SecHeaderAudit

🔒 A comprehensive HTTP security headers analyzer for penetration testers and web developers.

🎯 Overview

SecHeaderAudit is a Python tool that analyzes the HTTP security headers returned by a web application. It produces a weighted security score, color-coded output for quick reading, and specific recommendations for hardening the response headers and cookies.


✨ Features

  • Comprehensive Header Analysis: Checks 7 critical security headers
  • Weighted Scoring System: Prioritizes more important security headers
  • Cookie Security Audit: Analyzes HttpOnly, Secure, and SameSite flags
  • Visual Feedback: Color-coded results for quick assessment
  • Actionable Recommendations: Specific guidance for security improvements
  • Professional Reporting: Clean, formatted output suitable for client reports

📦 Installation

Prerequisites

  • Python 3.6+
  • pip package manager

Install required packages

pip install requests colorama

Optional: Install figlet and lolcat for enhanced banner (Linux/Mac)

sudo apt-get install figlet lolcat  # Debian/Ubuntu
# or
brew install figlet lolcat         # macOS

Clone the repository

git clone https://github.com/OusH4x/SecHeaderAudit.git
cd SecHeaderAudit

🚀 Usage

Basic usage

python3 SecHeaderAudit.py -u https://example.com

Command line options

usage: SecHeaderAudit.py [-h] -u URL

SecHeaderAudit - HTTP Security Headers Analyzer

options:
  -h, --help         show this help message and exit
  -u URL, --url URL  URL to analyze

πŸ” Headers Analyzed

| Header | Importance | Description | Weight |
|---|---|---|---|
| Strict-Transport-Security (HSTS) | 🔴 Critical | Enforces HTTPS connections | 3.0 |
| Content-Security-Policy (CSP) | 🔴 Critical | Prevents XSS attacks | 3.0 |
| X-Content-Type-Options | 🟠 High | Prevents MIME type sniffing | 2.0 |
| X-Frame-Options | 🟠 High | Prevents clickjacking attacks | 2.0 |
| Referrer-Policy | 🟠 High | Controls referrer information | 2.0 |
| Permissions-Policy | 🟠 High | Controls browser features | 2.0 |
| X-XSS-Protection | 🟡 Medium | Legacy XSS protection | 1.0 |

πŸͺ Cookie Security Analysis

The tool analyzes Set-Cookie headers for three critical security flags:

| Flag | Importance | Protection Against |
|---|---|---|
| HttpOnly | 🔴 Critical | XSS attacks accessing cookies |
| Secure | 🔴 Critical | Cookie transmission over HTTP |
| SameSite | 🟠 High | CSRF attacks |

📊 Scoring System

SecHeaderAudit uses a weighted scoring system to prioritize more critical security headers:

Header Weights

  • Critical Headers (3.0): HSTS, CSP, Cookies
  • High Importance (2.0): X-Content-Type-Options, X-Frame-Options, Referrer-Policy, Permissions-Policy
  • Medium Importance (1.0): X-XSS-Protection

Scoring Calculation

Total Score = Σ(Header Score × Header Weight)
Maximum Score = Σ(Max Header Score × Header Weight)
Final Percentage = (Total Score / Maximum Score) × 100

Score Interpretation

  • 90-100%: Excellent security posture
  • 70-89%: Good, with minor improvements needed
  • 50-69%: Fair, several security enhancements required
  • Below 50%: Poor, significant security issues
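An added worked example, not the project's own code, that applies the weights from the headers table and the scoring formula above to a constructed set of response headers and computes the interpretation band. The HSTS partial-credit rule, the averaging of cookie flags across cookies, and leaving the cookie term out when a response sets no cookie are assumptions of this example.

```python
import re
# Weights follow the README table; per-header rules, cookie averaging and the
# no-cookie case are assumptions of this example, not the tool's own code.
HEADER_WEIGHTS = {
    "strict-transport-security": 3.0,
    "content-security-policy": 3.0,
    "x-content-type-options": 2.0,
    "x-frame-options": 2.0,
    "referrer-policy": 2.0,
    "permissions-policy": 2.0,
    "x-xss-protection": 1.0,
}
COOKIE_WEIGHT = 3.0  # cookies sit in the Critical tier
COOKIE_FLAGS = ("httponly", "secure", "samesite")

def header_score(name, value):
    """Score in [0, 1]; HSTS needs max-age >= 31536000 + includeSubDomains for 1.0."""
    if value is None:
        return 0.0
    if name == "strict-transport-security":
        m = re.search(r"max-age=(\d+)", value, re.I)
        if not m:
            return 0.0
        score = 0.5 if int(m.group(1)) >= 31536000 else 0.25
        return score + (0.5 if "includesubdomains" in value.lower() else 0.0)
    return 1.0  # any other header: present counts as configured

def cookie_score(set_cookie_values):
    """Fraction of HttpOnly/Secure/SameSite present, averaged over all cookies."""
    per_cookie = []
    for raw in set_cookie_values:
        attrs = [a.strip().lower().split("=")[0] for a in raw.split(";")[1:]]
        per_cookie.append(sum(f in attrs for f in COOKIE_FLAGS) / len(COOKIE_FLAGS))
    return sum(per_cookie) / len(per_cookie) if per_cookie else 0.0

def audit(headers, cookies):
    """headers: lower-cased name -> value; cookies: raw Set-Cookie values."""
    total = sum(header_score(n, headers.get(n)) * w for n, w in HEADER_WEIGHTS.items())
    maximum = sum(HEADER_WEIGHTS.values())
    if cookies:  # no Set-Cookie at all: nothing to grade, so leave the term out
        total += cookie_score(cookies) * COOKIE_WEIGHT
        maximum += COOKIE_WEIGHT
    pct = round(total / maximum * 100, 1)
    band = ("Excellent" if pct >= 90 else "Good" if pct >= 70
            else "Fair" if pct >= 50 else "Poor")
    return total, maximum, pct, band

# Constructed sample mirroring the README's "Analysis with Security Issues" case
SAMPLE_HEADERS = {"x-frame-options": "DENY"}
SAMPLE_COOKIES = ["session=abc123; path=/"]
```

Calling `audit(SAMPLE_HEADERS, SAMPLE_COOKIES)` returns `(2.0, 18.0, 11.1, 'Poor')`: only X-Frame-Options earns its 2.0 weight, and the unflagged cookie contributes nothing.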

👀 Output Examples

Successful Analysis

$ python3 SecHeaderAudit.py -u https://example.com

 ____            _   _                _            _             _ _ _   
/ ___|  ___  ___| | | | ___  __ _  __| | ___ _ __ / \  _   _  __| (_) |_ 
\___ \ / _ \/ __| |_| |/ _ \/ _` |/ _` |/ _ \ '__/ _ \| | | |/ _` | | __|
 ___) |  __/ (__|  _  |  __/ (_| | (_| |  __/ | / ___ \ |_| | (_| | | |_ 
|____/ \___|\___|_| |_|\___|\__,_|\__,_|\___|_|/_/   \_\__,_|\__,_|_|\__|

Made by OusH4x

Analyzing security headers for: https://example.com

Security Headers Analysis for: https://example.com
================================================
Security Score: 15.5/19.0 (81.6%)

Header Analysis:
----------------
HSTS: ✓ - max-age=31536000; includeSubDomains (2.0/2.0)
CSP: ✓ - default-src 'self'; script-src 'self' 'unsafe-inline'... (1.0/1.0)
X-Content-Type-Options: ✓ - nosniff (1.0/1.0)
X-Frame-Options: ✓ - SAMEORIGIN (1.0/1.0)
X-XSS-Protection: ✓ - 1; mode=block (1.0/1.0)
Referrer-Policy: ✓ - strict-origin-when-cross-origin (1.0/1.0)
Permissions-Policy: ✓ - geolocation=(), microphone=()... (1.0/1.0)

Cookie Analysis:
-----------------
Set-Cookie: sessionId=abc123; Secure; HttpOnly; SameSite=Strict
HttpOnly: ✓
Secure: ✓
SameSite: ✓
Cookie Security Score: 3.0/3.0

Recommendations:
----------------
- Improve HSTS: includeSubDomains and max-age>=31536000

Analysis with Security Issues

Security Score: 7.0/19.0 (36.8%)

Header Analysis:
----------------
HSTS: ✗ - Missing (0.0/2.0)
CSP: ✗ - Missing (0.0/1.0)
X-Content-Type-Options: ✗ - Missing (0.0/1.0)
X-Frame-Options: ✓ - DENY (1.0/1.0)
X-XSS-Protection: ✗ - Missing (0.0/1.0)
Referrer-Policy: ✗ - Missing (0.0/1.0)
Permissions-Policy: ✗ - Missing (0.0/1.0)

Cookie Analysis:
-----------------
Set-Cookie: session=abc123; path=/
HttpOnly: ✗
Secure: ✗
SameSite: ✗
Cookie Security Score: 0.0/3.0

Recommendations:
----------------
- Implement HSTS to enforce HTTPS connections
- Add Content Security Policy to prevent XSS attacks
- Set X-Content-Type-Options to 'nosniff'
- Enable X-XSS-Protection for legacy browsers
- Set Referrer-Policy to control referrer information
- Implement Permissions-Policy for feature control
- Add HttpOnly flag to cookies to prevent XSS access
- Add Secure flag to cookies for HTTPS-only transmission
- Implement SameSite attribute for CSRF protection

🤝 Contributing

We welcome contributions! Please feel free to submit pull requests, report bugs, or suggest new features.

Planned Features

  • Batch scanning of multiple URLs
  • JSON/CSV export functionality
  • Comparison with OWASP security standards
  • Integration with CI/CD pipelines
  • Historical tracking of security improvements

πŸ‘¨β€πŸ’» Author

SecHeaderAudit - Because security headers shouldn't be an afterthought.
