-
Notifications
You must be signed in to change notification settings - Fork 1
/
sec-gather-http-headers.1.md
78 lines (58 loc) · 3.37 KB
/
sec-gather-http-headers.1.md
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
% SEC-GATHER-HTTP-HEADERS(1)
% Ferry Boender
% July 2019
# NAME
sec-gather-http-headers – Output HTTP security headers for URLs
# SYNOPSIS
**sec-gather-http-headers** [**-h**] [**--version**] [**-d**] [**--annotate** *ANNOTATIONFILE*]
# DESCRIPTION
**sec-gather-http-headers** Gather http-headers firewall status
# OPTIONS
**-h**, **--help**
: Display this help message and exit
**--version**
: show program's version number and exit
**-d** / **--debug**
: Show debug info
# EXAMPLES
Executing:
$ sec-gather-http-headers https://github.com/ https://gitlab.com/
The default output looks like this:
{
"http_headers": {
"https://github.com/": {
"Expect-CT": "max-age=2592000, report-uri=\"https://api.github.com/_private/browser/errors\"",
"Feature-Policy": null,
"Access-Control-Allow-Origin": null,
"X-Frame-Options": "deny",
"Referrer-Policy": "origin-when-cross-origin, strict-origin-when-cross-origin",
"Access-Control-Allow-Headers": null,
"X-XSS-Protection": "1; mode=block",
"Strict-Transport-Security": "max-age=31536000; includeSubdomains; preload",
"Public-key-pins": null,
"Content-Security-Policy": "default-src 'none'; base-uri 'self'; block-all-mixed-content; connect-src 'self' uploads.github.com www.githubstatus.com collector.githubapp.com api.github.com www.google-analytics.com github-cloud.s3.amazonaws.com github-production-repository-file-5c1aeb.s3.amazonaws.com github-production-upload-manifest-file-7fdce7.s3.amazonaws.com github-production-user-asset-6210df.s3.amazonaws.com wss://live.github.com; font-src github.githubassets.com; form-action 'self' github.com gist.github.com; frame-ancestors 'none'; frame-src render.githubusercontent.com; img-src 'self' data: github.githubassets.com identicons.github.com collector.githubapp.com github-cloud.s3.amazonaws.com *.githubusercontent.com customer-stories-feed.github.com; manifest-src 'self'; media-src 'none'; script-src github.githubassets.com; style-src 'unsafe-inline' github.githubassets.com",
"X-Content-Type-Options": "nosniff",
"Access-Control-Allow-Methods": null
},
"https://gitlab.com/": {
"Expect-CT": null,
"Feature-Policy": null,
"Access-Control-Allow-Origin": null,
"X-Frame-Options": null,
"Referrer-Policy": null,
"Access-Control-Allow-Headers": null,
"X-XSS-Protection": "1; mode=block",
"Strict-Transport-Security": "max-age=31536000; includeSubdomains",
"Public-key-pins": null,
"Content-Security-Policy": "frame-ancestors 'self' https://gitlab.lookbookhq.com https://learn.gitlab.com;",
"X-Content-Type-Options": "nosniff",
"Access-Control-Allow-Methods": null
}
}
}
You can use the `reports/sec-gather-http-headers.tpl` report to generate a
HTML matrix overview of URLs and their security headers:
$ sec-gather-http-headers https://github.com/ https://gitlab.com/ | sec-report reports/sec-gather-http-headers.tpl > header_matrix.html
# COPYRIGHT
Copyright 2017-2019, Ferry Boender.
Licensed under the MIT license. For more information, see the LICENSE file.