
Security News
CISA’s 2025 SBOM Guidance Adds Hashes, Licenses, Tool Metadata, and Context
CISA’s 2025 draft SBOM guidance adds new fields like hashes, licenses, and tool metadata to make software inventories more actionable.
Tinfoil is a command-line utility that scans a Web server externally to check for its usage of HTTP secure headers. This utility will scan for the following secure headers:
Strict-Transport-Security
X-XSS-Protection
X-Content-Type-Options
X-Frame-Options
Content-Security-Policy
Not all of these headers are required at all times, so you should use your best judgement when you see something is missing on your Web server. Best of all, you can selectively ignore the headers that you do not yet support.
Install it through RubyGems:
$ gem install tinfoil
Scan a single server
$ tinfoil www.example.com
Specifying the protocol, http:// or https://, is not required.
You can selectively ignore the secure headers or protocols that you do not want. For example, to ignore anything related to SSL or the Content-Security-Policy header:
$ tinfoil --ignore-https --ignore-csp --ignore-sts www.example.com
To view the other options available, you can use the --help argument.
The following examples test the secure header support for the main GitHub.com website.
This checks both the SSL and non-SSL versions of github.com. The tool shows that no headers are present on the non-SSL version (because it redirects to HTTPS) and then shows which headers are present on the SSL version.
greenhole:tinfoil scott$ bin/tinfoil github.com
protocol: http
protocol: https
headers:
Strict-Transport-Security: exists
X-XSS-Protection: exists
X-Content-Type-Options: exists
X-Frame-Options: exists
Content-Security-Policy: exists
Since we only care about the SSL version of github.com, we tell tinfoil to ignore the non-SSL version.
greenhole:tinfoil scott$ bin/tinfoil --ignore-http github.com
protocol: https
headers:
Strict-Transport-Security: exists
X-XSS-Protection: exists
X-Content-Type-Options: exists
X-Frame-Options: exists
Content-Security-Policy: exists
And, for kicks, we now tell tinfoil to ignore the Content-Security-Policy header for no good reason.
greenhole:tinfoil scott$ bin/tinfoil --ignore-http --ignore-csp github.com
protocol: https
headers:
Strict-Transport-Security: exists
X-XSS-Protection: exists
X-Content-Type-Options: exists
X-Frame-Options: exists
Content-Security-Policy: ignored
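As an added illustration, not part of the tinfoil README or its code, the script below reproduces the check tinfoil performs: it classifies each of the five headers as exists, missing or ignored and can be used as a pass/fail gate. The names fetch_headers, check_headers, all_present? and SAMPLE_HTTPS are chosen here, and the sample response is constructed, not captured from github.com.

```ruby
require "net/http"
require "uri"

# The five response headers the tinfoil examples report on.
SECURE_HEADERS = %w[
  Strict-Transport-Security
  X-XSS-Protection
  X-Content-Type-Options
  X-Frame-Options
  Content-Security-Policy
].freeze

# HEAD request for one scheme, without following redirects, so an
# http -> https redirect yields no secure headers, as in the example above.
def fetch_headers(host, scheme)
  uri = URI("#{scheme}://#{host}/")
  Net::HTTP.start(uri.host, uri.port, use_ssl: scheme == "https") do |http|
    http.head(uri.path).to_hash.transform_values(&:first)
  end
end

# Classify each secure header as :exists, :missing or :ignored.
# Lookup is case-insensitive, as HTTP header names are.
def check_headers(headers, ignore: [])
  present = headers.keys.map(&:downcase)
  ignored = ignore.map(&:downcase)
  SECURE_HEADERS.each_with_object({}) do |name, result|
    key = name.downcase
    result[name] = if ignored.include?(key) then :ignored
                   elsif present.include?(key) then :exists
                   else :missing
                   end
  end
end

# True only when every non-ignored header is present; usable as a CI gate.
def all_present?(result)
  result.values.none? { |status| status == :missing }
end

# Constructed sample HTTPS response (lowercase keys, as Net::HTTP returns
# them); X-XSS-Protection is deliberately absent.
SAMPLE_HTTPS = {
  "strict-transport-security" => "max-age=31536000; includeSubDomains",
  "x-content-type-options" => "nosniff",
  "x-frame-options" => "deny",
  "content-security-policy" => "default-src 'none'",
}.freeze
```

Calling fetch_headers against a live host and passing the result to check_headers gives the same classification tinfoil prints; the ignore: list plays the role of the --ignore-* flags.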
Contributing
Create your feature branch (git checkout -b my-new-feature)
Commit your changes (git commit -am 'Add some feature')
Push to the branch (git push origin my-new-feature)
See LICENSE.txt for more information.