@actuallyjamez
Last active November 7, 2019 09:02
drheader readme

drHEADer

drHEADer license

Short description about drHEADer.

Table of Contents

Background

There are a number of HTTP headers which enhance the security of a website when used. Often ignored or unknown, these HTTP security headers help prevent common web application vulnerabilities.

drHEADer helps audit the security headers received in response to a single request or a list of requests.

When combined with the OWASP Application Security Verification Standard (ASVS) 4.0, it is a useful tool to include as part of an automated CI/CD pipeline which checks for missing HTTP headers.

Install

⚠️ This project was developed for Python 3.7+. Whilst it currently works with Python 2.x, its End of Life (EOL) is only a couple of months away, so if possible, use 3.x.

The easiest way to install drHEADer is to clone this repository and install from source:

$ git clone https://github.com/Santandersecurityresearch/DrHeader
$ cd DrHeader
$ python3 setup.py install --user

Usage

There are two ways you could use drHEADer, depending on what you want to achieve.

Library

It is possible to integrate drHEADer into your own projects. See the following example or check out the API for more details.

from drheader import Drheader

# create drheader instance
drheader_instance = Drheader(headers={'X-XSS-Protection': '1; mode=block'}, status_code=200)

report = drheader_instance.analyze()
print(report)

CLI

drHEADer comes packaged with a command line interface for ease of use.

To get started, try scanning a single endpoint against our predefined ruleset, or learn more about creating your own rulesets.

$ drheader scan single https://santander.co.uk


Multiple Endpoints

To scan multiple sites, you'll need the targets in JSON format or in a txt file. The JSON format looks like this:

[
  {
    "url": "https://example.com",
    "params": {
        "example_parameter_key": "example_parameter_value"
    }
  },
  ...
]

You can also use txt files containing one URL per line:

⚠️ Request verbs and parameters are not supported with TXT input.

$ drheader scan bulk -ff targets.txt
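To show how the two bulk-scan input formats differ in practice, here is an added loader (not drHEADer's own code) that reads either the JSON list or the one-URL-per-line txt form described above and normalises each target to a url/params pair, rejecting parameters in txt input. Comment handling with `#` and the exact error messages are assumptions, not documented drHEADer behaviour.

```python
# Added example (not drHEADer's own code): load bulk-scan targets from the
# two input formats the README describes and normalise them to
# {"url": str, "params": dict}. Blank/comment handling in TXT is an assumption.
import json
from urllib.parse import urlsplit


def _check_url(url):
    """Accept only absolute http(s) URLs with a host."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError("not an absolute http(s) URL: %r" % (url,))
    return url


def load_targets(text, fmt):
    """Parse bulk-scan input in 'json' or 'txt' format into a list of targets."""
    targets = []
    if fmt == "json":
        data = json.loads(text)
        if not isinstance(data, list):
            raise ValueError("JSON input must be a list of target objects")
        for entry in data:
            if not isinstance(entry, dict) or "url" not in entry:
                raise ValueError("each target needs a 'url' key: %r" % (entry,))
            params = entry.get("params") or {}
            if not isinstance(params, dict):
                raise ValueError("'params' must be an object: %r" % (entry,))
            targets.append({"url": _check_url(entry["url"]), "params": dict(params)})
    elif fmt == "txt":
        for lineno, raw in enumerate(text.splitlines(), 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue  # skip blank lines and '#' comments (assumption)
            if len(line.split()) != 1:
                # TXT input carries no verbs or parameters: one URL per line only
                raise ValueError("line %d: expected exactly one URL" % lineno)
            targets.append({"url": _check_url(line), "params": {}})
    else:
        raise ValueError("fmt must be 'json' or 'txt'")
    return targets


# Constructed sample inputs mirroring the README's two formats.
SAMPLE_JSON = json.dumps([
    {"url": "https://example.com",
     "params": {"example_parameter_key": "example_parameter_value"}},
    {"url": "https://example.org"},
])
SAMPLE_TXT = "https://example.com\n\n# comment\nhttps://example.net\n"
```

Feeding the result into the library usage shown earlier is one way to drive a CI check without the CLI.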

Options

There are a number of parameters you can specify during bulk scans. These are:

  -p, --post                     Use a post request to obtain headers
  --json                         Output report as json
  --debug                        Show error messages
  --rules FILENAME               Use custom rule set
  --help                         Show this message and exit.

To save scan results, you can use the --json parameter and pipe the output to jq, a lightweight and flexible command-line JSON processor, like so:

$ drheader scan single https://santander.co.uk --json | jq '.'


API

More optional sections

Contributing

See the contributing file!

PRs accepted.

Small note: If editing the Readme, please conform to the standard-readme specification.

Any optional sections

License

MIT © Santander UK Technology.
