n~~~\n$ git clone https://github.com/gildasio/h2t\n$ cd h2t\n$ pip install -r requirements.txt\n$ ./h2t.py -h\n~~~\n\n... or the Docker way:\n~~~\n$ git clone https://github.com/gildasio/h2t\n$ cd h2t\n$ docker build -t h2t .\n$ docker run --rm h2t -h\n~~~\n\nYou also can put `alias h2t='docker run --rm h2t'` on a file (such as `~/.bash_aliases`) and run as follows:\n\n~~~\n$ h2t -h\n~~~\n\n## Usage\n\n**h2t** has subcommands: *list* and *scan*.\n\n~~~\n$ ./h2t.py -h\nusage: h2t.py [-h] {list,l,scan,s} ...\n\nh2t - HTTP Hardening Tool\n\npositional arguments:\n  {list,l,scan,s}  sub-command help\n    list (l)       show a list of available headers in h2t catalog (that can\n                   be used in scan subcommand -H option)\n    scan (s)       scan url to hardening headers\n\noptional arguments:\n  -h, --help       show this help message and exit\n~~~\n\n### List Subcommand\n\nThe **list** subcommand lists all headers cataloged in **h2t** and can show informations about it as a description, links for more information and for how to's.\n\n~~~\n$ ./h2t.py list -h\nusage: h2t.py list [-h] [-p PRINT [PRINT ...]] [-B]\n                   [-a | -H HEADERS [HEADERS ...]]\n\noptional arguments:\n  -h, --help            show this help message and exit\n  -p PRINT [PRINT ...], --print PRINT [PRINT ...]\n                        a list of additional information about the headers to\n                        print. For now there are two options: description and\n                        refs (you can use either or both)\n  -B, --no-banner       don't print the h2t banner\n  -a, --all             list all available headers [default]\n  -H HEADERS [HEADERS ...], --headers HEADERS [HEADERS ...]\n                        a list of headers to look for in the h2t catalog\n~~~\n\n### Scan Subcommand\n\nThe **scan** subcommand perform a scan in a website looking for their headers.\n\n~~~\n$ ./h2t.py scan -h\nusage: h2t.py scan [-h] [-v] [-a] [-g] [-b] [-H HEADERS [HEADERS ...]]\n                   [-p PRINT [PRINT ...]]\n                   [-i IGNORE_HEADERS [IGNORE_HEADERS ...]] [-B] [-E] [-n]\n                   [-u USER_AGENT] [-r | -s]\n                   url\n\npositional arguments:\n  url                   url to look for\n\noptional arguments:\n  -h, --help            show this help message and exit\n  -v, --verbose         increase output verbosity: -v print response headers,\n                        -vv print response and request headers\n  -a, --all             scan all cataloged headers [default]\n  -g, --good            scan good headers only\n  -b, --bad             scan bad headers only\n  -H HEADERS [HEADERS ...], --headers HEADERS [HEADERS ...]\n                        scan only these headers (see available in list sub-\n                        command)\n  -p PRINT [PRINT ...], --print PRINT [PRINT ...]\n                        a list of additional information about the headers to\n                        print. For now there are two options: description and\n                        refs (you can use either or both)\n  -i IGNORE_HEADERS [IGNORE_HEADERS ...], --ignore-headers IGNORE_HEADERS [IGNORE_HEADERS ...]\n                        a list of headers to ignore in the results\n  -B, --no-banner       don't print the h2t banner\n  -E, --no-explanation  don't print the h2t output explanation\n  -o {normal,csv,json}, --output {normal,csv,json}\n                        choose which output format to use (available: normal,\n                        csv, json)\n  -n, --no-redirect     don't follow http redirects\n  -u USER_AGENT, --user-agent USER_AGENT\n                        set user agent to scan request\n  -k, --insecure        don't verify SSL certificate as valid\n  -r, --recommendation  output only recommendations [default]\n  -s, --status          output actual status (eg: existent headers only)\n~~~\n\n### Output\n\nFor now the output is only in normal mode. Understant it as follows:\n\n* \u003cspan style=\"color: red;\"\u003e[+]\u003c/span\u003e Red Headers are bad headers that open a breach on your website or maybe show a lots of information. We recommend fix it.\n* \u003cspan style=\"color: yellow;\"\u003e[+]\u003c/span\u003e Yellow Headers are good headers that is not applied on your website. We recommend apply them.\n* \u003cspan style=\"color: green\"\u003e[-]\u003c/span\u003e Green Headers are good headers that is already used in your website. It's shown when use `-s` flag.\n\nExample:\n\n![h2t agains hack.me](docs/hackme.png)\n\n* Cookie HTTP Only would be good to be applied\n* Cookie over SSL/TLS would be good to be applied\n* Server header would be good to be removed\n* Referrer-Policy would be good to be applied\n* X-Frame-Options is already in use, nothing to do here\n* X-XSS-Protection is already in use, nothing to do here\n\n### Screenshots\n\n#### List h2t catalog\n\n![h2t catalog](docs/list.png)\n\n#### Scan from file\n\n![h2t against my website](docs/gildasio.png)\n\n#### Scan url\n\n![h2t against hackme](docs/hackme.png)\n\n#### Scan verbose\n\n![h2t against my website in verbose mode](docs/gildasio_verbose.png)\n\n#### Headers information\n\n![h2t against my website and print headers information](docs/gildasio_header_info.png)\n\n## Contribute\n\nFor contribute guidelines look at [CONTRIBUTING](CONTRIBUTING.md)\n","funding_links":[],"categories":["Python","\u003ca name=\"security\"\u003e\u003c/a\u003esecurity","Python (1887)","\u003ca id=\"8f92ead9997a4b68d06a9acf9b01ef63\"\u003e\u003c/a\u003e扫描器\u0026\u0026安全扫描\u0026\u0026App扫描\u0026\u0026漏洞扫描","\u003ca id=\"132036452bfacf61471e3ea0b7bf7a55\"\u003e\u003c/a\u003e工具","security","🔒 Security","Web"],"sub_categories":["\u003ca id=\"de63a029bda6a7e429af272f291bb769\"\u003e\u003c/a\u003e未分类-Scanner","☸️ Kubernetes","Web Exploitation"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgildasio%2Fh2t","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fgildasio%2Fh2t","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fgildasio%2Fh2t/lists"}