I did this tool to help me to check which security headers are enabled on certain websites.
The tool is very simple and it's the result of few minutes of coding.
It just check headers and print a report about which are enabled and which not
I think there is a lot to improve, and I will be grateful if somebody wants to help
- Check common HTTP security headers
- Identify missing or misconfigured headers
- JSON output support
- Custom headers, cookies, and proxy support
- NEW: Cookie security analysis (flags like
Secure,HttpOnly,SameSite)
pip3 install shcheck
shcheck.py https://insecurity.blogFirst build your docker container using something like this:
docker build -t shcheck .
Then simply run your docker container using something like this where you specify which website you want to check headers on:
docker run -it --rm shcheck https://insecurity.blog
git clone https://github.com/santoru/shcheck && cd shcheck
./shcheck.py https://insecurity.blogIf you want to run shcheck as a standalone script, just grab the shcheck.py script from the shcheck module/folder and copy it around.
Usage: ./shcheck.py [options] <target>
options:
-h, --help show this help message and exit
-p, --port PORT Set a custom port to connect to
-c, --cookie COOKIE_STRING
Set cookies for the request
-a, --add-header HEADER_STRING
Add headers for the request e.g. 'Header: value'
-d, --disable-ssl-check
Disable SSL/TLS certificate validation
-g, --use-get-method Use GET method instead HEAD method
-m, --use-method {HEAD,GET,POST,PUT,DELETE,TRACE}
Use a specified method
-j, --json-output Print the output in JSON format
-i, --information Display information headers
-x, --caching Display caching headers
-k, --deprecated Display deprecated headers
--proxy PROXY_URL Set a proxy (Ex: http://127.0.0.1:8080)
--hfile PATH_TO_FILE Load a list of hosts from a flat file
--colours, --colors COLOURS
Set up a colour profile [dark/light/none]
--no-follow Do not follow HTTP redirects (return 3xx response)
-C, --check-cookies Check cookie security attributes