HTTP Headers Analyzer
"A journey of a thousand miles begins with a single step. - Lao Tzu"
"And if you don't keep your feet, there's no knowing where you might be swept off to. - Bilbo Baggins"
Features
Screenshots
Installation & Update
Usage
Missing Headers Check
Fingerprint Headers Check
Insecure Values Check
Empty Values Check
Guidelines included
To-Do
Further Reading
Contribute
License
✔️ 14 checks of missing HTTP response headers.
✔️ 98 checks of fingerprinting through HTTP response headers.
✔️ 22 checks of HTTP response headers with values considered insecure.
✔️ Two types of analysis: brief and complete, along with HTTP response headers.
✔️ Export of analysis to html, pdf and txt.
✔️ PEP8 compliant code.
✔️ Tested on hundreds of URLs.
✔️ Fully tested on Windows (10 20H2 - 19042.985) and Linux (Kali 2021.1).
✔️ Permissive license (MIT).
✔️ Regularly updated.
.: Brief report (Windows)
.: Brief report and retrieved headers (Linux)
.: Full report (Linux)
.: Analysis exported to PDF. Example.
.: Analysis exported to HTML. Example.
NOTE: Python 3.5 or higher is required.
# install python3 and python3-pip if not exist
(Windows) https://www.python.org/downloads/windows/
(Linux) if not installed by default, install them via, e.g. Synaptic, apt, dnf, yum ...
# install git
(Windows) https://git-scm.com/download/win
(Linux) https://git-scm.com/download/linux
# clone the repository
$ git clone https://github.com/rfc-st/humble.git
# change the working directory to humble
$ cd humble
# install the requirements
$ pip3 install -r requirements.txt
# update humble (every couple of weeks, inside humble's working directory)
$ git pull
# or download the latest release
https://github.com/rfc-st/humble/releases(Windows) $ py humble.py
(Linux) $ python3 humble.py
usage: humble.py [-h] [-d DOMAIN] [-b] [-o {html,pdf,txt} [-r] [-g] [-v]
humble (HTTP Headers Analyzer) - https://github.com/rfc-st/humble
optional arguments:
-h, --help show this help message and exit
-d DOMAIN domain to analyze, including schema. E.g., https://google.com
-r show HTTP response headers and full analysis (with references and details)
-b show brief analysis (without references or details)
-o {html,pdf,txt} save analysis to file (domain_yyyymmdd.ext)
-g show guidelines on securing most used web servers/servicesShow / Hide
Cache-Control |
Clear-Site-Data |
Content-Security-Policy |
Cross-Origin-Embedder-Policy |
Cross-Origin-Opener-Policy |
Cross-Origin-Resource-Policy |
Expect-CT |
NEL |
Permissions-Policy |
Pragma |
Referrer-Policy |
Strict-Transport-Security |
X-Content-Type-Options |
X-Frame-Options |
|
Show / Hide
Composed-By |
Generator |
Hummingbird-Cache |
Liferay-Portal |
MicrosoftOfficeWebServer |
MicrosoftSharePointTeamServices |
MS-Author-Via |
Oracle-Mobile-Runtime-Version |
Powered-By |
Product |
Server |
Servlet-Engine |
simplycom-server |
SPIisLatency |
SPRequestDuration |
SPRequestGuid |
swift-performance |
Via |
WPO-Cache-Status |
X-Accel-Buffering |
X-Accel-Redirect |
X-Accel-Charset |
X-Accel-Expires |
X-Accel-Limit-Rate |
X-AH-Environment |
X-Application-Context |
X-AspNet-Version |
X-AspNetMvc-Version |
X-Backend |
X-Backend-Server |
X-BEServer |
X-Cache-Handler |
X-Cache-Only-Varnish |
X-CF-Powered-By |
X-Cocoon-Version |
X-Compressed-By |
X-Content-Powered-By |
X-Debug-Token |
X-Debug-Token-Link |
X-DevSrv-CMS |
X-Drupal-Cache |
X-Drupal-Cache-Contexts |
X-Drupal-Cache-Tags |
X-Drupal-Dynamic-Cache |
X-FEServer |
X-FW-Server |
X-FW-Version |
X-Garden-Version |
X-Generator |
X-Litespeed-Cache |
X-Litespeed-Cache-Control |
X-Magento-Cache-Control |
X-Magento-Cache-Debug |
X-LiteSpeed-Purge |
X-LiteSpeed-Tag |
X-LiteSpeed-Vary |
X-Mod-Pagespeed |
X-MS-InvokeApp |
X-Nginx-Cache-Status |
X-Nginx-Upstream-Cache-Status |
X-Nitro-Cache |
X-Nitro-Cache-From |
X-Nitro-Rev |
X-ORACLE-DMS-ECID |
X-ORACLE-DMS-RID |
X-OWA-Version |
X-Page-Speed |
X-Powered-By |
X-Powered-By-Plesk |
X-Powered-CMS |
X-Provided-By |
X-Rack-Cache |
X-Redirect-By |
X-Redirect-Powered-By |
X-Server |
X-ServerName |
X-Server-Name |
X-Server-Powered-By |
X-ShardId |
X-SharePointHealthScore |
X-ShopId |
X-Shopify-Request-Trackable |
X-Shopify-Stage |
X-Sorting-Hat-PodId |
X-Sorting-Hat-ShopId |
X-Storefront-Renderer-Rendered |
X-Storefront-Renderer-Verified |
X-Spip-Cache |
X-TEC-API-ORIGIN |
X-TEC-API-ROOT |
X-TEC-API-VERSION |
X-Turbo-Charged-By |
X-Using-Nginx-Controller |
X-Varnish |
X-Varnish-Cache |
X-Varnish-CC |
X-Version |
X-Version-Id |
|
Show / Hide
Access-Control-Allow-Methods |
Access-Control-Allow-Origin |
Allow |
Cache-Control |
Content-Security-Policy |
Etag |
Feature-Policy |
HTTP instead HTTPS |
Permissions-Policy |
Public-Key-Pins |
Referrer-Policy |
Server-Timing |
Set-Cookie |
Strict-Transport-Security |
Timing-Allow-Origin |
X-Content-Type-Options |
X-DNS-Prefetch-Control |
X-Frame-Options |
X-Permitted-Cross-Domain-Policies |
X-Pingback |
X-Runtime |
X-XSS-Protection |
||
Any HTTP response header.
- Amazon AWS
- Apache HTTP Server
- Cloudflare
- MaxCDN
- Microsoft Internet Information Services
- Nginx
- Add more header/value checks (only security-oriented)
- Add analysis rating
- Show the application related to each fingerprint header
https://caniuse.com/
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers
https://github.com/search?q=http+headers+analyze
https://github.com/search?q=http+headers+secure
https://github.com/search?q=http+headers+security
https://owasp.org/www-project-secure-headers/
https://securityheaders.com/
https://scotthelme.co.uk/
https://webtechsurvey.com/common-response-headers
https://www.w3.org
- Report a Bug.
- Create a Feature request.
- Report a Security Vulnerability.
- Drop me an email (rafael.fcucalon@gmail.com).
Thanks for your time!! :).
MIT © 2020-2022 Rafa 'Bluesman' Faura (rafael.fcucalon@gmail.com)
Original Creator - Rafa 'Bluesman' Faura (rafael.fcucalon@gmail.com)