Electricmonk

Ferry Boender


Sec-tools v0.3: HTTP Security Headers

Wednesday, July 24th, 2019

The latest version of my sec-tools project includes a new tool, “sec-gather-http-headers”. It scans one or more URLs for security-related HTTP headers and reports the value of each header, or null when a header is not set. As usual, you can use sec-diff to generate alerts about changes in the output and sec-report to generate a matrix overview of the headers for each URL.

The JSON output looks like this:

$ sec-gather-http-headers https://github.com/ https://gitlab.com/
{
    "http_headers": {
        "https://github.com/": {
            "Expect-CT": "max-age=2592000, report-uri=\"https://api.github.com/_private/browser/errors\"",
            "Feature-Policy": null,
            "Access-Control-Allow-Origin": null,
            "X-Frame-Options": "deny",
            "Referrer-Policy": "origin-when-cross-origin, strict-origin-when-cross-origin",
            "Access-Control-Allow-Headers": null,
            "X-XSS-Protection": "1; mode=block",
            "Strict-Transport-Security": "max-age=31536000; includeSubdomains; preload",
            "Public-key-pins": null,
            "Content-Security-Policy": "default-src 'none'; base-uri 'self'; block-all-mixed-content; connect-src 'self' uploads.github.com www.githubstatus.com collector.githubapp.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com wss://live.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; frame-src render.githubusercontent.com; img-src 'self' data: github.githubassets.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com *.githubusercontent.com customer-stories-feed.github.com; manifest-src 'self'; media-src 'none'; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com",
            "X-Content-Type-Options": "nosniff",
            "Access-Control-Allow-Methods": null
        },
        "https://gitlab.com/": {
            "Expect-CT": null,
            "Feature-Policy": null,
            "Access-Control-Allow-Origin": null,
            "X-Frame-Options": null,
            "Referrer-Policy": null,
            "Access-Control-Allow-Headers": null,
            "X-XSS-Protection": "1; mode=block",
            "Strict-Transport-Security": "max-age=31536000; includeSubdomains",
            "Public-key-pins": null,
            "Content-Security-Policy": "frame-ancestors 'self' https://gitlab.lookbookhq.com https://learn.gitlab.com;",
            "X-Content-Type-Options": "nosniff",
            "Access-Control-Allow-Methods": null
        }
    }
}
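As an added illustration (not code from sec-tools itself), the script below reproduces the URL → header → value-or-null structure shown above and lists which security headers a site leaves unset. The SAMPLE_RESPONSE data is constructed for offline use; "https://example.invalid/" is a placeholder URL.

```python
# Added example, not sec-tools code: gather security headers into the same
# {"http_headers": {url: {header: value-or-null}}} shape as the output above.
import json
import sys
import urllib.request

# Header names exactly as they appear in the tool's JSON output.
SECURITY_HEADERS = [
    "Expect-CT", "Feature-Policy", "Access-Control-Allow-Origin",
    "X-Frame-Options", "Referrer-Policy", "Access-Control-Allow-Headers",
    "X-XSS-Protection", "Strict-Transport-Security", "Public-key-pins",
    "Content-Security-Policy", "X-Content-Type-Options",
    "Access-Control-Allow-Methods",
]

# Constructed sample response (not captured from a real site), for offline runs.
SAMPLE_RESPONSE = {
    "https://example.invalid/": {
        "content-type": "text/html",
        "x-content-type-options": "nosniff",
        "content-security-policy": "frame-ancestors 'self';",
    }
}

def extract_security_headers(response_headers):
    """Map each known security header to its value, or None when absent.
    Header names are case-insensitive, so match on the lower-cased name."""
    lowered = {k.lower(): v for k, v in response_headers.items()}
    return {name: lowered.get(name.lower()) for name in SECURITY_HEADERS}

def fetch_headers(url, timeout=10):
    """GET the URL and return its response headers. A header sent more than
    once (e.g. two Referrer-Policy lines) is joined with ', ' as in the output above."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        names = {k for k, _ in resp.headers.items()}
        return {n: ", ".join(resp.headers.get_all(n)) for n in names}

def gather(urls, fetch=fetch_headers):
    """Build {"http_headers": {url: {header: value-or-None}}} for one or more URLs."""
    return {"http_headers": {u: extract_security_headers(fetch(u)) for u in urls}}

def missing_headers(gathered):
    """Per URL, the security headers that were not set (null in the JSON)."""
    return {u: sorted(h for h, v in hdrs.items() if v is None)
            for u, hdrs in gathered["http_headers"].items()}

if __name__ == "__main__":
    urls = sys.argv[1:] or list(SAMPLE_RESPONSE)
    fetch = fetch_headers if sys.argv[1:] else SAMPLE_RESPONSE.__getitem__
    print(json.dumps(gather(urls, fetch), indent=4))
```

Run it with real URLs as arguments to fetch live headers, or with no arguments to see the constructed sample processed.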

An example PDF output with a matrix overview:

[image: http_headers matrix overview]

The text of all posts on this blog, unless specifically mentioned otherwise, is licensed under this license.