
Python script to check HTTP security headers
Same functionality as securityheaders.io, but as a Python script. It also checks some server/version headers. Written and tested using Python 3.8.
With minor modifications it could be used as a library in other projects.
NOTE: The project was renamed (2024-10-19) from securityheaders to secheaders to avoid confusion with a PyPI package of a similar name.
The following assumes you have Python installed and that the command python refers to Python version >= 3.8.
$ pip install secheaders
python -m build
pip install dist/secheaders-0.2.0-py3-none-any.whl
secheaders --help
python -m secheaders
usage: secheaders [-h] [--target-list FILE] [--max-redirects N] [--insecure] [--file FILE] [--json] [--no-color] [--verbose] [URL]
Scan HTTP security headers
positional arguments:
URL Target URL (default: None)
options:
-h, --help show this help message and exit
--target-list FILE Read multiple target URLs from a file and scan them all (default: None)
--max-redirects N Max redirects, set 0 to disable (default: 2)
--insecure Do not verify TLS certificate chain (default: False)
--file FILE, -f FILE Read the headers from file or stdin rather than fetching from URL (default: None)
--json JSON output instead of text (default: False)
--no-color Do not output colors in terminal (default: False)
--verbose, -v Verbose output (default: False)
$ secheaders example.com
Scanning target https://example.com ...
Header 'x-frame-options' is missing [ WARN ]
Header 'strict-transport-security' is missing [ WARN ]
Header 'content-security-policy' is missing [ WARN ]
Header 'x-content-type-options' is missing [ WARN ]
Header 'x-xss-protection' is missing [ OK ]
Header 'referrer-policy' is missing [ WARN ]
Header 'permissions-policy' is missing [ WARN ]
server: ECAcc (nyd/D191) [ WARN ]
HTTPS supported [ OK ]
HTTPS valid certificate [ OK ]
HTTP -> HTTPS automatic redirect [ WARN ]
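As an added illustration (not the project's own code), here is a minimal checker that reproduces the header part of the verdicts shown above: it parses a raw response header block, as the --file option would read it from a file or stdin, and reports missing hardening headers, the deprecated x-xss-protection header, and a version-leaking server header. The HTTPS checks need a live connection and are left out; the sample response, the x-powered-by check and the verdict for a present deprecated header are assumptions.

```python
from typing import Dict, List, Tuple

# Headers whose absence the scan output above reports as WARN.
EXPECTED_HEADERS = ("x-frame-options", "strict-transport-security",
                    "content-security-policy", "x-content-type-options",
                    "referrer-policy", "permissions-policy")
# x-xss-protection is deprecated, so its absence is reported as OK.
DEPRECATED_HEADERS = ("x-xss-protection",)
# Headers that reveal server software/version details (WARN when present).
LEAKY_HEADERS = ("server", "x-powered-by")

# Constructed sample response, not captured from a real host.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: ECAcc (nyd/D191)
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
"""

def parse_headers(raw: str) -> Dict[str, str]:
    """Parse a raw response header block (what --file reads) into a
    dict keyed by lowercase header name; the status line is skipped."""
    headers: Dict[str, str] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line or line.startswith("HTTP/"):
            continue
        name, sep, value = line.partition(":")
        if sep:  # skip anything that is not "Name: value"
            headers[name.strip().lower()] = value.strip()
    return headers

def evaluate(headers: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (message, verdict) pairs in the shape of the text output."""
    findings: List[Tuple[str, str]] = []
    for h in EXPECTED_HEADERS:
        present = h in headers
        findings.append((f"Header '{h}' is {'present' if present else 'missing'}",
                         "OK" if present else "WARN"))
    for h in DEPRECATED_HEADERS:
        # Assumption: a present deprecated header is flagged WARN here; the
        # page only shows the verdict for the missing case.
        present = h in headers
        findings.append((f"Header '{h}' is {'present' if present else 'missing'}",
                         "WARN" if present else "OK"))
    for h in LEAKY_HEADERS:
        if h in headers:
            findings.append((f"{h}: {headers[h]}", "WARN"))
    return findings
```

Running evaluate(parse_headers(SAMPLE_RESPONSE)) yields eight findings: four missing headers as WARN, two present headers as OK, the missing x-xss-protection as OK, and the server header as WARN.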
The following design principles have been considered:
These are not rules set in stone, but they should be revisited when making major design choices.
FAQs
Scan HTTP security headers
We found that secheaders demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 1 open source maintainer collaborating on the project.