https://github.com/vigneshoffsec/http-header-analyzer
A Python-based HTTP security header analyzer that identifies weak or missing policies (CSP, HSTS, XFO, etc.) and generates OWASP-aligned remediation reports.
appsec blue-team http-security owasp pentesting python secure-configuration security-automation security-headers web-security
- Host: GitHub
- URL: https://github.com/vigneshoffsec/http-header-analyzer
- Owner: vigneshoffsec
- License: mit
- Created: 2025-11-14T03:56:01.000Z (4 months ago)
- Default Branch: main
- Last Pushed: 2025-11-14T04:25:07.000Z (4 months ago)
- Last Synced: 2025-11-14T05:35:38.369Z (4 months ago)
- Topics: appsec, blue-team, http-security, owasp, pentesting, python, secure-configuration, security-automation, security-headers, web-security
- Language: Python
- Homepage:
- Size: 1.9 MB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# HTTP Header Analyzer (Advanced AppSec Tool)
A Python-based **HTTP security header auditing tool** that identifies weak or missing security headers across one or more web applications.
It generates **OWASP-aligned remediation guidance**, severity ratings, and exports **JSON + HTML reports** suitable for AppSec teams, vulnerability assessments, and developer handoff.
This tool automates the security header review process and accelerates security assessments.
---
# Project Structure
```
http-header-analyzer/
├── src/
│   └── header_analyzer.py
├── reports/
│   └── .gitkeep
├── wordlists/
│   └── .gitkeep
├── README.md
└── LICENSE
```
---
# Features
### Full Security Header Evaluation
Checks for the industry-standard security headers:
* **Content-Security-Policy (CSP)**
* **Strict-Transport-Security (HSTS)**
* **X-Frame-Options**
* **X-Content-Type-Options**
* **Referrer-Policy**
* **Permissions-Policy**
### OWASP-Aligned Remediation
Each missing header includes:
* Severity (HIGH / MEDIUM / LOW)
* Description
* Recommended fix aligned with OWASP best practices
### Multi-Target Scanning
Scan:
* A single URL
* Multiple URLs
* A `.txt` file containing URLs
### JSON + HTML Reporting
Automatically generates:
* JSON report (`header-report-*.json`)
* HTML report (`header-report-*.html`)
Ideal for client deliverables.
### Colorized CLI Output
Clear and readable terminal output with severity-based highlighting.
### Domain Normalization
URLs without a scheme are automatically prefixed with `https://`.
---
# Usage
### **Scan a Single Target**
```bash
python3 src/header_analyzer.py https://example.com
```
### **Scan Multiple Targets**
```bash
python3 src/header_analyzer.py https://site1.com https://site2.org https://site3.net
```
### **Scan from URL List File**
`targets.txt`:
```
https://example.com
https://app.test.com
https://login.internal
```
Run:
```bash
python3 src/header_analyzer.py targets.txt
```
---
# Example Console Output
```
=== https://example.com ===
Status: 200
[+] Content-Security-Policy (OK)
[-] Strict-Transport-Security MISSING | Severity: HIGH
[-] X-Frame-Options MISSING | Severity: MEDIUM
```
---
# Example Report Files
Inside `/reports/`:
```
header-report-20251114-153210.json
header-report-20251114-153210.html
```
---
# How It Works (Internals)
### 1. Normalize URL
Adds an `https://` prefix automatically when the target carries no `http://` or `https://` scheme.
### 2. Fetch HTTP Response
Sends the request with a modern User-Agent string and a request timeout, so a non-responsive host cannot stall the scan.
### 3. Header Evaluation
For each of the 6 key security headers:
* Check presence
* Identify severity
* Provide OWASP remediation text
### 4. Structured Results
Stores:
* Present headers
* Missing headers
* Raw header dump
* Status code
### 5. Report Generation
Creates:
* JSON structured report
* HTML formatted table with severity coloring
---
# Severity Ratings
| Severity | Meaning |
| ---------- | ------------------------------------------------------------- |
| **HIGH** | Critical header missing; high exploitability (CSP, HSTS) |
| **MEDIUM** | Important but not critical (XFO, X-Content-Type-Options) |
| **LOW** | Best-practice hardening (Referrer-Policy, Permissions-Policy) |
---
# OWASP Remediation Mapping
The tool follows OWASP best practices for headers:
* **CSP:** Prevents XSS & injection
* **HSTS:** Prevents downgrade attacks
* **XFO:** Stops clickjacking
* **XCTO:** Prevents MIME sniffing
* **Referrer-Policy:** Reduces data leakage
* **Permissions-Policy:** Restricts browser features
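The following is an added example, not the project's own `header_analyzer.py`, that reimplements the five-step pipeline from "How It Works" (normalize, evaluate, structure, report) together with the severity table and the OWASP remediation mapping above. The function names, the remediation strings and the sample response are assumptions; the live fetch of step 2 is replaced by a constructed header dictionary so the example runs offline. One detail worth noting: HTTP header names are case-insensitive, so the lookup lowercases every key before matching; a naive exact-name comparison would report a header as missing merely because the server emitted it in lowercase.

```python
import json
from datetime import datetime

# Header -> (severity, purpose, example remediation). Severities follow the
# README's table; remediation values are the usual OWASP cheat-sheet settings
# and are illustrative, not the project's own text.
HEADER_POLICY = {
    "Content-Security-Policy": (
        "HIGH", "Prevents XSS & injection",
        "Serve a restrictive policy, e.g. default-src 'self'; object-src 'none'"),
    "Strict-Transport-Security": (
        "HIGH", "Prevents downgrade attacks",
        "Strict-Transport-Security: max-age=31536000; includeSubDomains"),
    "X-Frame-Options": (
        "MEDIUM", "Stops clickjacking",
        "X-Frame-Options: DENY (or frame-ancestors in CSP)"),
    "X-Content-Type-Options": (
        "MEDIUM", "Prevents MIME sniffing",
        "X-Content-Type-Options: nosniff"),
    "Referrer-Policy": (
        "LOW", "Reduces data leakage",
        "Referrer-Policy: strict-origin-when-cross-origin"),
    "Permissions-Policy": (
        "LOW", "Restricts browser features",
        "Permissions-Policy: geolocation=(), camera=(), microphone=()"),
}


def normalize_url(target: str) -> str:
    """Step 1: add an https:// prefix when the target carries no scheme."""
    target = target.strip()
    if target.lower().startswith(("http://", "https://")):
        return target
    return "https://" + target


def evaluate_headers(headers: dict) -> dict:
    """Step 3: check each key header for presence (case-insensitively)."""
    lowered = {k.lower(): v for k, v in headers.items()}
    present, missing = [], []
    for name, (severity, purpose, fix) in HEADER_POLICY.items():
        entry = {"header": name, "severity": severity, "description": purpose}
        if name.lower() in lowered:
            entry["value"] = lowered[name.lower()]
            present.append(entry)
        else:
            entry["remediation"] = fix
            missing.append(entry)
    return {"present": present, "missing": missing}


def build_result(url: str, status: int, headers: dict) -> dict:
    """Step 4: structured result for one target (URL, status, raw headers)."""
    result = {"url": normalize_url(url), "status": status,
              "raw_headers": dict(headers)}
    result.update(evaluate_headers(headers))
    return result


def console_lines(result: dict) -> list:
    """Console view in the README's [+]/[-] format (colouring omitted)."""
    lines = [f"=== {result['url']} ===", f"Status: {result['status']}"]
    for h in result["present"]:
        lines.append(f"[+] {h['header']} (OK)")
    for h in result["missing"]:
        lines.append(f"[-] {h['header']} MISSING | Severity: {h['severity']}")
    return lines


def to_json_report(results: list) -> str:
    """Step 5: JSON report covering every scanned target."""
    return json.dumps({"generated": datetime.now().isoformat(timespec="seconds"),
                       "targets": results}, indent=2)


# Constructed sample response standing in for the live fetch of step 2.
SAMPLE_STATUS = 200
SAMPLE_HEADERS = {
    "content-security-policy": "default-src 'self'",   # lowercase on purpose
    "X-Content-Type-Options": "nosniff",
    "Content-Type": "text/html; charset=utf-8",
}

if __name__ == "__main__":
    res = build_result("example.com", SAMPLE_STATUS, SAMPLE_HEADERS)
    print("\n".join(console_lines(res)))
    print(to_json_report([res]))
```

Swapping the constructed dictionary for `requests.get(url, timeout=10).headers` would turn this into a live scanner; `requests` already returns a case-insensitive mapping, but the lowercasing keeps the evaluation correct for any plain `dict` source as well.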
---
# Example HTML Report Preview
(Automatically generated)
```
+--------------------------------------------------------------+
| HTTP Security Header Report                                  |
+--------------------------------------------------------------+
| URL: https://example.com                                     |
| Status: 200                                                  |
|--------------------------------------------------------------|
| Missing Headers:                                             |
|   HSTS → HIGH severity → remediation text...                 |
|   X-Frame-Options → MEDIUM severity → remediation text...    |
| Present Headers:                                             |
|   Content-Security-Policy → HIGH severity (OK)               |
+--------------------------------------------------------------+
```
---
# Roadmap / Future Enhancements
* Scan recursion for pages discovered via sitemap
* CSP quality scoring
* Response header entropy checks
* Policy misconfiguration detection
* Passive fingerprinting detection
---
# Ethical Disclaimer
This tool is intended for **authorized security testing and educational use only**.
Analyzing systems without permission is **illegal** and unethical.
---
# Author
**Vignesh Mani**
Offensive Security Researcher
GitHub: [https://github.com/vigneshoffsec](https://github.com/vigneshoffsec)
LinkedIn: [https://linkedin.com/in/vignesh-m17](https://linkedin.com/in/vignesh-m17)