https://github.com/911abaddon/securityheaderx

Instant web security analysis: detect vulnerabilities in HTTP headers, TLS, and CORS with a single scan

# SecurityHeaderX



![Version](https://img.shields.io/badge/version-1.0.0-blue.svg)
![License](https://img.shields.io/badge/license-MIT-green.svg)
![Node](https://img.shields.io/badge/node-%3E%3D14.16-brightgreen.svg)

A comprehensive web security analysis tool focused on detecting HTTP security header vulnerabilities and providing actionable remediation steps. SecurityHeaderX helps developers and security professionals identify and fix security misconfigurations in web applications.

## ✨ Features

- 🔍 **Security Header Analysis**: Thorough scanning of HTTP security headers with detailed findings
- 📊 **Risk Scoring**: Security grade assessment based on OWASP recommendations
- 🔐 **TLS/SSL Verification**: (Coming Soon) Analyze TLS configurations for vulnerabilities
- 🚨 **Remediation Guidance**: Clear instructions for fixing identified issues
- 📝 **Multiple Report Formats**: Console, HTML, and JSON reports
- **Customizable**: Configurable scanning profiles for different security requirements
- **API Support**: (Coming Soon) REST API for integration with CI/CD pipelines

## 🚀 Installation

```bash
# Clone the repository
git clone https://github.com/911Abaddon/SecurityHeaderX.git

# Navigate to the project directory
cd SecurityHeaderX

# Install dependencies
npm install
```

## 📋 Usage

### Command Line Interface

Scan a website for security headers:

```bash
node index.js https://example.com
```

With additional options:

```bash
# Generate HTML and JSON reports
node index.js https://example.com --reports

# Enable verbose output
node index.js https://example.com --verbose
```

### Programmatic Usage

```javascript
const securityHeaderX = require('./index');

// Scan a URL and get results
async function scanWebsite() {
  const results = await securityHeaderX.scanUrl('https://example.com');
  console.log(results);
}

// Generate reports
async function generateReports() {
  const reportResult = await securityHeaderX.scanAndGenerateReports('https://example.com');
  console.log(`Reports saved to: ${reportResult.reports.html}`);
}

scanWebsite();
```

## 📊 Security Headers Analyzed

SecurityHeaderX thoroughly analyzes the following HTTP security headers:

| Header | Description | Security Impact |
|--------|-------------|----------------|
| Content-Security-Policy | Controls resources the browser can load | Critical - Prevents XSS |
| Strict-Transport-Security | Forces HTTPS connections | Critical - Prevents MITM attacks |
| X-Content-Type-Options | Prevents MIME-sniffing | High - Prevents content-type attacks |
| X-Frame-Options | Controls framing of the page | High - Prevents clickjacking |
| Referrer-Policy | Controls referrer information | Medium - Prevents information leakage |
| Permissions-Policy | Restricts browser features | Medium - Reduces attack surface |
| X-XSS-Protection | Enables browser XSS filtering | Medium - Additional XSS protection |
| Cache-Control | Controls browser caching | Medium - Prevents sensitive data exposure |

## 🛠️ Project Structure

```
SecurityHeaderX/
├── api/                 # REST API server
│   └── routes/          # API endpoints
├── cli/                 # Command line interface
├── config/              # Configuration files
│   ├── compliance/      # Security standards (NIST, OWASP, PCI)
│   └── default.js       # Default configuration
├── docs/                # Documentation
├── src/
│   ├── analyzers/       # Specialized analyzers
│   ├── core/            # Core functionality
│   ├── headers/         # Header modules
│   ├── remediation/     # Remediation suggestions
│   ├── reports/         # Report generators
│   └── utils/           # Utility functions
├── tests/               # Test files
├── index.js             # Main entry point
└── package.json         # Project metadata
```

## πŸ§ͺ Development

Run tests:

```bash
npm test
```

Run tests with coverage:

```bash
npm run test:coverage
```

## 📝 Sample Report

SecurityHeaderX generates comprehensive reports with findings categorized by severity:

```
📊 SECURITY HEADER SCAN RESULTS
--------------------------------------------------
URL: https://example.com
Status: 200
Score: 65/100 (Grade C)
Scan Time: May 4, 2025, 10:15:00 AM
--------------------------------------------------

❌ MISSING HEADERS (3)
  HIGH SEVERITY ISSUES (1):
    Content-Security-Policy (CSP)
      Description: Controls resources the browser is allowed to load
      Recommendation: Add Content-Security-Policy header with appropriate directives

  MEDIUM SEVERITY ISSUES (2):
    Referrer-Policy
      Description: Controls how much referrer information should be included with requests
      Recommendation: Add "Referrer-Policy: strict-origin-when-cross-origin" header

    Permissions-Policy
      Description: Controls which browser features can be used on the page
      Recommendation: Implement a Permissions-Policy to restrict unnecessary features

⚠️ MISCONFIGURED HEADERS (1)
  HIGH SEVERITY ISSUES (1):
    Strict-Transport-Security (HSTS)
      Current Value: max-age=15768000
      Issue: HSTS max-age is less than 1 year
      Recommendation: Increase max-age to at least 31536000 (1 year)
```
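The table of analyzed headers and the sample report above describe two finding classes: a required header that is absent, and a present header whose value is weak (HSTS with a `max-age` under one year). The following is an added example, not SecurityHeaderX's own code, showing how such an analyzer can be written over a plain response-header object of the kind Node's `http` module returns. Header names, severities, recommendation text and the one-year HSTS threshold come from the README; the function names (`parseHsts`, `analyzeHeaders`, `gradeFor`), the point weights and the grade bands are assumptions, chosen so the constructed sample headers score 65/100 like the report, and do not claim to be the project's formula.

```javascript
'use strict';

// Added example (not SecurityHeaderX's code): flags missing security headers and a
// misconfigured HSTS/X-Content-Type-Options value over a constructed header set.
// Severities, recommendations and the 1-year HSTS threshold follow the README;
// PENALTY and gradeFor are constructed assumptions, not the project's scoring.

const ONE_YEAR_SECONDS = 31536000;

// Lower-cased names, as Node's http module exposes response headers.
const REQUIRED_HEADERS = {
  'content-security-policy':   { severity: 'HIGH',   recommendation: 'Add Content-Security-Policy header with appropriate directives' },
  'strict-transport-security': { severity: 'HIGH',   recommendation: `Add "Strict-Transport-Security: max-age=${ONE_YEAR_SECONDS}; includeSubDomains"` },
  'x-content-type-options':    { severity: 'HIGH',   recommendation: 'Add "X-Content-Type-Options: nosniff"' },
  'x-frame-options':           { severity: 'HIGH',   recommendation: 'Add "X-Frame-Options: DENY" or "SAMEORIGIN" (or a CSP frame-ancestors directive)' },
  'referrer-policy':           { severity: 'MEDIUM', recommendation: 'Add "Referrer-Policy: strict-origin-when-cross-origin" header' },
  'permissions-policy':        { severity: 'MEDIUM', recommendation: 'Implement a Permissions-Policy to restrict unnecessary features' },
};

// Assumed penalties, chosen so the constructed sample below scores 65/100 like the report.
const PENALTY = { missing: { HIGH: 15, MEDIUM: 5 }, misconfigured: { HIGH: 10, MEDIUM: 5 } };

// Parse "max-age=15768000; includeSubDomains; preload". Directive names are
// case-insensitive (RFC 6797); a missing or non-numeric max-age yields null.
function parseHsts(value) {
  const hsts = { maxAge: null, includeSubDomains: false, preload: false };
  for (const directive of String(value).split(';')) {
    const [rawName, rawValue] = directive.split('=');
    const name = rawName.trim().toLowerCase();
    if (name === 'max-age' && rawValue !== undefined) {
      const seconds = Number.parseInt(rawValue.trim().replace(/^"|"$/g, ''), 10);
      hsts.maxAge = Number.isNaN(seconds) ? null : seconds;
    } else if (name === 'includesubdomains') {
      hsts.includeSubDomains = true;
    } else if (name === 'preload') {
      hsts.preload = true;
    }
  }
  return hsts;
}

// Assumed grade bands (the report shows 65 -> C but not the project's cut-offs).
function gradeFor(score) {
  if (score >= 90) return 'A';
  if (score >= 80) return 'B';
  if (score >= 65) return 'C';
  if (score >= 50) return 'D';
  return 'F';
}

// Analyze a response-header object and return { missing, misconfigured, score, grade }.
function analyzeHeaders(rawHeaders) {
  const headers = {};
  for (const [name, value] of Object.entries(rawHeaders)) {
    // Repeated headers arrive as arrays in Node; the first value is analyzed.
    headers[name.toLowerCase()] = Array.isArray(value) ? String(value[0]) : String(value);
  }

  const missing = Object.entries(REQUIRED_HEADERS)
    .filter(([name]) => !(name in headers))
    .map(([name, meta]) => ({ header: name, ...meta }));
  const misconfigured = [];

  const hstsValue = headers['strict-transport-security'];
  if (hstsValue !== undefined) {
    const hsts = parseHsts(hstsValue);
    if (hsts.maxAge === null || hsts.maxAge < ONE_YEAR_SECONDS) {
      misconfigured.push({
        header: 'strict-transport-security', severity: 'HIGH', current: hstsValue,
        issue: hsts.maxAge === null ? 'HSTS max-age is missing or not numeric'
                                    : 'HSTS max-age is less than 1 year',
        recommendation: `Increase max-age to at least ${ONE_YEAR_SECONDS} (1 year)`,
      });
    }
  }

  // Only the exact token "nosniff" disables MIME sniffing; anything else is noise.
  const xcto = headers['x-content-type-options'];
  if (xcto !== undefined && xcto.trim().toLowerCase() !== 'nosniff') {
    misconfigured.push({
      header: 'x-content-type-options', severity: 'HIGH', current: xcto,
      issue: 'Value is not "nosniff"', recommendation: 'Set "X-Content-Type-Options: nosniff"',
    });
  }

  let score = 100;
  for (const f of missing) score -= PENALTY.missing[f.severity];
  for (const f of misconfigured) score -= PENALTY.misconfigured[f.severity];
  score = Math.max(0, score);
  return { missing, misconfigured, score, grade: gradeFor(score) };
}

// Constructed response headers mirroring the sample report: CSP, Referrer-Policy
// and Permissions-Policy absent, HSTS max-age of six months (15768000 s).
const SAMPLE_HEADERS = {
  'Content-Type': 'text/html; charset=utf-8',
  'Strict-Transport-Security': 'max-age=15768000',
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',
};

console.log(JSON.stringify(analyzeHeaders(SAMPLE_HEADERS), null, 2));
```

Run against the constructed headers, the analyzer reports the same three missing headers and the same HSTS finding as the sample report. The header lookup is lower-cased because HTTP header names are case-insensitive and Node already normalizes them that way; a real scanner would pass `res.headers` from an `https.get` call straight into `analyzeHeaders`.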

## 🗺️ Roadmap

- [x] HTTP security header analysis
- [x] Multiple report formats (Console, HTML, JSON)
- [ ] TLS/SSL verification
- [ ] API security assessment
- [ ] Web UI for interactive scanning
- [ ] CI/CD integration
- [ ] Custom scan profiles
- [ ] Docker containerization

## 🤝 Contributing

Contributions are welcome! Feel free to submit a Pull Request.

1. Fork the repository
2. Create your feature branch (`git checkout -b feature/amazing-feature`)
3. Commit your changes (`git commit -m 'Add some amazing feature'`)
4. Push to the branch (`git push origin feature/amazing-feature`)
5. Open a Pull Request

## 📄 License

This project is licensed under the MIT License - see the LICENSE file for details.

## 🙏 Acknowledgements

- [OWASP Secure Headers Project](https://owasp.org/www-project-secure-headers/)
- [Mozilla Observatory](https://observatory.mozilla.org/)
- [SecurityHeaders.com](https://securityheaders.com/)