
koenbuyens / securityheaders


Check any website (or set of websites) for insecure security headers.

License: Apache License 2.0

Python 99.90% Dockerfile 0.09% Shell 0.01%
http headers security csp content-security-policy hsts xframe-options referrer-policy feature-policy expect-ct

securityheaders's Issues

multi-site functionality

I created the following bash script so your program can process multiple sites and output them all as text files and compress them.

#!/bin/bash

# Ask the user for the filename
echo "Please enter the filename:"
read -r filename

# Check if the file exists
if [ ! -f "$filename" ]; then
    echo "File not found!"
    exit 1
fi

# Create a results directory
mkdir -p results

# Read each line from the file
while IFS= read -r line
do
    # Split the line by ':' and get the first part (drops an optional :port suffix)
    host=${line%%:*}

    # Skip blank lines
    [ -z "$host" ] && continue

    # Inform the user of the current progress
    echo "Processing $host"

    # Run the program with the host, remove ANSI colors and redirect output to a temporary file.
    # The timeout command will terminate the python command if it runs for more than 30 seconds.
    # stderr of the python command (not of sed) is appended to errors.log.
    timeout 30 python3 ./securityheaders.py "$host" 2>>errors.log | sed 's/\x1b\[[0-9;]*m//g' > "${host}.tmp"

    # $? would hold sed's exit status; the timeout command's status is in PIPESTATUS[0]
    if [ "${PIPESTATUS[0]}" -eq 124 ]; then
        echo "Command timed out for host: $host" | tee -a errors.log
    fi

    # Check if the output file is zero size
    if [ ! -s "${host}.tmp" ]; then
        echo "$host file is zero size" >> logs.txt
        rm -f "${host}.tmp"
    else
        mv "${host}.tmp" "results/${host}.txt"
    fi
done < "$filename"

# Compress the results directory
zip -r results.zip results/

# Print a completion message
echo "Script completed successfully!"

Broken tests on CSP

Unittests on CSP are broken.

self.assertTrue(self.csphash.policyHasScriptHashes())
self.assertTrue(self.csphashcamel.policyHasScriptHashes())

These two are failing because initialization of the class CSPDirective seems to get rid of the second value in tuples such as CHILD_SRC. This causes wrong handling of directives in camelCase.

I'm not sure I really understand why you define a tuple but then use directive as a single value in functions such as getEffectiveDirective(). Could you provide some explanation?

[BUG] follow_redirects doesn't work with Python 3

For example, results are not the same for http://google.com/ between versions 2 and 3 of Python.

python securityheaders.py http://google.com/

Because with Python 3, the code doesn't follow redirections.

The error is located line 233 of securityheaders/securityheader.py.

The line:

                    if (header[0] == 'location'):

must be changed to:

                    if (header[0].lower() == 'location'):

Because, in version 3 of Python, headers are not in lower case.

Pull request: #10.
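The point of the fix above is that HTTP header names are case-insensitive while Python 3's http.client hands them back with the server's original casing, so a redirect follower has to compare names case-insensitively. The following is an added example, not code from the securityheaders project: a stand-alone `follow_redirects` helper (hypothetical name, unrelated to the project's option of the same name) that looks up Location case-insensitively, resolves relative Location values, and honours a redirect budget like the project's --max-redirects 2 default, run over constructed sample responses.

```python
# Added example (not securityheaders project code): case-insensitive Location
# lookup and bounded redirect following over constructed sample responses.
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urljoin

Headers = List[Tuple[str, str]]
Response = Tuple[int, Headers]  # (status code, header list exactly as the server sent it)


def find_header(headers: Headers, name: str) -> Optional[str]:
    """Return the first header value whose name matches case-insensitively.

    Header names are case-insensitive on the wire, and Python 3 preserves the
    server's casing, so 'Location', 'location' and 'LOCATION' must all match.
    """
    wanted = name.lower()
    for key, value in headers:
        if key.lower() == wanted:
            return value
    return None


def follow_redirects(url: str, fetch: Callable[[str], Response],
                     max_redirects: int = 2) -> Tuple[str, int, Headers, int]:
    """Follow 3xx responses for at most max_redirects hops.

    Returns (final_url, status, headers, hops). Stops early when the redirect
    budget is exhausted or a 3xx response carries no Location header, so a
    redirect loop cannot run forever.
    """
    hops = 0
    current = url
    status, headers = fetch(current)
    while 300 <= status < 400 and hops < max_redirects:
        location = find_header(headers, "Location")
        if location is None:
            break
        current = urljoin(current, location)  # Location may be relative
        status, headers = fetch(current)
        hops += 1
    return current, status, headers, hops


# Constructed sample responses (hypothetical host); header-name casing is mixed on purpose.
SAMPLE_RESPONSES: Dict[str, Response] = {
    "http://example.test/": (301, [("Location", "https://example.test/")]),
    "https://example.test/": (302, [("LOCATION", "/home")]),
    "https://example.test/home": (200, [("Strict-Transport-Security", "max-age=31536000"),
                                        ("X-Frame-Options", "DENY")]),
}


def sample_fetch(url: str) -> Response:
    """Stand-in for a real HTTP fetch; serves the constructed responses above."""
    return SAMPLE_RESPONSES.get(url, (404, []))


if __name__ == "__main__":
    final, status, hdrs, hops = follow_redirects("http://example.test/", sample_fetch)
    print(f"{final} -> {status} after {hops} hop(s); "
          f"HSTS: {find_header(hdrs, 'strict-transport-security')}")
```

With an exact-case comparison the second hop (whose header is spelled LOCATION) would be treated as a final response and the scanner would grade the redirect page instead of the real one; the case-insensitive lookup makes both hops resolve.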

Parse headers separated by comma

As stated in RFC 2616, header values should be separated by comma and not semicolon.

Even if the majority of values appear to be separated by semicolons, it's not always the case, so these values are considered unknown.
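Two separators are in play here and a checker has to handle both: the HTTP list syntax joins several same-name header fields (as a proxy or CDN may do) into one comma-separated value, while inside one Content-Security-Policy policy the directives are separated by semicolons. The following is an added example, not the securityheaders project's parser: it splits a header value on commas that are outside quoted strings, then splits each CSP policy into its directives, so a response carrying two folded policies is evaluated as two policies rather than one unknown value.

```python
# Added example (not securityheaders project code): split a combined header
# value into comma-separated list elements, then parse each CSP policy.
from typing import Dict, List


def split_header_list(value: str) -> List[str]:
    """Split on commas that are not inside a quoted-string.

    Quoted strings may legitimately contain commas (e.g. Cache-Control's
    no-cache="set-cookie, set-cookie2"), so a plain value.split(',') would
    tear them apart.
    """
    parts: List[str] = []
    buf: List[str] = []
    in_quotes = False
    escaped = False
    for ch in value:
        if escaped:                      # character after a backslash inside quotes
            buf.append(ch)
            escaped = False
        elif ch == "\\" and in_quotes:   # quoted-pair: keep the backslash, skip next char
            buf.append(ch)
            escaped = True
        elif ch == '"':
            in_quotes = not in_quotes
            buf.append(ch)
        elif ch == "," and not in_quotes:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]       # the list syntax tolerates empty elements; drop them


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Parse one CSP policy into {directive-name: [source expressions]}.

    Directives within a policy are separated by semicolons; directive names
    are case-insensitive, and browsers keep the first occurrence of a
    duplicated directive, which is mirrored here.
    """
    directives: Dict[str, List[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def parse_csp_header(value: str) -> List[Dict[str, List[str]]]:
    """Parse a CSP header value that may carry several comma-joined policies.

    Every policy in the list must be satisfied by the browser, so a checker
    should evaluate each one instead of grading the joined string as a single
    (and probably malformed-looking) policy.
    """
    return [parse_csp(policy) for policy in split_header_list(value)]


# Constructed sample: two policies folded into one header value (hypothetical CDN host).
SAMPLE_CSP = ("default-src 'self'; script-src 'self' https://cdn.example.test, "
              "frame-ancestors 'none'")

if __name__ == "__main__":
    for n, policy in enumerate(parse_csp_header(SAMPLE_CSP), 1):
        print(f"policy {n}: {policy}")
```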

add Cross-Origin-Embedder-Policy and Cross-Origin-Opener-Policy check

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy

https://http.dev/cross-origin-embedder-policy

https://http.dev/cross-origin-opener-policy

https://udn.realityripple.com/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy

COOP will process-isolate your document, and potential attackers can't access your global object if they were opening it in a popup, preventing a set of cross-origin attacks dubbed XS-Leaks.

The root cause of most XS-Leaks is inherent to the design of the web. Oftentimes applications are vulnerable to some cross-site information leaks without having done anything wrong. It is challenging to fix the root cause of XS-Leaks at the browser level because in many cases doing so would break existing websites. For this reason, browsers are now implementing various Defense Mechanisms to overcome these difficulties. Many of these defenses require websites to opt in to a more restrictive security model, usually through the use of certain HTTP headers (e.g. Cross-Origin-Opener-Policy: same-origin), which often must be combined to achieve the desired outcome.
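The request above is for the scanner to grade these two headers the way it grades the existing ones. The following is an added example, not a checker from the securityheaders project, and its severity labels are the example's own choice: it looks up Cross-Origin-Opener-Policy and Cross-Origin-Embedder-Policy case-insensitively, validates the values against the ones the HTML specification defines, and reports whether the combination actually yields cross-origin isolation (COOP same-origin together with COEP require-corp or credentialless), which is what the XS-Leaks defences depend on.

```python
# Added example (not securityheaders project code): a checker for
# Cross-Origin-Opener-Policy (COOP) and Cross-Origin-Embedder-Policy (COEP).
from typing import Dict, List, Optional, Tuple

Headers = List[Tuple[str, str]]

COOP = "Cross-Origin-Opener-Policy"
COEP = "Cross-Origin-Embedder-Policy"
# Values defined by the HTML specification; "unsafe-none" is the behaviour
# a browser applies when the header is absent.
COOP_VALUES = {"same-origin", "same-origin-allow-popups", "unsafe-none"}
COEP_VALUES = {"require-corp", "credentialless", "unsafe-none"}
ISOLATING_COEP = {"require-corp", "credentialless"}


def get_header(headers: Headers, name: str) -> Optional[str]:
    """Case-insensitive header lookup (header names are case-insensitive on the wire)."""
    wanted = name.lower()
    for key, value in headers:
        if key.lower() == wanted:
            return value
    return None


def policy_value(raw: Optional[str]) -> str:
    """Reduce a header value to its bare policy token.

    Both headers use structured-header syntax, so a reporting parameter such
    as 'same-origin; report-to="default"' must not make the value unknown.
    """
    if raw is None:
        return "unsafe-none"
    return raw.split(";", 1)[0].strip().lower()


def is_cross_origin_isolated(headers: Headers) -> bool:
    """True when the document will be cross-origin isolated in the browser."""
    return (policy_value(get_header(headers, COOP)) == "same-origin"
            and policy_value(get_header(headers, COEP)) in ISOLATING_COEP)


def check_cross_origin_isolation(headers: Headers) -> List[Dict[str, str]]:
    """Return a finding per weak, missing or unknown COOP/COEP value.

    Severities are this example's own rating, not the project's scale.
    """
    findings: List[Dict[str, str]] = []

    def report(header: str, severity: str, text: str) -> None:
        findings.append({"header": header, "severity": severity, "finding": text})

    raw_coop = get_header(headers, COOP)
    coop = policy_value(raw_coop)
    if raw_coop is None:
        report(COOP, "medium", "missing; document stays in the opener's browsing context group")
    elif coop not in COOP_VALUES:
        report(COOP, "medium", f"unknown value {coop!r}; browsers fall back to unsafe-none")
    elif coop == "unsafe-none":
        report(COOP, "medium", "unsafe-none disables process isolation from cross-origin openers")
    elif coop == "same-origin-allow-popups":
        report(COOP, "info", "same-origin-allow-popups keeps a popup reference and does not "
                             "enable cross-origin isolation")

    raw_coep = get_header(headers, COEP)
    coep = policy_value(raw_coep)
    if raw_coep is None:
        report(COEP, "low", "missing; cross-origin isolation requires require-corp or credentialless")
    elif coep not in COEP_VALUES:
        report(COEP, "low", f"unknown value {coep!r}; browsers fall back to unsafe-none")
    elif coep == "unsafe-none":
        report(COEP, "low", "unsafe-none; cross-origin isolation requires require-corp or credentialless")
    return findings


# Constructed sample response headers (hypothetical), mixed casing on purpose.
SAMPLE_HEADERS: Headers = [
    ("cross-origin-opener-policy", 'same-origin; report-to="default"'),
    ("Cross-Origin-Embedder-Policy", "require-corp"),
]

if __name__ == "__main__":
    print("isolated:", is_cross_origin_isolated(SAMPLE_HEADERS))
    for f in check_cross_origin_isolation(SAMPLE_HEADERS) or [{"finding": "no findings"}]:
        print(f)
```

Keeping the parameter-stripping step separate matters for a scanner: a site that deploys `Cross-Origin-Opener-Policy: same-origin; report-to="default"` to collect reports is correctly configured and must not be flagged as carrying an unknown value.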

Tabulate needs to be updated for Python 3.10

Hi,

If somebody is still using this and needs to use Python 3.10, then this will pop up:

python3 ./securityheaders.py
Traceback (most recent call last):
  File "/root/securityheaders/./securityheaders.py", line 6, in <module>
    import securityheaders.command_line
  File "/root/securityheaders/securityheaders/__init__.py", line 11, in <module>
    from .securityheader import SecurityHeaders
  File "/root/securityheaders/securityheaders/securityheader.py", line 22, in <module>
    from securityheaders.formatters import FindingFormatterFactory
  File "/root/securityheaders/securityheaders/formatters/__init__.py", line 1, in <module>
    from .findingformatterfactory import FindingFormatterFactory, FindingFormatter, FindingFormatterTabulated, FindingFormatterCSV
  File "/root/securityheaders/securityheaders/formatters/findingformatterfactory.py", line 5, in <module>
    from tabulate import tabulate
  File "/usr/local/lib/python3.10/dist-packages/tabulate.py", line 16, in <module>
    from collections import Iterable
ImportError: cannot import name 'Iterable' from 'collections' (/usr/lib/python3.10/collections/__init__.py)

You need to update the requirements.txt and install tabulate 0.9.0. It fixes the problem:

diff --git a/requirements.txt b/requirements.txt
index 6b25e6e..41a1b17 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -3,4 +3,4 @@ argcomplete==1.9.4
 enum34==1.1.6
 ipaddress==1.0.22
 six==1.11.0
-tabulate==0.8.2
+tabulate==0.9.0
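Review bot: the bump to tabulate==0.9.0 resolves the `from collections import Iterable` failure shown in the traceback, but the unchanged context lines of this hunk still pin enum34==1.1.6 and ipaddress==1.0.22, which are Python 2 backports of standard-library modules (enum34 in particular installs a package named `enum` that shadows the standard-library module on Python 3), and six==1.11.0 is exactly the pin that the stone dependency conflict reported further down this page complains about. Since requirements.txt is being edited anyway, consider dropping the two backports and relaxing six to a minimum version such as `six>=1.12.0` in the same change.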

pip install -r requirements.txt
Requirement already satisfied: anytree==2.4.3 in /usr/local/lib/python3.10/dist-packages (from -r requirements.txt (line 1)) (2.4.3)
Requirement already satisfied: argcomplete==1.9.4 in /usr/local/lib/python3.10/dist-packages (from -r requirements.txt (line 2)) (1.9.4)
Requirement already satisfied: enum34==1.1.6 in /usr/local/lib/python3.10/dist-packages (from -r requirements.txt (line 3)) (1.1.6)
Requirement already satisfied: ipaddress==1.0.22 in /usr/local/lib/python3.10/dist-packages (from -r requirements.txt (line 4)) (1.0.22)
Requirement already satisfied: six==1.11.0 in /usr/local/lib/python3.10/dist-packages (from -r requirements.txt (line 5)) (1.11.0)
Collecting tabulate==0.9.0
  Downloading tabulate-0.9.0-py3-none-any.whl (35 kB)
Installing collected packages: tabulate
  Attempting uninstall: tabulate
    Found existing installation: tabulate 0.8.5
    Uninstalling tabulate-0.8.5:
      Successfully uninstalled tabulate-0.8.5
Successfully installed tabulate-0.9.0

python ./securityheaders.py
usage: securityheaders.py [-h] [--listcheckers] [--listformatters] [--listheaders] [--headers HEADERS] [--response RESPONSE] [--defaultscheme https] [--max-redirects 2]
                          [--config ./conf/app.conf] [--urlcolumn 0] [--startrow 0] [--screen] [--file ./tmp] [--formatter Tabulate] [--flatten]
                          [--skipcheckers [checkername ...]] [--checkers [Checker ...]]
                          [URL ...]

Dependency conflict in stone & six

The version of 'stone' in my installation requires a version of 'six' that's equal to or greater than 1.12.0. Your requirements.txt has the 5-year-old 1.11.0. Please consider bumping the version or creating laxer version requirements like a minimum version or a fixed major version.
