Skip to content
/ humble Public

A humble, and ๐—ณ๐—ฎ๐˜€๐˜, security-oriented HTTP headers analyzer.

License

Notifications You must be signed in to change notification settings

rfc-st/humble

Folders and files

NameName
Last commit message
Last commit date

Latest commit

ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 
ย 

Repository files navigation

humble



A humble and fast HTTP Response Header Security Analyzer

A quick analysis with 'humble'!

"A journey of a thousand miles begins with a single step. - Lao Tzu"

"And if you don't keep your feet, there's no knowing where you might be swept off to. - Bilbo Baggins"

Table of contents

Features
Screenshots
Installation & Update
Usage
Advanced Usage
Checks: Missing Headers
Checks: Fingerprint Headers
Checks: Deprecated Headers and Insecure Values
Checks: Empty Values
Guidelines included
To-Do
Further Reading
Contribute
Acknowledgements
License

Features

โœ”๏ธ 14 checks of missing HTTP response headers.
โœ”๏ธ 1131 checks of fingerprinting through HTTP response headers.
โœ”๏ธ 109 checks of deprecated HTTP response headers/protocols or with insecure/wrong values.
โœ”๏ธ SSL/TLS checks (requires the amazing https://testssl.sh/).
โœ”๏ธ Browser support references for enabled HTTP security headers.
โœ”๏ธ Two types of analysis: brief and detailed, along with HTTP response headers.
โœ”๏ธ Can exclude specific HTTP response headers from the analysis.
โœ”๏ธ Can export each analysis to CSV, HTML5, JSON, PDF 1.4 and TXT (and in the PATH of your choice).
โœ”๏ธ Each detailed analysis may include up to dozens of official links, references and technical articles.
โœ”๏ธ l10n: can display each analysis, the messages and almost all errors in English or Spanish.
โœ”๏ธ Saves each analysis, showing at the end the improvements or deficiencies in relation to the last one.
โœ”๏ธ Can display analysis statistics: either against a specific URL or all of them.
โœ”๏ธ Can display fingerprint statistics: either against a specific term or the Top 20.
โœ”๏ธ Code reviewed via Bandit, Flake8, pyinstrument, SonarLint, Sourcery and vermin.
โœ”๏ธ Tested (one by one) on thousands of URLs.
โœ”๏ธ Tested on Kali Linux 2021.1, macOS 14.2.1 and Windows 10 20H2.
โœ”๏ธ Almost all the code under one of the most permissive licenses: MIT.
โœ”๏ธ Regularly updated.
โœ”๏ธ Minimal dependencies required.
โœ”๏ธ Featured on OWASP, Kali Linux, Artemis, DefectDojo and HackTricks.
โœ”๏ธ Developed entirely in my spare time, no strings attached: feel free to try it out and integrate it into your projects!.
โœ”๏ธ And with the approval of several AI ๐Ÿ˜„!.

Screenshots

.: (Windows) - Brief analysis.

(Windows) - Brief analysis


.: (Linux) - Brief analysis along with HTTP response headers.

(Linux) - Brief analysis along with HTTP response headers


.: (Linux) - Detailed analysis, in Spanish.

(Linux) - Detailed analysis in Spanish


.: (Linux) - SSL/TLS checks.

Options used: -f -g -p -U -s --hints

(Linux) - SSL/TLS checks (requires https://testssl.sh/ and Linux/Unix client)


.: (Linux) - List of HTTP fingerprint headers based on a specific term.

(Linux) - List of HTTP fingerprint headers based on a specific term


.: (Linux) - Brief analysis saved as CSV. Example.

(Linux) - Brief analysis saved as CSV


.: (Windows) - Detailed analysis saved as PDF. Example.

(Windows) - Detailed analysis saved as PDF


.: (Linux) - Detailed analysis saved as HTML. Example.

(Linux) - Detailed analysis saved as HTML


.: (Linux) - Brief analysis saved as JSON. Example.

(Linux) - Brief analysis saved as JSON


.: (Linux) - Analysis history file: Date, URL, Missing, Fingerprint, Deprecated/Insecure, Empty headers & Total warnings (the four previous totals).

(Linux) - Analysis history file: Date, URL, Missing, Fingerprint, Deprecated/Insecure, Empty headers & Total warnings (the four previous totals)


.: (Linux) - Statistics of the analysis performed against a specific URL.

(Linux) - Statistics of the analysis performed against a specific URL


.: (Linux) - Statistics of the analysis performed against all URLs, in Spanish.

(Linux) - Statistics of the analysis performed against all URLs in Spanish


Installation & Update

Note

Python 3.9 or higher is required.

# Install python3 and python3-pip if not exist
(Windows) https://www.python.org/downloads/windows/
(Linux) if not installed by default, install them via, e.g. Synaptic, apt, dnf, yum ...
(macOS) https://www.python.org/downloads/macos/

# Install Git
(Windows) https://git-scm.com/download/win
(Linux) https://git-scm.com/download/linux
(macOS) https://git-scm.com/download/mac

# Clone this Git Repository
$ git clone https://github.com/rfc-st/humble.git

# Change the working directory to 'humble'
$ cd humble

# Install the required dependencies
$ pip3 install -r requirements.txt

# (Recommended) Check for updates weekly, inside 'humble' directory
$ git pull

# Or download the latest release, every four to five weeks
https://github.com/rfc-st/humble/releases

Usage

(Windows) $ py humble.py
(Linux)   $ python3 humble.py
(macOS)   $ python3 humble.py

usage: humble.py [-h] [-a] [-b] [-df] [-e [TESTSSL_PATH]] [-f [FINGERPRINT_TERM]] [-g] [-l {es}] [-o {csv,html,json,pdf,txt}] [-op OUTPUT_PATH] [-r]
                 [-s [SKIPPED_HEADERS ...]] [-u URL] [-ua USER_AGENT] [-v]

'humble' (HTTP Headers Analyzer) | https://github.com/rfc-st/humble | v.2024-07-13

options:
  -h, --help                  show this help message and exit
  -a                          Shows statistics of the performed analysis; will be global if the '-u' parameter is omitted
  -b                          Shows overall findings; if this parameter is omitted detailed ones will be shown
  -df                         Do not follow redirects; if this parameter is omitted the last redirection will be the one analyzed
  -e [TESTSSL_PATH]           Shows TLS/SSL checks; requires https://testssl.sh/
  -f [FINGERPRINT_TERM]       Shows fingerprint statistics; will be the Top 20 if 'FINGERPRINT_TERM', e.g. 'Google', is omitted
  -g                          Shows guidelines for enabling security HTTP response headers on popular servers/services
  -l {es}                     The language for displaying analysis, errors and messages; will be in English if this parameter is omitted
  -o {csv,html,json,pdf,txt}  Exports analysis to 'scheme_host_port_yyyymmdd.ext' file; csv/json files will contain a brief analysis
  -op OUTPUT_PATH             Exports analysis to 'OUTPUT_PATH'; if this parameter is omitted the PATH of 'humble.py' will be used
  -r                          Shows HTTP response headers and a detailed analysis; '-b' parameter will take priority
  -s [SKIPPED_HEADERS ...]    Skip analysis of HTTP response headers specified in 'SKIPPED_HEADERS' (separated by spaces)
  -u URL                      Scheme, host and port to analyze. E.g. https://google.com
  -ua USER_AGENT              User-Agent ID from 'additional/user_agents.txt' to use. '0' will show all and '1' is the default
  -v, --version               Checks for updates at https://github.com/rfc-st/humble

examples:
  -a -l es                    Shows statistics (in Spanish) of the analysis performed against all URLs
  -f Google                   Shows HTTP fingerprint headers related to the term 'Google'
  -u URL -a                   Shows statistics of the analysis performed against the URL
  -u URL -b                   Analyzes the URL and reports overall findings
  -u URL -b -o csv            Analyzes the URL and exports overall findings to CSV
  -u URL -l es                Analyzes the URL and reports (in Spanish) detailed findings
  -u URL -o pdf               Analyzes the URL and exports detailed findings to PDF
  -u URL -r                   Analyzes the URL and reports detailed findings along with HTTP response headers
  -u URL -s ETag NEL          Analyzes the URL and skips checks associated with 'ETag' and 'NEL' HTTP response headers
  -u URL -ua 4                Analyzes the URL using the fourth User-Agent of 'additional/user_agents.txt'

Advanced Usage

.: (Linux) - Show only the analysis summary.

$ python3 humble.py -u https://www.spacex.com | grep -A 8 "\!." | sed $'1i \n'

Show only the analysis summary (Linux)

.: (Windows) - Show only the analysis summary, in Spanish. PowerShell >= 7 required.

$ py humble.py -u https://www.spacex.com -l es | Select-String -Pattern '!.' -Context 1,8 -NoEmphasis

Show only the analysis summary (Windows, in Spanish. PowerShell >= 7 required)

.: (Linux) - Show only the URL, date and analysis summary.

$ python3 humble.py -u https://www.spacex.com | grep -A7 -E "0. Info|\!." | grep -v "^\[1\." | sed 's/[--]//g' | sed -e '/./b' -e :n -e 'N;s/\n$//;tn' | sed $'1i \n'

Show URL, date and the analysis summary (Linux)

.: (Linux) - Show only the deprecated headers/protocols and insecure values.

$ python3 humble.py -u https://www.spacex.com | sed -n '/\[3/,/^\[4/ { /^\[4/!p }' | sed '$d' | sed $'1i \n'

Show only the deprecated headers/protocols and insecure values (Linux)

.: (Linux) - Check for HTTP client errors (4XX).

$ python3 humble.py -u https://my.prelude.software/demo/index.pl | grep -A1 -B5 'Note : \|Nota : ' --color=never

Check for HTTP client errors (4XX) (Linux)

.: (Linux) - Analyze multiple URLs and save the results as PDFs.

$ datasets=('https://facebook.com' 'https://github.com' 'https://www.spacex.com'); for dataset in "${datasets[@]}"; do python3 humble.py -u "$dataset" -o pdf; done

Analyze multiple URLs and save the results as PDFs

Checks: Missing Headers


Show / Hide
Cache-Control Clear-Site-Data Content-Type
Content-Security-Policy Cross-Origin-Embedder-Policy Cross-Origin-Opener-Policy
Cross-Origin-Resource-Policy NEL Permissions-Policy
Referrer-Policy Strict-Transport-Security X-Content-Type-Options
X-Frame-Options X-Permitted-Cross-Domain-Policies

Checks: Fingerprint headers

Check this file.

Checks: Deprecated headers/protocols and insecure values

Check this file.

Note

humble tries to be strict: both in checking HTTP response headers and their values; some of these headers may be experimental and you may not agree with all the results after analysis.

And that's OK! ๐Ÿ˜ƒ; you should never blindly trust the results of security tools: there should be further work to decide whether the risk is non-existent, potential or real depending on the analyzed URL (its exposure, environment, etc).

Checks: Empty values

Any HTTP response header.

Guidelines included to enable security HTTP headers

  • Amazon Web Services
  • Apache HTTP Server
  • Cloudflare
  • LiteSpeed Web Server
  • Microsoft Internet Information Services
  • Nginx
  • Node.js
  • WordPress

To-Do

  • Add more Header/Value checks (only security-oriented)
  • A new detailed analysis of all CSP directives/values (W3C Level 2 & 3)
  • Google Style Python Docstrings and documentation via Sphinx

Further reading

https://caniuse.com/
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers
https://github.com/search?q=http+headers+analyze
https://github.com/search?q=http+headers+secure
https://github.com/search?q=http+headers+security
https://owasp.org/www-project-secure-headers/
https://securityheaders.com/
https://scotthelme.co.uk/
https://webtechsurvey.com/common-response-headers
https://www.w3.org

Contribute

Thanks for downloading 'humble', for trying it and for your time!.

Acknowledgements

License

MIT ยฉ 2020-2024 Rafa 'Bluesman' Faura (rafael.fcucalon@gmail.com)
Original Creator - Rafa 'Bluesman' Faura (rafael.fcucalon@gmail.com)