{"id":45896907,"url":"https://github.com/vigneshoffsec/http-header-analyzer","last_synced_at":"2026-02-27T21:01:00.219Z","repository":{"id":324154367,"uuid":"1096186574","full_name":"vigneshoffsec/http-header-analyzer","owner":"vigneshoffsec","description":"A Python-based HTTP security header analyzer that identifies weak or missing policies (CSP, HSTS, XFO, etc.) and generates OWASP-aligned remediation reports.","archived":false,"fork":false,"pushed_at":"2025-11-14T04:25:07.000Z","size":1995,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2025-11-14T05:35:38.369Z","etag":null,"topics":["appsec","blue-team","http-security","owasp","pentesting","python","secure-configuration","security-automation","security-headers","web-security"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/vigneshoffsec.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-11-14T03:56:01.000Z","updated_at":"2025-11-14T04:25:10.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/vigneshoffsec/http-header-analyzer","commit_stats":null,"previous_names":["vigneshoffsec/http-header-analyzer"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/vigneshoffsec/http-header-analyzer","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vigneshoffsec%2Fhttp-header-analyzer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vigneshoffsec%2Fhttp-header-analyzer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vigneshoffsec%2Fhttp-header-analyzer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vigneshoffsec%2Fhttp-header-analyzer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/vigneshoffsec","download_url":"https://codeload.github.com/vigneshoffsec/http-header-analyzer/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/vigneshoffsec%2Fhttp-header-analyzer/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":29913643,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-02-27T19:37:42.220Z","status":"ssl_error","status_checked_at":"2026-02-27T19:37:41.463Z","response_time":57,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["appsec","blue-team","http-security","owasp","pentesting","python","secure-configuration","security-automation","security-headers","web-security"],"created_at":"2026-02-27T21:00:58.164Z","updated_at":"2026-02-27T21:01:00.213Z","avatar_url":"https://github.com/vigneshoffsec.png","language":"Python","readme":"# 🛡️ HTTP Header Analyzer (Advanced AppSec Tool)\n\nA Python-based **HTTP security header auditing tool** that identifies weak or missing security headers across one or more web applications.\nIt generates **OWASP-aligned remediation guidance**, severity ratings, and exports **JSON + HTML reports** suitable for AppSec teams, vulnerability assessments, and developer handoff.\n\nThis tool automates the security header review process and accelerates security assessments.\n\n---\n\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"assets/HTTP Header Analyzer.png\" width=\"600\"\u003e\n\u003c/p\u003e\n\u003cbr\u003e\n\u003cp align=\"center\"\u003e\n  \u003cimg src=\"https://img.shields.io/badge/status-active-brightgreen\"\u003e\n  \u003cimg src=\"https://img.shields.io/badge/language-python-blue\"\u003e\n  \u003cimg src=\"https://img.shields.io/badge/type-offensive%20security-red\"\u003e\n  \u003cimg src=\"https://img.shields.io/badge/license-MIT-yellow\"\u003e\n\u003c/p\u003e\n\n# 📂 Project Structure\n\n```\nhttp-header-analyzer/\n│── src/\n│   └── header_analyzer.py\n│── reports/\n│   └── .gitkeep\n│── wordlists/\n│   └── .gitkeep\n│── README.md\n│── LICENSE\n```\n\n---\n\n# 🚀 Features\n\n### ✔ Full Security Header Evaluation\n\nChecks for the industry-standard security headers:\n\n* **Content-Security-Policy (CSP)**\n* **Strict-Transport-Security (HSTS)**\n* **X-Frame-Options**\n* **X-Content-Type-Options**\n* **Referrer-Policy**\n* **Permissions-Policy**\n\n### ✔ OWASP-Aligned Remediation\n\nEach missing header includes:\n\n* Severity (HIGH / MEDIUM / LOW)\n* Description\n* Recommended fix aligned with OWASP best practices\n\n### ✔ Multi-Target Scanning\n\nScan:\n\n* A single URL\n* Multiple URLs\n* A `.txt` file containing URLs\n\n### ✔ JSON + HTML Reporting\n\nAutomatically generates:\n\n* JSON report (`header-report-*.json`)\n* HTML report (`header-report-*.html`)\n\nIdeal for client deliverables.\n\n### ✔ Colorized CLI Output\n\nClear and readable terminal output with severity-based highlighting.\n\n### ✔ Domain Normalization\n\nURLs automatically corrected to `https://` when needed.\n\n---\n\n# 🧪 Usage\n\n### **Scan a Single Target**\n\n```bash\npython3 src/header_analyzer.py https://example.com\n```\n\n### **Scan Multiple Targets**\n\n```bash\npython3 src/header_analyzer.py https://site1.com https://site2.org https://site3.net\n```\n\n### **Scan from URL List File**\n\n`targets.txt`:\n\n```\nhttps://example.com\nhttps://app.test.com\nhttps://login.internal\n```\n\nRun:\n\n```bash\npython3 src/header_analyzer.py targets.txt\n```\n\n---\n\n# 📤 Example Console Output\n\n```\n=== https://example.com ===\nStatus: 200\n\n[+] Content-Security-Policy (OK)\n[-] Strict-Transport-Security MISSING | Severity: HIGH\n[-] X-Frame-Options MISSING | Severity: MEDIUM\n```\n\n---\n\n# 🧾 Example Report Files\n\nInside `/reports/`:\n\n```\nheader-report-20251114-153210.json\nheader-report-20251114-153210.html\n```\n\n---\n\n# 🛠 How It Works (Internals)\n\n### 1. Normalize URL\n\nEnsures `http://` or `https://` prefix is applied automatically.\n\n### 2. Fetch HTTP Response\n\nUses a modern User-Agent and timeout protection.\n\n### 3. Header Evaluation\n\nFor each of the 6 key security headers:\n\n* Check presence\n* Identify severity\n* Provide OWASP remediation text\n\n### 4. Structured Results\n\nStores:\n\n* Present headers\n* Missing headers\n* Raw header dump\n* Status code\n\n### 5. Report Generation\n\nCreates:\n\n* JSON structured report\n* HTML formatted table with severity coloring\n\n---\n\n# 📈 Severity Ratings\n\n| Severity   | Meaning                                                       |\n| ---------- | ------------------------------------------------------------- |\n| **HIGH**   | Critical header missing; high exploitability (CSP, HSTS)      |\n| **MEDIUM** | Important but not critical (XFO, X-Content-Type-Options)      |\n| **LOW**    | Best-practice hardening (Referrer-Policy, Permissions-Policy) |\n\n---\n\n# 🧩 OWASP Remediation Mapping\n\nThe tool follows OWASP best practices for headers:\n\n* **CSP:** Prevents XSS \u0026 injection\n* **HSTS:** Prevents downgrade attacks\n* **XFO:** Stops clickjacking\n* **XCTO:** Prevents MIME sniffing\n* **Referrer-Policy:** Reduces data leakage\n* **Permissions-Policy:** Restricts browser features\n\n---\n\n# 📌 Example HTML Report Preview\n\n(Automatically generated)\n\n```\n+--------------------------------------------------------------+\n|               HTTP Security Header Report                    |\n+--------------------------------------------------------------+\n| URL: https://example.com                                     |\n| Status: 200                                                  |\n|--------------------------------------------------------------|\n| Missing Headers:                                             |\n|    HSTS – HIGH severity – remediation text...                |\n|    X-Frame-Options – MEDIUM severity – remediation text...   |\n| Present Headers:                                             |\n|    Content-Security-Policy – HIGH severity (OK)             |\n+--------------------------------------------------------------+\n```\n\n---\n\n# 📌 Roadmap / Future Enhancements\n\n* Scan recursion for pages discovered via sitemap\n* CSP quality scoring\n* Response header entropy checks\n* Policy misconfiguration detection\n* Passive fingerprinting detection\n\n---\n\n# 🧑‍⚖️ Ethical Disclaimer\n\nThis tool is intended for **authorized security testing and educational use only**.\nAnalyzing systems without permission is **illegal** and unethical.\n\n---\n\n# 👨‍💻 Author\n\n**Vignesh Mani**\nOffensive Security Researcher\nGitHub: [https://github.com/vigneshoffsec](https://github.com/vigneshoffsec)\nLinkedIn: [https://linkedin.com/in/vignesh-m17](https://linkedin.com/in/vignesh-m17)\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvigneshoffsec%2Fhttp-header-analyzer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fvigneshoffsec%2Fhttp-header-analyzer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fvigneshoffsec%2Fhttp-header-analyzer/lists"}