{"id":29258242,"url":"https://github.com/opensecurity/httparmor","last_synced_at":"2025-09-13T07:41:26.294Z","repository":{"id":298996865,"uuid":"1001729424","full_name":"opensecurity/httparmor","owner":"opensecurity","description":"secure HTTP headers generator","archived":false,"fork":false,"pushed_at":"2025-06-14T02:57:45.000Z","size":13,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-06-14T03:37:19.038Z","etag":null,"topics":["apache","content-security-policy","cross-origin","csp","generator","headers","nginx","permissions-policy","security","security-headers","spa","static-site","strict-transport-security"],"latest_commit_sha":null,"homepage":"https://opensecurity.github.io/httparmor/","language":"HTML","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/opensecurity.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2025-06-13T22:49:02.000Z","updated_at":"2025-06-14T03:08:09.000Z","dependencies_parsed_at":"2025-06-14T03:47:28.943Z","dependency_job_id":null,"html_url":"https://github.com/opensecurity/httparmor","commit_stats":null,"previous_names":["opensecurity/httparmor"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/opensecurity/httparmor","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/opensecurity%2Fhttparmor","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/opensecurity%2Fhttparmor/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories
/opensecurity%2Fhttparmor/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/opensecurity%2Fhttparmor/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/opensecurity","download_url":"https://codeload.github.com/opensecurity/httparmor/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/opensecurity%2Fhttparmor/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":263457104,"owners_count":23469279,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["apache","content-security-policy","cross-origin","csp","generator","headers","nginx","permissions-policy","security","security-headers","spa","static-site","strict-transport-security"],"created_at":"2025-07-04T06:00:42.876Z","updated_at":"2025-07-04T06:02:16.241Z","avatar_url":"https://github.com/opensecurity.png","language":"HTML","readme":"# HttpArmor\n\nA zero-dependency, client-side application for generating robust and secure HTTP headers based on current web security best practices.\n\n**Live Application: [https://opensecurity.github.io/httparmor/](https://opensecurity.github.io/httparmor/)**\n\n---\n\n## Core Features\n\n-   **Comprehensive Header Generation**: Configure Content-Security-Policy, Permissions-Policy, Strict-Transport-Security, Cross-Origin Policies, and other security-hardening headers.\n-   **Real-Time Validation \u0026 Guidance**: The interface provides immediate feedback on invalid directive values and offers security recommendations to prevent misconfigurations.\n-   
**Application Presets**: Start with secure-by-default configurations for common application archetypes like Single Page Applications (SPAs), static websites, or WordPress.\n-   **Purely Client-Side**: No data is sent to any server. All generation and validation happens in the browser, ensuring privacy and instantaneous results.\n-   **Configuration Export**: Copy the complete header set with one click for direct use in your web server configuration.\n\n## Usage\n\n1.  **Navigate** to the [HttpArmor application](https://opensecurity.github.io/httparmor/).\n2.  **Select a Preset**: Choose a starting template (e.g., \"Modern SPA\") that most closely matches your application.\n3.  **Customize Directives**: Manually enable, disable, or modify header values in the configuration panels. Invalid inputs will be flagged immediately.\n4.  **Review Guidance**: Observe the guidance panels for real-time recommendations and warnings about potentially insecure configurations (e.g., use of `'unsafe-inline'`).\n5.  **Copy \u0026 Deploy**: Click the \"Copy\" button to copy all active headers to your clipboard. Paste them into your web server's configuration file.\n\n---\n\n## Server Configuration Examples\n\nThe generated output is a list of HTTP headers. Below are examples of how to implement them in common web servers.\n\n### NGINX\n\nAdd the generated headers inside a `server` or `location` block in your `nginx.conf` or site-specific configuration file.\n\n```nginx\n# /etc/nginx/sites-available/your-site.conf\n\nserver {\n    listen 443 ssl http2;\n    listen [::]:443 ssl http2;\n    server_name your-domain.com;\n\n    # ... 
other configurations (ssl_certificate, etc.)\n\n    # Add Generated Headers Here\n    add_header Content-Security-Policy \"default-src 'self'; script-src 'self'; ...\";\n    add_header Strict-Transport-Security \"max-age=63072000; includeSubDomains\";\n    add_header X-Content-Type-Options \"nosniff\";\n    add_header Referrer-Policy \"strict-origin-when-cross-origin\";\n    # ... etc.\n\n    location / {\n        # ... proxy_pass or root directives\n    }\n}\n```\n\n### Apache\n\nAdd the generated headers to your `.htaccess` file or virtual host configuration (`\u003cVirtualHost\u003e`) using the `Header` directive. Ensure `mod_headers` is enabled.\n\n```apache\n# /var/www/html/.htaccess\n# Requires mod_headers to be enabled: a2enmod headers\n\nHeader set Content-Security-Policy \"default-src 'self'; script-src 'self'; ...\"\nHeader set Strict-Transport-Security \"max-age=63072000; includeSubDomains\"\nHeader set X-Content-Type-Options \"nosniff\"\nHeader set Referrer-Policy \"strict-origin-when-cross-origin\"\n# ... etc.\n```\n\n-----\n\n## Available Presets\n\n  - **Secure Default**: A strict, general-purpose configuration suitable for most modern web applications that do not use inline scripts or styles.\n  - **Modern SPA**: A preset tailored for Single Page Applications (e.g., React, Vue, Angular) which may require specific style or image source allowances.\n  - **Static Site**: A highly restrictive policy suitable for simple HTML/CSS/JS websites with no complex scripts or external dependencies.\n  - **WordPress**: A more permissive configuration to accommodate the common use of inline scripts and styles found in the WordPress ecosystem and its plugins.\n\n## Local Development\n\nNo build process is required. 
To run this application locally, clone the repository and serve the files with any simple web server.\n\n```sh\n# Clone the repository\ngit clone https://github.com/opensecurity/httparmor\ncd httparmor\n```\n\nOpen index.html with your browser.\n\n-----\n\n## Author\n\n**Lucian BLETAN**\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopensecurity%2Fhttparmor","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fopensecurity%2Fhttparmor","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fopensecurity%2Fhttparmor/lists"}