A Python-based HTTP security header analyzer that identifies weak or missing policies (CSP, HSTS, XFO, etc.) and generates OWASP-aligned remediation reports.
vigneshoffsec/http-header-analyzer
πŸ›‘οΈ HTTP Header Analyzer (Advanced AppSec Tool)

A Python-based HTTP security header auditing tool that identifies weak or missing security headers across one or more web applications. It generates OWASP-aligned remediation guidance, severity ratings, and exports JSON + HTML reports suitable for AppSec teams, vulnerability assessments, and developer handoff.

This tool automates the security header review process and accelerates security assessments.



📂 Project Structure

http-header-analyzer/
│── src/
│   └── header_analyzer.py
│── reports/
│   └── .gitkeep
│── wordlists/
│   └── .gitkeep
│── README.md
│── LICENSE

🚀 Features

✔ Full Security Header Evaluation

Checks for the industry-standard security headers:

  • Content-Security-Policy (CSP)
  • Strict-Transport-Security (HSTS)
  • X-Frame-Options
  • X-Content-Type-Options
  • Referrer-Policy
  • Permissions-Policy

✔ OWASP-Aligned Remediation

Each missing header includes:

  • Severity (HIGH / MEDIUM / LOW)
  • Description
  • Recommended fix aligned with OWASP best practices

✔ Multi-Target Scanning

Scan:

  • A single URL
  • Multiple URLs
  • A .txt file containing URLs

✔ JSON + HTML Reporting

Automatically generates:

  • JSON report (header-report-*.json)
  • HTML report (header-report-*.html)

Ideal for client deliverables.

✔ Colorized CLI Output

Clear and readable terminal output with severity-based highlighting.

✔ Domain Normalization

URLs without a scheme are automatically corrected to https:// before scanning.


🧪 Usage

Scan a Single Target

python3 src/header_analyzer.py https://example.com

Scan Multiple Targets

python3 src/header_analyzer.py https://site1.com https://site2.org https://site3.net

Scan from URL List File

targets.txt:

https://example.com
https://app.test.com
https://login.internal

Run:

python3 src/header_analyzer.py targets.txt

📤 Example Console Output

=== https://example.com ===
Status: 200

[+] Content-Security-Policy (OK)
[-] Strict-Transport-Security MISSING | Severity: HIGH
[-] X-Frame-Options MISSING | Severity: MEDIUM

🧾 Example Report Files

Inside /reports/:

header-report-20251114-153210.json
header-report-20251114-153210.html

🛠 How It Works (Internals)

1. Normalize URL

Ensures an http:// or https:// prefix is present, adding https:// automatically when the target has none.

2. Fetch HTTP Response

Sends the request with a modern User-Agent string and a timeout, so an unresponsive host cannot stall the scan.

3. Header Evaluation

For each of the 6 key security headers:

  • Check presence
  • Identify severity
  • Provide OWASP remediation text

4. Structured Results

Stores:

  • Present headers
  • Missing headers
  • Raw header dump
  • Status code

5. Report Generation

Creates:

  • JSON structured report
  • HTML formatted table with severity coloring

📈 Severity Ratings

Severity | Meaning
HIGH     | Critical header missing; high exploitability (CSP, HSTS)
MEDIUM   | Important but not critical (XFO, X-Content-Type-Options)
LOW      | Best-practice hardening (Referrer-Policy, Permissions-Policy)

🧩 OWASP Remediation Mapping

The tool follows OWASP best practices for headers:

  • CSP: Prevents XSS & injection
  • HSTS: Prevents downgrade attacks
  • XFO: Stops clickjacking
  • XCTO: Prevents MIME sniffing
  • Referrer-Policy: Reduces data leakage
  • Permissions-Policy: Restricts browser features
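The normalize, evaluate and structure steps from "How It Works", together with the severity tiers and OWASP mapping above, as an added illustration. This is not the project's header_analyzer.py: the header names, severities and remediation intent follow this README, while the function names, remediation wording and the sample response headers are constructed for the example (no network request is made).

```python
"""Constructed walk-through of the analyzer pipeline: normalize URL,
evaluate the six key headers, and build the structured result the
JSON/HTML reports are rendered from. Not the project's own code."""

# Severity tiers as assigned in the README's Severity Ratings table;
# remediation strings are illustrative, not the tool's exact text.
SECURITY_HEADERS = {
    "Content-Security-Policy": ("HIGH", "Define a restrictive CSP to mitigate XSS and injection."),
    "Strict-Transport-Security": ("HIGH", "Send HSTS with a long max-age to prevent downgrade attacks."),
    "X-Frame-Options": ("MEDIUM", "Set DENY or SAMEORIGIN to stop clickjacking."),
    "X-Content-Type-Options": ("MEDIUM", "Set nosniff to prevent MIME sniffing."),
    "Referrer-Policy": ("LOW", "Set a strict policy to reduce referrer data leakage."),
    "Permissions-Policy": ("LOW", "Restrict browser features the application does not need."),
}


def normalize_url(target: str) -> str:
    """Step 1: prepend https:// when the target carries no http(s) scheme."""
    target = target.strip()
    if not target.lower().startswith(("http://", "https://")):
        target = "https://" + target
    return target


def evaluate_headers(url: str, status: int, headers: dict) -> dict:
    """Steps 3-4: check each key header and return the structured result.
    Header names are matched case-insensitively, as HTTP field names are
    case-insensitive; a naive exact-key lookup would report false MISSING."""
    lower = {k.lower(): v for k, v in headers.items()}
    present, missing = [], []
    for name, (severity, fix) in SECURITY_HEADERS.items():
        if name.lower() in lower:
            present.append({"header": name, "value": lower[name.lower()], "severity": severity})
        else:
            missing.append({"header": name, "severity": severity, "remediation": fix})
    return {"url": url, "status": status, "present": present, "missing": missing, "raw": headers}


# Constructed sample response (not a real capture): CSP is set in lower
# case, HSTS and X-Frame-Options are absent.
SAMPLE_HEADERS = {
    "content-security-policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer",
    "Permissions-Policy": "camera=(), microphone=()",
}

if __name__ == "__main__":
    result = evaluate_headers(normalize_url("example.com"), 200, SAMPLE_HEADERS)
    for h in result["present"]:
        print(f"[+] {h['header']} (OK)")
    for h in result["missing"]:
        print(f"[-] {h['header']} MISSING | Severity: {h['severity']}")
```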

📌 Example HTML Report Preview

(Automatically generated)

+--------------------------------------------------------------+
|               HTTP Security Header Report                    |
+--------------------------------------------------------------+
| URL: https://example.com                                     |
| Status: 200                                                  |
|--------------------------------------------------------------|
| Missing Headers:                                             |
|    HSTS - HIGH severity - remediation text...                |
|    X-Frame-Options - MEDIUM severity - remediation text...   |
| Present Headers:                                             |
|    Content-Security-Policy - HIGH severity (OK)              |
+--------------------------------------------------------------+

📌 Roadmap / Future Enhancements

  • Scan recursion for pages discovered via sitemap
  • CSP quality scoring
  • Response header entropy checks
  • Policy misconfiguration detection
  • Passive fingerprinting detection

πŸ§‘β€βš–οΈ Ethical Disclaimer

This tool is intended for authorized security testing and educational use only. Analyzing systems without permission is illegal and unethical.


πŸ‘¨β€πŸ’» Author

Vignesh Mani Offensive Security Researcher GitHub: https://github.com/vigneshoffsec LinkedIn: https://linkedin.com/in/vignesh-m17
