koenbuyens / securityheaders
Check any website (or set of websites) for insecure security headers.
License: Apache License 2.0
I created the following bash script so your program can process multiple sites and output them all as text files and compress them.
#!/bin/bash
# Ask the user for the filename
echo "Please enter the filename:"
read -r filename
# Check if the file exists
if [ ! -f "$filename" ]; then
    echo "File not found!"
    exit 1
fi
# Create a results directory
mkdir -p results
# Read each line from the file
while IFS= read -r line
do
    # Split the line by ':' and get the first part
    host=${line%%:*}
    # Skip blank lines
    [ -z "$host" ] && continue
    # Inform the user of the current progress
    echo "Processing $host"
    # Run the program with the host, remove ANSI colors and redirect output to a temporary file.
    # The timeout command will terminate the python command if it runs for more than 30 seconds.
    # stderr is redirected before the pipe so it captures the python command's errors (not sed's),
    # and stdin comes from /dev/null so the program cannot consume the rest of the input file.
    timeout 30 python3 ./securityheaders.py "$host" </dev/null 2>>errors.log | sed 's/\x1b\[[0-9;]*m//g' > "${host}.tmp"
    # $? after a pipeline is sed's status; PIPESTATUS[0] holds the status of the timeout command
    if [ "${PIPESTATUS[0]}" -eq 124 ]; then
        echo "Command timed out for host: $host" | tee -a errors.log
    fi
    # Check if the output file is zero size
    if [ ! -s "${host}.tmp" ]; then
        echo "$host file is zero size" >> logs.txt
        rm "${host}.tmp"
    else
        mv "${host}.tmp" "results/${host}.txt"
    fi
done < "$filename"
# Compress the results directory
zip -r results.zip results/
# Print a completion message
echo "Script completed successfully!"
If so, any plans to add new Feature Policy headers support?
Unit tests on CSP are broken.
self.assertTrue(self.csphash.policyHasScriptHashes())
self.assertTrue(self.csphashcamel.policyHasScriptHashes())
These two are failing because the initialization of the class CSPDirective seems to get rid of the second value in tuples such as CHILD_SRC. This causes wrong handling of directives in camelCase.
I'm not sure I really understand why you define a tuple but then use directive as a single value in functions such as getEffectiveDirective(). Could you provide some explanation?
For example, results are not the same for http://google.com/ between version 2 and 3 of Python.
python securityheaders.py http://google.com/
This is because, with Python 3, the code doesn't follow redirections.
The error is located at line 233 of securityheaders/securityheader.py. The line:
if (header[0] == 'location'):
must be changed to:
if (header[0].lower() == 'location'):
because, in version 3 of Python, header names are not in lower case.
Pull request: #10.
As stated in RFC 2616, header values should be separated by commas and not semicolons.
Even if the majority of values appear to be separated by semicolons, it's not always the case, thus these values are considered unknown.
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Cross-Origin-Embedder-Policy
https://http.dev/cross-origin-embedder-policy
https://http.dev/cross-origin-opener-policy
https://udn.realityripple.com/docs/Web/HTTP/Headers/Cross-Origin-Opener-Policy
COOP will process-isolate your document and potential attackers can't access your global object if they were opening it in a popup, preventing a set of cross-origin attacks dubbed XS-Leaks.
The root cause of most XS-Leaks is inherent to the design of the web. Oftentimes applications are vulnerable to some cross-site information leaks without having done anything wrong. It is challenging to fix the root cause of XS-Leaks at the browser level because in many cases doing so would break existing websites. For this reason, browsers are now implementing various Defense Mechanisms to overcome these difficulties. Many of these defenses require websites to opt in to a more restrictive security model, usually through the use of certain HTTP headers (e.g. Cross-Origin-Opener-Policy: same-origin), which often must be combined to achieve the desired outcome.
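Two of the reports above fit one piece of code: the Python 3 redirect bug (header names must be compared case-insensitively) and the COOP/COEP discussion (which header values actually isolate a document). The following is an added example, not code from the securityheaders project: it looks headers up case-insensitively on the `(name, value)` tuples that `http.client` returns, strips structured-header parameters, and grades the Cross-Origin-Opener-Policy / Cross-Origin-Embedder-Policy pair the way a checker would. The function names, the severity labels and the sample responses are assumptions made for this example; the policy tokens are the ones the specifications define.

```python
# Added example, not part of the securityheaders project: case-insensitive
# header lookup (the Location bug above) plus a COOP/COEP grader that says
# whether a document is cross-origin isolated and why not.
from typing import Iterable, List, Optional, Tuple

# Policy tokens defined for the two headers; "unsafe-none" is what browsers
# apply when the header is absent or carries an unrecognised value.
COOP_VALUES = {"unsafe-none", "same-origin-allow-popups", "same-origin"}
COEP_VALUES = {"unsafe-none", "require-corp", "credentialless"}

Finding = Tuple[str, str, str]  # (header, severity, message) - labels are assumptions


def get_header(headers: Iterable[Tuple[str, str]], name: str) -> Optional[str]:
    """Return the first value whose header name matches case-insensitively.

    http.client hands back names as the server sent them ("Location",
    "LOCATION", ...), so both sides of the comparison are lower-cased.
    """
    wanted = name.lower()
    for key, value in headers:
        if key.lower() == wanted:
            return value.strip()
    return None


def policy_token(raw: Optional[str]) -> Optional[str]:
    """Drop structured-header parameters, e.g. 'same-origin; report-to="x"'."""
    if raw is None:
        return None
    return raw.split(";", 1)[0].strip().lower()


def check_cross_origin_isolation(headers: Iterable[Tuple[str, str]]) -> List[Finding]:
    """Grade COOP and COEP; an empty list means the document is cross-origin isolated."""
    headers = list(headers)  # allow two passes over an iterator
    findings: List[Finding] = []
    coop = policy_token(get_header(headers, "Cross-Origin-Opener-Policy"))
    coep = policy_token(get_header(headers, "Cross-Origin-Embedder-Policy"))

    if coop is None:
        findings.append(("COOP", "high", "missing: cross-origin openers keep a handle "
                         "on this window (XS-Leaks exposure)"))
    elif coop not in COOP_VALUES:
        findings.append(("COOP", "medium", f"unknown value {coop!r}: browsers fall back to unsafe-none"))
    elif coop == "unsafe-none":
        findings.append(("COOP", "high", "unsafe-none: no isolation from cross-origin openers"))
    elif coop == "same-origin-allow-popups":
        findings.append(("COOP", "info", "same-origin-allow-popups: popups opened by this page "
                         "stay reachable, which prevents cross-origin isolation"))

    if coep is None:
        findings.append(("COEP", "medium", "missing: cross-origin subresources load without CORP/CORS opt-in"))
    elif coep not in COEP_VALUES:
        findings.append(("COEP", "medium", f"unknown value {coep!r}: browsers fall back to unsafe-none"))
    elif coep == "unsafe-none":
        findings.append(("COEP", "medium", "unsafe-none: cross-origin isolation cannot be enabled"))

    return findings


def is_cross_origin_isolated(headers: Iterable[Tuple[str, str]]) -> bool:
    """True only for COOP: same-origin together with COEP: require-corp or credentialless."""
    headers = list(headers)
    coop = policy_token(get_header(headers, "Cross-Origin-Opener-Policy"))
    coep = policy_token(get_header(headers, "Cross-Origin-Embedder-Policy"))
    return coop == "same-origin" and coep in ("require-corp", "credentialless")


# Constructed sample responses (not captured from any real site); the mixed
# header-name casing is deliberate, to exercise the case-insensitive lookup.
ISOLATED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("cross-origin-opener-policy", "same-origin"),
    ("CROSS-ORIGIN-EMBEDDER-POLICY", 'require-corp; report-to="default"'),
]
DEFAULT_RESPONSE = [("Content-Type", "text/html")]
POPUP_RESPONSE = [
    ("Cross-Origin-Opener-Policy", "Same-Origin-Allow-Popups"),
    ("Cross-Origin-Embedder-Policy", "require-corp"),
]

if __name__ == "__main__":
    for label, resp in (("isolated", ISOLATED_RESPONSE), ("defaults", DEFAULT_RESPONSE),
                        ("popups", POPUP_RESPONSE)):
        print(f"{label}: crossOriginIsolated={is_cross_origin_isolated(resp)}")
        for header, severity, message in check_cross_origin_isolation(resp):
            print(f"  [{severity}] {header} {message}")
```

The parameter stripping in `policy_token` matters because a server may legitimately send `same-origin; report-to="default"`; a checker that compares the raw string would flag a correct deployment as unknown, and one that compares header names with `==` would miss the header entirely on Python 3, exactly as in the redirect bug.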
Hi,
If somebody is still using this and needs to use Python 3.10, then this will pop up:
python3 ./securityheaders.py
Traceback (most recent call last):
File "/root/securityheaders/./securityheaders.py", line 6, in <module>
import securityheaders.command_line
File "/root/securityheaders/securityheaders/__init__.py", line 11, in <module>
from .securityheader import SecurityHeaders
File "/root/securityheaders/securityheaders/securityheader.py", line 22, in <module>
from securityheaders.formatters import FindingFormatterFactory
File "/root/securityheaders/securityheaders/formatters/__init__.py", line 1, in <module>
from .findingformatterfactory import FindingFormatterFactory, FindingFormatter, FindingFormatterTabulated, FindingFormatterCSV
File "/root/securityheaders/securityheaders/formatters/findingformatterfactory.py", line 5, in <module>
from tabulate import tabulate
File "/usr/local/lib/python3.10/dist-packages/tabulate.py", line 16, in <module>
from collections import Iterable
ImportError: cannot import name 'Iterable' from 'collections' (/usr/lib/python3.10/collections/__init__.py)
You need to update requirements.txt and install tabulate 0.9.0. It fixes the problem:
diff --git a/requirements.txt b/requirements.txt
index 6b25e6e..41a1b17 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -3,4 +3,4 @@ argcomplete==1.9.4
enum34==1.1.6
ipaddress==1.0.22
six==1.11.0
-tabulate==0.8.2
+tabulate==0.9.0
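Review bot: bumping tabulate to 0.9.0 resolves the `from collections import Iterable` ImportError shown in the traceback above, but the neighbouring pins in this hunk deserve the same attention: `enum34==1.1.6` and `ipaddress==1.0.22` are Python 2 backports of standard-library modules and are unnecessary on Python 3 (enum34 can shadow the standard-library enum module on newer interpreters), and `six==1.11.0` is old enough to conflict with other installed packages, as the later comment about 'stone' shows. Consider dropping the Python 2 backports and using minimum-version specifiers such as `tabulate>=0.9.0` rather than exact pins.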
pip install -r requirements.txt
Requirement already satisfied: anytree==2.4.3 in /usr/local/lib/python3.10/dist-packages (from -r requirements.txt (line 1)) (2.4.3)
Requirement already satisfied: argcomplete==1.9.4 in /usr/local/lib/python3.10/dist-packages (from -r requirements.txt (line 2)) (1.9.4)
Requirement already satisfied: enum34==1.1.6 in /usr/local/lib/python3.10/dist-packages (from -r requirements.txt (line 3)) (1.1.6)
Requirement already satisfied: ipaddress==1.0.22 in /usr/local/lib/python3.10/dist-packages (from -r requirements.txt (line 4)) (1.0.22)
Requirement already satisfied: six==1.11.0 in /usr/local/lib/python3.10/dist-packages (from -r requirements.txt (line 5)) (1.11.0)
Collecting tabulate==0.9.0
Downloading tabulate-0.9.0-py3-none-any.whl (35 kB)
Installing collected packages: tabulate
Attempting uninstall: tabulate
Found existing installation: tabulate 0.8.5
Uninstalling tabulate-0.8.5:
Successfully uninstalled tabulate-0.8.5
Successfully installed tabulate-0.9.0
python ./securityheaders.py
usage: securityheaders.py [-h] [--listcheckers] [--listformatters] [--listheaders] [--headers HEADERS] [--response RESPONSE] [--defaultscheme https] [--max-redirects 2]
[--config ./conf/app.conf] [--urlcolumn 0] [--startrow 0] [--screen] [--file ./tmp] [--formatter Tabulate] [--flatten]
[--skipcheckers [checkername ...]] [--checkers [Checker ...]]
[URL ...]
The version of 'stone' in my installation requires a version of 'six' that's equal to or greater than 1.12.0. Your requirements.txt has the 5-year-old 1.11.0. Please consider bumping the version or creating laxer version requirements, like a minimum version or a fixed major version.