https://github.com/911abaddon/securityheaderx
Instant web security analysis: detect vulnerabilities in HTTP headers, TLS, and CORS with a single scan
- Host: GitHub
- URL: https://github.com/911abaddon/securityheaderx
- Owner: 911Abaddon
- License: other
- Created: 2025-05-04T15:16:15.000Z (about 1 month ago)
- Default Branch: main
- Last Pushed: 2025-05-04T16:00:27.000Z (about 1 month ago)
- Last Synced: 2025-05-04T16:31:26.555Z (about 1 month ago)
- Topics: api-security, appsec, cloud-security, container-security, cybersecurity, devsecops, http-headers, javascript, nodejs, owasp, penetration-testing, privacy, security, security-headers, security-tools, web-security
- Language: JavaScript
- Homepage:
- Size: 80.1 KB
- Stars: 1
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
- Security: security-header-checker.js
README
# SecurityHeaderX


A comprehensive web security analysis tool focused on detecting HTTP security header vulnerabilities and providing actionable remediation steps. SecurityHeaderX helps developers and security professionals identify and fix security misconfigurations in web applications.
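The kind of check SecurityHeaderX performs, shown here as an added stand-alone Node.js example. This is not the project's code: the header set, severities, score weights, grade thresholds and every function name (`analyzeHeaders`, `checkHsts`, `checkCsp`, ...) are assumptions made for the illustration. It runs offline against constructed response headers modelled on the Sample Report further down, reports the three missing headers and the sub-one-year HSTS `max-age`, and adds one check the table below does not spell out: a non-zero `X-XSS-Protection` value is reported as legacy, because current browsers have removed that filter and OWASP now recommends `0` or omitting the header.

```javascript
'use strict';
// Added example, not SecurityHeaderX's own code. Header list, severities,
// weights, grade thresholds and function names are all assumptions.

const ONE_YEAR_SECONDS = 31536000;

// Header names are case-insensitive (RFC 9110), so compare everything lowercase.
function normalizeHeaders(rawHeaders) {
  const headers = {};
  for (const [name, value] of Object.entries(rawHeaders)) {
    headers[name.toLowerCase()] = String(value).trim();
  }
  return headers;
}

// Split a ';'-separated value into { directive: argument }. HSTS separates the
// argument with '=', CSP with whitespace; both are handled by the same split.
//   "max-age=15768000; includeSubDomains" -> { 'max-age': '15768000', includesubdomains: '' }
//   "default-src 'self'; script-src 'self'" -> { 'default-src': "'self'", 'script-src': "'self'" }
function parseDirectives(value) {
  const directives = {};
  for (const part of value.split(';')) {
    const token = part.trim();
    if (!token) continue;
    const sep = token.search(/[=\s]/);
    const name = (sep === -1 ? token : token.slice(0, sep)).toLowerCase();
    directives[name] = sep === -1 ? '' : token.slice(sep + 1).trim();
  }
  return directives;
}

// HSTS rule from the sample report: max-age must be at least one year.
function checkHsts(value) {
  const maxAge = Number.parseInt(parseDirectives(value)['max-age'], 10);
  if (Number.isNaN(maxAge)) return 'missing or non-numeric max-age directive';
  if (maxAge < ONE_YEAR_SECONDS) return `max-age=${maxAge} is less than 1 year (${ONE_YEAR_SECONDS})`;
  return null;
}

// A CSP that lets inline scripts run gives little XSS protection. script-src falls
// back to default-src; browsers ignore 'unsafe-inline' when a nonce or hash is present.
function checkCsp(value) {
  const d = parseDirectives(value);
  const scriptSrc = d['script-src'] !== undefined ? d['script-src'] : d['default-src'];
  if (scriptSrc === undefined) return 'no script-src or default-src; scripts may load from anywhere';
  const sources = scriptSrc.toLowerCase().split(/\s+/);
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  if (sources.includes("'unsafe-inline'") && !hasNonceOrHash) return "script-src permits 'unsafe-inline'";
  if (sources.includes('*')) return 'script-src permits any origin (*)';
  return null;
}

// One entry per header in the README table; X-XSS-Protection is handled separately.
const CHECKS = [
  { header: 'content-security-policy', severity: 'high', weight: 15, validate: checkCsp },
  { header: 'strict-transport-security', severity: 'high', weight: 20, validate: checkHsts },
  { header: 'x-content-type-options', severity: 'high', weight: 10,
    validate: (v) => (v.toLowerCase() === 'nosniff' ? null : 'value must be "nosniff"') },
  { header: 'x-frame-options', severity: 'high', weight: 10,
    validate: (v) => (['DENY', 'SAMEORIGIN'].includes(v.toUpperCase()) ? null : 'use DENY or SAMEORIGIN') },
  { header: 'referrer-policy', severity: 'medium', weight: 5, validate: null },
  { header: 'permissions-policy', severity: 'medium', weight: 5, validate: null },
  { header: 'cache-control', severity: 'medium', weight: 5, validate: null },
];

// Current browsers have removed the X-XSS-Protection filter; OWASP recommends "0"
// or omitting the header, so any other value is reported (no score impact, assumed).
function checkLegacyXssProtection(headers) {
  const v = headers['x-xss-protection'];
  if (v === undefined || v === '0') return null;
  return { header: 'x-xss-protection', severity: 'low', value: v,
    issue: 'deprecated filter enabled; set to 0 or remove the header' };
}

function gradeFor(score) {
  if (score >= 90) return 'A';
  if (score >= 80) return 'B';
  if (score >= 65) return 'C';
  if (score >= 50) return 'D';
  return 'F';
}

// Missing header: full weight deducted. Present but weak: half the weight (assumed rule).
function analyzeHeaders(rawHeaders) {
  const headers = normalizeHeaders(rawHeaders);
  const missing = [];
  const misconfigured = [];
  let score = 100;
  for (const check of CHECKS) {
    const value = headers[check.header];
    if (value === undefined) {
      missing.push({ header: check.header, severity: check.severity });
      score -= check.weight;
      continue;
    }
    const issue = check.validate ? check.validate(value) : null;
    if (issue) {
      misconfigured.push({ header: check.header, severity: check.severity, value, issue });
      score -= Math.ceil(check.weight / 2);
    }
  }
  const legacy = checkLegacyXssProtection(headers);
  if (legacy) misconfigured.push(legacy);
  score = Math.max(0, score);
  return { score, grade: gradeFor(score), missing, misconfigured };
}

// Constructed response headers modelled on the sample report (not a real capture).
const SAMPLE_HEADERS = {
  'Content-Type': 'text/html; charset=utf-8',
  'Strict-Transport-Security': 'max-age=15768000',
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'SAMEORIGIN',
  'Cache-Control': 'no-store',
  'X-XSS-Protection': '1; mode=block',
};

console.log(JSON.stringify(analyzeHeaders(SAMPLE_HEADERS), null, 2));
```

Against the constructed headers this yields 65/100 (grade C), three missing headers and two misconfigured ones. To run it against a live site on Node 18 or later, pass `Object.fromEntries(response.headers)` from a `fetch()` call into `analyzeHeaders` instead of `SAMPLE_HEADERS`.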
## Features

- **Security Header Analysis**: Thorough scanning of HTTP security headers with detailed findings
- **Risk Scoring**: Security grade assessment based on OWASP recommendations
- **TLS/SSL Verification**: (Coming Soon) Analyze TLS configurations for vulnerabilities
- **Remediation Guidance**: Clear instructions for fixing identified issues
- **Multiple Report Formats**: Console, HTML, and JSON reports
- **Customizable**: Configurable scanning profiles for different security requirements
- **API Support**: (Coming Soon) REST API for integration with CI/CD pipelines

## Installation
```bash
# Clone the repository
git clone https://github.com/911Abaddon/SecurityHeaderX.git

# Navigate to the project directory
cd SecurityHeaderX

# Install dependencies
npm install
```

## Usage
### Command Line Interface
Scan a website for security headers:
```bash
node index.js https://example.com
```

With additional options:
```bash
# Generate HTML and JSON reports
node index.js https://example.com --reports

# Enable verbose output
node index.js https://example.com --verbose
```

### Programmatic Usage
```javascript
// Load the scanner from the repository root
const securityHeaderX = require('./index');

// Scan a URL and get results
async function scanWebsite() {
  const results = await securityHeaderX.scanUrl('https://example.com');
  console.log(results);
}

// Generate HTML and JSON reports for the same URL
async function generateReports() {
  const reportResult = await securityHeaderX.scanAndGenerateReports('https://example.com');
  console.log(`Reports saved to: ${reportResult.reports.html}`);
}

// Run both, and surface any network or scan error instead of an unhandled rejection
scanWebsite()
  .then(generateReports)
  .catch((err) => {
    console.error(err);
    process.exitCode = 1;
  });
```

## Security Headers Analyzed
SecurityHeaderX analyzes the following HTTP security headers:

| Header | Description | Security Impact |
|--------|-------------|----------------|
| Content-Security-Policy | Controls which resources the browser may load and whether inline script runs | Critical - Primary defense against XSS |
| Strict-Transport-Security | Forces HTTPS connections for the configured max-age | Critical - Prevents protocol downgrade and cookie hijacking over plain HTTP |
| X-Content-Type-Options | Prevents MIME-sniffing (`nosniff`) | High - Prevents content-type confusion attacks |
| X-Frame-Options | Controls framing of the page (`DENY` or `SAMEORIGIN`) | High - Prevents clickjacking |
| Referrer-Policy | Controls how much referrer information is sent with requests | Medium - Prevents information leakage |
| Permissions-Policy | Restricts browser features such as camera, microphone and geolocation | Medium - Reduces attack surface |
| X-XSS-Protection | Toggled the legacy browser XSS filter | Medium - Deprecated; current browsers have removed the filter, so the recommended value is `0` or omitting the header |
| Cache-Control | Controls browser and proxy caching | Medium - Prevents sensitive data exposure from cached responses |

## Project Structure
```
SecurityHeaderX/
├── api/                  # REST API server
│   └── routes/           # API endpoints
├── cli/                  # Command line interface
├── config/               # Configuration files
│   ├── compliance/       # Security standards (NIST, OWASP, PCI)
│   └── default.js        # Default configuration
├── docs/                 # Documentation
├── src/
│   ├── analyzers/        # Specialized analyzers
│   ├── core/             # Core functionality
│   ├── headers/          # Header modules
│   ├── remediation/      # Remediation suggestions
│   ├── reports/          # Report generators
│   └── utils/            # Utility functions
├── tests/                # Test files
├── index.js              # Main entry point
└── package.json          # Project metadata
```

## Development
Run tests:
```bash
npm test
```

Run tests with coverage:
```bash
npm run test:coverage
```

## Sample Report

SecurityHeaderX generates comprehensive reports with findings categorized by severity:

```
SECURITY HEADER SCAN RESULTS
--------------------------------------------------
URL: https://example.com
Status: 200
Score: 65/100 (Grade C)
Scan Time: May 4, 2025, 10:15:00 AM
--------------------------------------------------

MISSING HEADERS (3)

HIGH SEVERITY ISSUES (1):
  Content-Security-Policy (CSP)
  Description: Controls resources the browser is allowed to load
  Recommendation: Add Content-Security-Policy header with appropriate directives

MEDIUM SEVERITY ISSUES (2):
  Referrer-Policy
  Description: Controls how much referrer information should be included with requests
  Recommendation: Add "Referrer-Policy: strict-origin-when-cross-origin" header

  Permissions-Policy
  Description: Controls which browser features can be used on the page
  Recommendation: Implement a Permissions-Policy to restrict unnecessary features

MISCONFIGURED HEADERS (1)

HIGH SEVERITY ISSUES (1):
  Strict-Transport-Security (HSTS)
  Current Value: max-age=15768000
  Issue: HSTS max-age is less than 1 year
  Recommendation: Increase max-age to at least 31536000 (1 year)
```

## Roadmap
- [x] HTTP security header analysis
- [x] Multiple report formats (Console, HTML, JSON)
- [ ] TLS/SSL verification
- [ ] API security assessment
- [ ] Web UI for interactive scanning
- [ ] CI/CD integration
- [ ] Custom scan profiles
- [ ] Docker containerization

## Contributing
Contributions are welcome! Feel free to submit a Pull Request.
1. Fork the repository
2. Create your feature branch (`git checkout -b feature/amazing-feature`)
3. Commit your changes (`git commit -m 'Add some amazing feature'`)
4. Push to the branch (`git push origin feature/amazing-feature`)
5. Open a Pull Request

## License
This project is licensed under the MIT License - see the LICENSE file for details.
## Acknowledgements
- [OWASP Secure Headers Project](https://owasp.org/www-project-secure-headers/)
- [Mozilla Observatory](https://observatory.mozilla.org/)
- [SecurityHeaders.com](https://securityheaders.com/)