Skip to content
Obtain information about what your server sends out into the web.
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
img
reqhead-2.0.0/debian
LICENSE
README.md
install-instructions.md
reqhead
requirements.txt

README.md

Request Headers Checker

Useful to see what your site may reveal about your security (or lack thereof).

With this ultra light script (4.6 kb!), you'll see:

  • Server response headers (200 / 403 / 301, etc)
  • SSL registrant information & legitimacy dates

Screencap of reqhead running via command-line: request headers

SSL Information:

ssl headers

Hackers often use scrapers to prowl the web, looking for outdated versions of server applications; what your server returns in headers may give them clues on how to enter your organization without permission. Use this tool to see what they see, so you know what's giving out too much information & subsequently disable it.

Things that attract the bad guys:

  • Outdated versions of Apache, PHP, etc

Ideally, disable the PHP header completely and limit what Apache returns (version numbers are a huge no-no).

If you use something like mod_security, you can even completely change the ServerSignature to something completely unrelated, like CustomBuild

  • Lack of content security policy

While not inherently insecure, lack of CSP headers leave you vulnerable to XSS, which is a common problem in WordPress sites with hacked extensions.

Your visitors may also have existing exploits on their PC, some malware will rewrite portions of the sites a user visits and inject ads and even more malware; utilizing CSP will prevent them from changing what the user sees while on your site.

  • References to WordPress

If you run Wordpress, security by obscurity won't protect you on its own, but it will definitely help make them have to do a bit of extra work to figure out what you're running. They want easy, quick returns. Unless you're specifically being targeted, every little bit helps! Remove all Wordpress headers!! If you do not use xmlrpc, disable and/or delete it! There are plenty of security related extensions, use them.

Simply disabling headers that give clues into poor security practices won't protect you, but if your organization has a lot of red tape you have to go through for OS patches and updates, obfuscating much sought after information can buy you a little time.

🔗 Install Instructions

You can’t perform that action at this time.