Metadata-Version: 2.3
Name: secheaders
Version: 0.1.1
Summary: Scan HTTP security headers
Project-URL: Homepage, https://github.com/juerkkil/secheaders
Project-URL: Issues, https://github.com/juerkkil/secheaders/issues
Project-URL: Repository, https://github.com/juerkkil/secheaders
Author-email: Jussi-Pekka Erkkilä <jp.erkkila@gmail.com>
Maintainer-email: Jussi-Pekka Erkkilä <jp.erkkila@gmail.com>
License-File: LICENSE
Keywords: security,web
Classifier: Development Status :: 4 - Beta
Classifier: Environment :: Console
Classifier: Intended Audience :: Developers
Classifier: Intended Audience :: System Administrators
Classifier: License :: OSI Approved :: MIT License
Classifier: Programming Language :: Python
Classifier: Topic :: Internet :: WWW/HTTP
Classifier: Topic :: Security
Requires-Python: >=3.8
Description-Content-Type: text/markdown

# secheaders
Python script to check HTTP security headers


Same functionality as securityheaders.io but as Python script. Also checks some server/version headers. Written and tested using Python 3.8.

With minor modifications could be used as a library for other projects.

**NOTE**: The project renamed (2024-10-19) from **securityheaders** to **secheaders** to avoid confusion with PyPI package with similar name.

## Installation

The following assumes you have Python  installed and command `python` refers to python version >= 3.8.

### Install

```
$ pip install secheaders
```

### Building and running locally

1. Clone into repository
2. `python -m build`
3. `pip install dist/secheaders-0.1.1-py3-none-any.whl`
4. Run `secheaders --help`


### Running from source without installation

1. Clone into repository
2. Run `python -m secheaders`


## Usage
```
$ secheaders --help
usage: secheaders [-h] [--max-redirects N] [--insecure] [--json] [--no-color]
                  [--verbose]
                  URL

Scan HTTP security headers

positional arguments:
  URL                Target URL

options:
  -h, --help         show this help message and exit
  --max-redirects N  Max redirects, set 0 to disable (default: 2)
  --insecure         Do not verify TLS certificate chain (default: False)
  --json             JSON output instead of text (default: False)
  --no-color         Do not output colors in terminal (default: False)
  --verbose, -v      Verbose output (default: False)
```


## Example output
```
$ secheaders example.com
Header 'x-frame-options' is missing                                   [ WARN ]
Header 'strict-transport-security' is missing                         [ WARN ]
Header 'content-security-policy' is missing                           [ WARN ]
Header 'x-content-type-options' is missing                            [ WARN ]
Header 'x-xss-protection' is missing                                   [ OK ]
Header 'referrer-policy' is missing                                   [ WARN ]
Header 'permissions-policy' is missing                                [ WARN ]
server: ECAcc (nyd/D147)                                              [ WARN ]
HTTPS supported                                                        [ OK ]
HTTPS valid certificate                                                [ OK ]
HTTP -> HTTPS automatic redirect                                      [ WARN ]
```

## Design principles

The following design principles have been considered:

* Simplicity of the codebase. 
	* The code should be easy to understand and follow without in-depth Python knowledge.
* Avoidance of external dependencies.
	* The Python Standard Libary provides enough tools and libraries for quite many use cases.
* Unix philosophy in general 
	* *"Do one thing and do it well"*

These are not rules set in stone, but should be revisited when doing big design choices.
