Context
Modern HTTP servers should advertise a known-good set of security headers.
Each header has its own pass/fail and threshold semantics (e.g.
Strict-Transport-Security: present, max-age >= N, includeSubDomains,
preload). Bundling these into the availability check would conflict with
CONTRIBUTING's "one tool, one task" rule and with the per-header threshold
model. This plugin is the natural sibling of http.
The output model follows public security-headers grading services
(securityheaders.com / Snyk, Mozilla Observatory): an overall grade A+ to F
based on header presence and quality.
Scope
Plugin security-headers. Issues an HTTP GET (or HEAD, configurable)
and inspects the response headers.
Headers covered (alphabetical):
Content-Security-Policy (presence; flag unsafe-inline, unsafe-eval,
wildcards in default-src/script-src/style-src)
Cross-Origin-Embedder-Policy
Cross-Origin-Opener-Policy
Cross-Origin-Resource-Policy
Permissions-Policy (presence)
Referrer-Policy (presence; recommended values)
Strict-Transport-Security (presence; max-age threshold;
includeSubDomains; preload)
X-Content-Type-Options: nosniff
X-Frame-Options or frame-ancestors directive in CSP
Information-leakage flags (warn if present):
Server, X-Powered-By, X-AspNet-Version, X-AspNetMvc-Version.
Parameters:
--always-ok, --insecure, --no-proxy, --timeout
--url, --method GET|HEAD (default GET), --header (append),
--user-agent, --http-version
--hsts-warn-max-age, --hsts-crit-max-age: Nagios ranges over HSTS
max-age in seconds. Values accept compound human-duration syntax (e.g.
180d:), parsed via lib.human.humanrange2seconds.
--require (CSV; headers that, if missing, raise CRIT)
--ignore (CSV regex; headers to skip; case-insensitive)
--lengthy, --brief
--warning, --critical: Nagios ranges over the numeric grade.
Output:
- Default: overall grade (A+, A, B, C, D, E, F) plus a one-line summary per
failing header.
--lengthy: table with Header, Status, Value, Issue.
State mapping: WARN if the grade is worse than B, CRIT if worse than D;
both thresholds configurable via --warning and --critical as Nagios ranges
on the numeric grade.
Perfdata: numeric grade (e.g. A+=12 down to F=0; monotone, with one
distinct integer per letter grade so that --warning/--critical ranges apply
to it) for trending, plus one boolean per header (hsts_present,
csp_present, ...).
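The sketch below is an added example of the check logic described above, written for this issue; it is not code from the plugin or from the Linuxfabrik lib. The function names (evaluate, nagios_state, parse_hsts, parse_csp), the point deductions and the 12..0 grade scale are assumptions chosen for illustration; the real plugin would parse --hsts-warn-max-age via lib.human.humanrange2seconds rather than taking plain seconds, and would fetch the headers over HTTP instead of using the constructed dict.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample response headers for the example; not captured from any real host.
SAMPLE_HEADERS: Dict[str, str] = {
    "Strict-Transport-Security": "max-age=3600; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https://*; "
                               "frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "unsafe-url",
    "Server": "nginx/1.24.0",
    "X-Powered-By": "PHP/8.2",
}

LEAK_HEADERS = ("Server", "X-Powered-By", "X-AspNet-Version", "X-AspNetMvc-Version")
# Referrer-Policy values accepted as "recommended" in this example (assumption).
REFERRER_OK = {"no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin"}
CSP_RISKY_DIRECTIVES = ("default-src", "script-src", "style-src")
# Assumed numeric scale: 12 = A+ down to 0 = F, two points per letter grade.
GRADE_STEPS = [(12, "A+"), (10, "A"), (8, "B"), (6, "C"), (4, "D"), (2, "E"), (0, "F")]


def header_get(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive lookup; HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def parse_hsts(value: str) -> Dict[str, object]:
    """Split an HSTS value into max_age (int or None), include_subdomains, preload."""
    result: Dict[str, object] = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        low = part.strip().lower()
        if low.startswith("max-age="):
            digits = low[len("max-age="):].strip('"')
            if digits.isdigit():
                result["max_age"] = int(digits)
        elif low == "includesubdomains":
            result["include_subdomains"] = True
        elif low == "preload":
            result["preload"] = True
    return result


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Map lower-cased CSP directive names to their source-expression lists."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return policy


def csp_issues(policy: Dict[str, List[str]]) -> List[str]:
    """Flag unsafe-inline, unsafe-eval and wildcard sources in the risky directives."""
    issues = []
    for name in CSP_RISKY_DIRECTIVES:
        for src in policy.get(name, []):
            low = src.lower()
            if low in ("'unsafe-inline'", "'unsafe-eval'"):
                issues.append(f"{name} allows {low}")
            elif "*" in low:  # bare '*', scheme wildcards and host-part wildcards alike
                issues.append(f"{name} allows wildcard source {src}")
    return issues


def evaluate(headers: Dict[str, str], hsts_min_age: int = 180 * 86400
             ) -> Tuple[int, str, List[str], Dict[str, bool]]:
    """Return (numeric grade, letter grade, findings, per-header presence booleans)."""
    findings: List[str] = []
    present: Dict[str, bool] = {}
    score = 12
    hsts = header_get(headers, "Strict-Transport-Security")
    present["hsts_present"] = hsts is not None
    if hsts is None:
        findings.append("Strict-Transport-Security missing"); score -= 2
    else:
        parsed = parse_hsts(hsts)
        if parsed["max_age"] is None or parsed["max_age"] < hsts_min_age:  # type: ignore[operator]
            findings.append(f"Strict-Transport-Security max-age {parsed['max_age']} below {hsts_min_age}"); score -= 1
        if not parsed["include_subdomains"]:
            findings.append("Strict-Transport-Security lacks includeSubDomains"); score -= 1
    csp = header_get(headers, "Content-Security-Policy")
    present["csp_present"] = csp is not None
    policy = parse_csp(csp) if csp else {}
    if csp is None:
        findings.append("Content-Security-Policy missing"); score -= 2
    for issue in csp_issues(policy):
        findings.append("Content-Security-Policy " + issue); score -= 1
    # Clickjacking protection: X-Frame-Options or a CSP frame-ancestors directive suffices.
    present["xfo_present"] = header_get(headers, "X-Frame-Options") is not None or "frame-ancestors" in policy
    if not present["xfo_present"]:
        findings.append("neither X-Frame-Options nor CSP frame-ancestors set"); score -= 2
    xcto = header_get(headers, "X-Content-Type-Options")
    present["xcto_present"] = xcto is not None and xcto.strip().lower() == "nosniff"
    if not present["xcto_present"]:
        findings.append("X-Content-Type-Options: nosniff missing"); score -= 2
    rp = header_get(headers, "Referrer-Policy")
    present["referrer_policy_present"] = rp is not None
    if rp is None:
        findings.append("Referrer-Policy missing"); score -= 2
    elif rp.strip().lower() not in REFERRER_OK:
        findings.append(f"Referrer-Policy '{rp}' is not a recommended value"); score -= 1
    present["permissions_policy_present"] = header_get(headers, "Permissions-Policy") is not None
    if not present["permissions_policy_present"]:
        findings.append("Permissions-Policy missing"); score -= 2
    for name in LEAK_HEADERS:  # information leakage: warn, one point each
        value = header_get(headers, name)
        if value is not None:
            findings.append(f"{name} leaks '{value}'"); score -= 1
    score = max(score, 0)
    letter = next(letter for floor, letter in GRADE_STEPS if score >= floor)
    return score, letter, findings, present


def nagios_state(score: int, warn_below: int = 8, crit_below: int = 4) -> str:
    """Default mapping: WARN if worse than B (score < 8), CRIT if worse than D (score < 4)."""
    return "CRIT" if score < crit_below else "WARN" if score < warn_below else "OK"


if __name__ == "__main__":
    score, letter, findings, present = evaluate(SAMPLE_HEADERS)
    print(f"{nagios_state(score)} - grade {letter} ({score})")
    for finding in findings:
        print("  " + finding)
    print("perfdata:", " ".join(f"{k}={int(v)}" for k, v in present.items()), f"grade={score}")
```

Run against the constructed sample, the weak HSTS max-age, the unsafe-inline and wildcard script sources, the unsafe-url referrer policy, the missing Permissions-Policy and the two leaking headers each cost points, which lands the response at D and therefore WARN under the default mapping; only an E or F triggers CRIT.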
Dependencies
Linuxfabrik/lib#137 only if HTTP/2 or HTTP/3 endpoints are required.
Reference
- securityheaders.com (Snyk) and Mozilla Observatory for the grading model.
- example plugin for structure.
Classification
New plugin. Enhancement.