A Python CLI tool for analyzing HTTP security headers. Scans target URLs, evaluates security posture, and provides a letter grade with detailed breakdown.
## Features

- Security Header Analysis – Checks for HSTS, CSP, X-Frame-Options, X-Content-Type-Options, and more
- Security Grading – Letter grade (A+ to F) based on header configuration
- HSTS Preload Detection – Sites on browser preload lists get automatic A+ rating
- Sensitive Header Detection – Flags headers that may leak server/stack details
- Flexible Requests – Custom headers, User-Agent override, timeout, and SSL bypass options
## Installation

```bash
# Clone and set up a virtual environment
git clone https://github.com/negoro26/Header-analyzer.git
cd Header-analyzer

# Windows
py -3 -m venv .venv && .\.venv\Scripts\Activate.ps1

# macOS/Linux
python3 -m venv .venv && source .venv/bin/activate

# Install dependencies
pip install requests
```

## Usage

```bash
python header_scanner.py <url> [options]
```

| Flag | Description |
|---|---|
| -k, --insecure | Skip SSL certificate verification |
| --timeout <int> | Request timeout in seconds (default: 10) |
| --user-agent <string> | Override User-Agent header |
| -H, --header "Key: Value" | Add custom request header (repeatable) |
| --no-default-headers | Start with empty header set |
| --json | Output headers as prettified JSON |
## Examples

```bash
# Basic scan
python header_scanner.py example.com

# Skip SSL verification with a shorter timeout
python header_scanner.py https://example.com -k --timeout 5

# Custom headers
python header_scanner.py https://example.com --user-agent "MyScanner/1.0" \
  -H "Accept-Language: en-US"
```

## Grading

Sites are graded based on security header presence and configuration:

| Grade | Score | Description |
|---|---|---|
| A+ | — | Browser Trusted (HSTS preloaded) |
| A+ | 90%+ | Excellent |
| A | 75%+ | Very Good |
| B | 60%+ | Good |
| C | 45%+ | Acceptable |
| D | 30%+ | Poor |
| F | <30% | Critical |

- HTTPS Baseline: +25 pts
- Strict-Transport-Security: +25 pts
- Content-Security-Policy: +20 pts
- X-Content-Type-Options: +10 pts
- X-Frame-Options: +10 pts
- Referrer-Policy: +5 pts
- Permissions-Policy: +5 pts
- Sensitive headers exposed: -2 pts each (max -10)

Sites in the HSTS Preload List receive an automatic A+, since browsers enforce HTTPS for them at the protocol level.
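The scoring table above, re-implemented as an added example (not the project's own header_scanner.py) so a grade can be computed offline from a constructed header set; score_headers() and the list of sensitive header names are assumptions, since the README does not say which headers it flags:

```python
# Added example, not the project's header_scanner.py: re-implements the README's
# scoring table so a grade can be computed offline from a constructed header set.
# score_headers() and the SENSITIVE list are assumptions; the README only says
# that server/stack-leaking headers are penalised, not which names it checks.
from typing import Dict, Optional, Tuple

POINTS = {  # header name (lower-case) -> points, from the README
    "strict-transport-security": 25,
    "content-security-policy": 20,
    "x-content-type-options": 10,
    "x-frame-options": 10,
    "referrer-policy": 5,
    "permissions-policy": 5,
}
HTTPS_BASELINE = 25
SENSITIVE = {"server", "x-powered-by", "x-aspnet-version"}  # assumed list
PENALTY, PENALTY_CAP = 2, 10  # -2 per sensitive header, at most -10
GRADES = [(90, "A+"), (75, "A"), (60, "B"), (45, "C"), (30, "D")]  # min score


def score_headers(url: str, headers: Dict[str, str],
                  preloaded: bool = False) -> Tuple[Optional[int], str]:
    """Return (score, grade); score is None for HSTS-preloaded sites."""
    if preloaded:  # browser-level trust overrides header analysis
        return None, "A+"
    names = {k.lower() for k in headers}  # HTTP header names are case-insensitive
    score = HTTPS_BASELINE if url.lower().startswith("https://") else 0
    score += sum(pts for name, pts in POINTS.items() if name in names)
    score -= min(len(names & SENSITIVE) * PENALTY, PENALTY_CAP)
    score = max(score, 0)
    for minimum, grade in GRADES:
        if score >= minimum:
            return score, grade
    return score, "F"


# Constructed sample: HTTPS site with HSTS, CSP and nosniff, but leaking Server
# and X-Powered-By. 25 + 25 + 20 + 10 - 2*2 = 76 -> "A".
SAMPLE = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "Server": "nginx/1.18.0",
    "X-Powered-By": "PHP/7.4",
}

if __name__ == "__main__":
    print(score_headers("https://example.com", SAMPLE))  # (76, 'A')
```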
## Example Output

```text
[+] Target: https://twitter.com
[+] Status Code: 200
============================================================
[+] SECURITY GRADE
============================================================
Grade: A+ (Browser Trusted)
★ This site is in the HSTS Preload List (twitter.com)
★ HSTS is built into all major browsers (Chrome, Firefox, Safari, Edge)
★ Browsers will ALWAYS use HTTPS for this site, even on first visit
★ Header analysis is not needed - browser-level trust is the gold standard
```
## Requirements

- Python 3.8+
- requests

## License

MIT