The command line tool for the HTTP Observatory
Python
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Failed to load latest commit information.
httpobscli
.flake8
.gitignore
Dockerfile
LICENSE
MANIFEST.in
README.rst
requirements.txt
setup.cfg
setup.py

README.rst

Mozilla HTTP Observatory :: Command Line Utility

Please note that this version of the Observatory CLI has been deprecated, and replaced with a considerably more powerful version.

Getting started with the HTTP Observatory (docker)

$ docker run --rm fgribreau/httpobs-cli www.mozilla.org
Score: 30 [E]
Modifiers:
    [  -5] Initial redirection from http to https is to a different host, preventing HSTS
    [  -5] Subresource Integrity (SRI) not implemented, but all external scripts are loaded over https
    [  -5] X-Content-Type-Options header not implemented
    [ -10] X-XSS-Protection header not implemented
    [ -20] HTTP Strict Transport Security (HSTS) header not implemented
    [ -25] Content Security Policy (CSP) header not implemented

Getting started with the HTTP Observatory (python)

First install the client:

pip install httpobs-cli

$ pip install httpobs-cli

And then scan websites to your heart's content, using our hosted service:

$ httpobs www.mozilla.org
Score: 30 [E]
Modifiers:
    [  -5] Initial redirection from http to https is to a different host, preventing HSTS
    [  -5] Subresource Integrity (SRI) not implemented, but all external scripts are loaded over https
    [  -5] X-Content-Type-Options header not implemented
    [ -10] X-XSS-Protection header not implemented
    [ -20] HTTP Strict Transport Security (HSTS) header not implemented
    [ -25] Content Security Policy (CSP) header not implemented

$ httpobs www.google.com
Score: 35 [D-]
Modifiers:
    [  +5] Preloaded via the HTTP Public Key Pinning (HPKP) preloading process
    [  -5] X-Content-Type-Options header not implemented
    [ -20] Cookies set without using the Secure flag or set over http
    [ -20] HTTP Strict Transport Security (HSTS) header not implemented
    [ -25] Content Security Policy (CSP) header not implemented

$ httpobs --zero github.com
Score: 120 [A+]
Modifiers:
    [  +5] HTTP Public Key Pinning (HPKP) header set to a minimum of 15 days (1296000)
    [  +5] Preloaded via the HTTP Strict Transport Security (HSTS) preloading process
    [  +5] Subresource Integrity (SRI) is implemented and all scripts are loaded from a similar origin
    [  +5] X-Frame-Options (XFO) implemented via the CSP frame-ancestors directive
    [   0] All cookies use the Secure flag and all session cookies use the HttpOnly flag
    [   0] Content Security Policy (CSP) implemented with 'unsafe-inline' inside style-src
    [   0] Content is not visible via cross-origin resource sharing (CORS) files or headers
    [   0] Contribute.json isn't required on websites that don't belong to Mozilla
    [   0] Initial redirection is to https on same host, final destination is https
    [   0] X-Content-Type-Options header set to "nosniff"
    [   0] X-XSS-Protection header set to "1; mode=block"

If you want additional options, such as to see the raw scan output, use httpobs --help:

$ httpobs --help
usage: httpobs [options] host

positional arguments:
  host           hostname of the website to scan

optional arguments:
  -h, --help     show this help message and exit
  -d, --debug    output only raw JSON from scan and tests
  -r, --rescan   initiate a rescan instead of showing recent scan results
  -v, --verbose  display progress indicator
  -x, --hidden   don't list scan in the recent scan results
  -z, --zero     show test results that don't affect the final score

Authors

  • April King

License

  • Mozilla Public License Version 2.0