{
    "info": {
        "author": "Ricardo Iramar dos Santos",
        "author_email": "ricardo.iramar@gmail.com",
        "bugtrack_url": null,
        "classifiers": [
            "License :: OSI Approved :: GNU General Public License v2 (GPLv2)",
            "Operating System :: OS Independent",
            "Programming Language :: Python :: 2.7"
        ],
        "description": "# hsecscan\n\nA security scanner for HTTP response headers.\n\n# Requirements\n\n* Python 2.x\n\n## Python Modules\n\n* os.path\n* argparse\n* sqlite3\n* urlparse\n* urllib2\n* urllib\n* json\n* ssl\n\n# Install\n\n```\n$ pip install hsecscan\n```\n\n# Usage\n\n```\n$ ./hsecscan.py \nusage: hsecscan.py [-h] [-P] [-p] [-H Header] [-u URL] [-R] [-i]\n                   [-U User-Agent] [-D DBFILE] [-d 'POST data'] [-x PROXY]\n                   [-a]\n\nA security scanner for HTTP response headers.\n\noptional arguments:\n  -h, --help            show this help message and exit\n  -P, --database        Print the entire response headers database.\n  -p, --headers         Print only the enabled response headers from database.\n  -H Header, --header Header\n                        Print details for a specific Header (example: Strict-\n                        Transport-Security).\n  -u URL, --URL URL     The URL to be scanned.\n  -R, --redirect        Print redirect headers.\n  -i, --insecure        Disable certificate verification.\n  -U User-Agent, --useragent User-Agent\n                        Set the User-Agent request header (default: hsecscan).\n  -D DBFILE, --dbfile DBFILE\n                        Set the database file (default: hsecscan.db).\n  -d 'POST data', --postdata 'POST data'\n                        Set the POST data (between single quotes) otherwise\n                        will be a GET (example: '{ \"q\":\"query string\",\n                        \"foo\":\"bar\" }').\n  -x PROXY, --proxy PROXY\n                        Set the proxy server (example: 192.168.1.1:8080).\n  -a, --all             Print details for all response headers. Good for check\n                        the related RFC.\n```\n\n# Example\n\n```\n$ ./hsecscan.py -i -u https://google.com\n>> RESPONSE INFO <<\nURL: https://www.google.com.br/?gfe_rd=cr&ei=GF5HV4ucH7DL8geg-aK4Dw\nCode: 200\nHeaders:\n Date: Thu, 26 May 2016 20:35:36 GMT\n Expires: -1\n Cache-Control: private, max-age=0\n Content-Type: text/html; charset=ISO-8859-1\n P3P: CP=\"This is not a P3P policy! See https://www.google.com/support/accounts/answer/151657?hl=en for more info.\"\n Server: gws\n X-XSS-Protection: 1; mode=block\n X-Frame-Options: SAMEORIGIN\n Set-Cookie: NID=79=hDENeVI81zBYDtmqeCKAc5mxg6AQ-S24ahNqZ8El37rlJmYwUtgJg4vXAya7jKSyB2VqYI33JlLPacGonMPajpcDpUkb7mMtWMbNwIZQ8CyQBA1qXsRhjlLXU_4WExlI; expires=Fri, 25-Nov-2016 20:35:36 GMT; path=/; domain=.google.com.br; HttpOnly\n Alternate-Protocol: 443:quic\n Alt-Svc: quic=\":443\"; ma=2592000; v=\"34,33,32,31,30,29,28,27,26,25\"\n Accept-Ranges: none\n Vary: Accept-Encoding\n Connection: close\n\n>> RESPONSE HEADERS DETAILS <<\nHeader Field Name: X-XSS-Protection\nValue: 1; mode=block\nReference: http://blogs.msdn.com/b/ie/archive/2008/07/02/ie8-security-part-iv-the-xss-filter.aspx\nSecurity Description: This header enables the Cross-site scripting (XSS) filter built into most recent web browsers. It's usually enabled by default anyway, so the role of this header is to re-enable the filter for this particular website if it was disabled by the user. This header is supported in IE 8+, and in Chrome (not sure which versions). The anti-XSS filter was added in Chrome 4. Its unknown if that version honored this header.\nSecurity Reference: https://www.owasp.org/index.php/List_of_useful_HTTP_headers\nRecommendations: Use \"X-XSS-Protection: 1; mode=block\" whenever is possible (ref. http://blogs.msdn.com/b/ieinternals/archive/2011/01/31/controlling-the-internet-explorer-xss-filter-with-the-x-xss-protection-http-header.aspx).\nCWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nCWE URL: https://cwe.mitre.org/data/definitions/79.html\n\nHeader Field Name: Set-Cookie\nValue: NID=79=hDENeVI81zBYDtmqeCKAc5mxg6AQ-S24ahNqZ8El37rlJmYwUtgJg4vXAya7jKSyB2VqYI33JlLPacGonMPajpcDpUkb7mMtWMbNwIZQ8CyQBA1qXsRhjlLXU_4WExlI; expires=Fri, 25-Nov-2016 20:35:36 GMT; path=/; domain=.google.com.br; HttpOnly\nReference: https://tools.ietf.org/html/rfc6265\nSecurity Description: Cookies have a number of security pitfalls. In particular, cookies encourage developers to rely on ambient authority for authentication, often becoming vulnerable to attacks such as cross-site request forgery. Also, when storing session identifiers in cookies, developers often create session fixation vulnerabilities. Transport-layer encryption, such as that employed in HTTPS, is insufficient to prevent a network attacker from obtaining or altering a victim's cookies because the cookie protocol itself has various vulnerabilities. In addition, by default, cookies do not provide confidentiality or integrity from network attackers, even when used in conjunction with HTTPS.\nSecurity Reference: https://tools.ietf.org/html/rfc6265#section-8\nRecommendations: Please at least read these references: https://tools.ietf.org/html/rfc6265#section-8 and https://www.owasp.org/index.php/Session_Management_Cheat_Sheet#Cookies.\nCWE: CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute\nCWE URL: https://cwe.mitre.org/data/definitions/614.html\n\nHeader Field Name: Accept-Ranges\nValue: none\nReference: https://tools.ietf.org/html/rfc7233#section-2.3\nSecurity Description: Unconstrained multiple range requests are susceptible to denial-of-service attacks because the effort required to request many overlapping ranges of the same data is tiny compared to the time, memory, and bandwidth consumed by attempting to serve the requested data in many parts.\nSecurity Reference: https://tools.ietf.org/html/rfc7233#section-6\nRecommendations: Servers ought to ignore, coalesce, or reject egregious range requests, such as requests for more than two overlapping ranges or for many small ranges in a single set, particularly when the ranges are requested out of order for no apparent reason.\nCWE: CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')\nCWE URL: https://cwe.mitre.org/data/definitions/400.html\n\nHeader Field Name: Server\nValue: gws\nReference: https://tools.ietf.org/html/rfc7231#section-7.4.2\nSecurity Description: Overly long and detailed Server field values increase response latency and potentially reveal internal implementation details that might make it (slightly) easier for attackers to find and exploit known security holes.\nSecurity Reference: https://tools.ietf.org/html/rfc7231#section-7.4.2\nRecommendations: An origin server SHOULD NOT generate a Server field containing needlessly fine-grained detail and SHOULD limit the addition of subproducts by third parties.\nCWE: CWE-200: Information Exposure\nCWE URL: https://cwe.mitre.org/data/definitions/200.html\n\nHeader Field Name: Cache-Control\nValue: private, max-age=0\nReference: https://tools.ietf.org/html/rfc7234#section-5.2\nSecurity Description: Caches expose additional potential vulnerabilities, since the contents of the cache represent an attractive target for malicious exploitation.  Because cache contents persist after an HTTP request is complete, an attack on the cache can reveal information long after a user believes that the information has been removed from the network.  Therefore, cache contents need to be protected as sensitive information.\nSecurity Reference: https://tools.ietf.org/html/rfc7234#section-8\nRecommendations: Do not store unnecessarily sensitive information in the cache.\nCWE: CWE-524: Information Exposure Through Caching\nCWE URL: https://cwe.mitre.org/data/definitions/524.html\n\nHeader Field Name: P3P\nValue: CP=\"This is not a P3P policy! See https://www.google.com/support/accounts/answer/151657?hl=en for more info.\"\nReference: http://www.w3.org/TR/P3P11/#syntax_ext\nSecurity Description: While P3P itself does not include security mechanisms, it is intended to be used in conjunction with security tools. Users' personal information should always be protected with reasonable security safeguards in keeping with the sensitivity of the information.\nSecurity Reference: http://www.w3.org/TR/P3P11/#principles_security\nRecommendations: -\nCWE: -\nCWE URL: -\n\nHeader Field Name: Content-Type\nValue: text/html; charset=ISO-8859-1\nReference: https://tools.ietf.org/html/rfc7231#section-3.1.1.5\nSecurity Description: In practice, resource owners do not always properly configure their origin server to provide the correct Content-Type for a given representation, with the result that some clients will examine a payload's content and override the specified type. Clients that do so risk drawing incorrect conclusions, which might expose additional security risks (e.g., \"privilege escalation\").\nSecurity Reference: https://tools.ietf.org/html/rfc7231#section-3.1.1.5\nRecommendations: Properly configure their origin server to provide the correct Content-Type for a given representation.\nCWE: CWE-430: Deployment of Wrong Handler\nCWE URL: https://cwe.mitre.org/data/definitions/430.html\n\nHeader Field Name: X-Frame-Options\nValue: SAMEORIGIN\nReference: https://tools.ietf.org/html/rfc7034\nSecurity Description: The use of \"X-Frame-Options\" allows a web page from host B to declare that its content (for example, a button, links, text, etc.) must not be displayed in a frame (<frame> or <iframe>) of another page (e.g., from host A). This is done by a policy declared in the HTTP header and enforced by browser implementations.\nSecurity Reference: https://tools.ietf.org/html/rfc7034\nRecommendations:  In 2009 and 2010, many browser vendors ([Microsoft-X-Frame-Options] and [Mozilla-X-Frame-Options]) introduced the use of a non-standard HTTP [RFC2616] header field \"X-Frame-Options\" to protect against clickjacking. Please check here https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet what's the best option for your case.\nCWE: CWE-693: Protection Mechanism Failure\nCWE URL: https://cwe.mitre.org/data/definitions/693.html\n\n>> RESPONSE MISSING HEADERS <<\nHeader Field Name: Pragma\nReference: https://tools.ietf.org/html/rfc7234#section-5.4\nSecurity Description: Caches expose additional potential vulnerabilities, since the contents of the cache represent an attractive target for malicious exploitation.\nSecurity Reference: https://tools.ietf.org/html/rfc7234#section-8\nRecommendations: The \"Pragma\" header field allows backwards compatibility with HTTP/1.0 caches, so that clients can specify a \"no-cache\" request that they will understand (as Cache-Control was not defined until HTTP/1.1). When the Cache-Control header field is also present and understood in a request, Pragma is ignored. Define \"Pragma: no-cache\" whenever is possible.\nCWE: CWE-524: Information Exposure Through Caching\nCWE URL: https://cwe.mitre.org/data/definitions/524.html\n\nHeader Field Name: Public-Key-Pins\nReference: https://tools.ietf.org/html/rfc7469\nSecurity Description: HTTP Public Key Pinning (HPKP) is a trust on first use security mechanism which protects HTTPS websites from impersonation using fraudulent certificates issued by compromised certificate authorities. The security context or pinset data is supplied by the site or origin.\nSecurity Reference: https://tools.ietf.org/html/rfc7469\nRecommendations: Deploying Public Key Pinning (PKP) safely will require operational and organizational maturity due to the risk that hosts may make themselves unavailable by pinning to a set of SPKIs that becomes invalid. With care, host operators can greatly reduce the risk of man-in-the-middle (MITM) attacks and other false- authentication problems for their users without incurring undue risk. PKP is meant to be used together with HTTP Strict Transport Security (HSTS) [RFC6797], but it is possible to pin keys without requiring HSTS.\nCWE: CWE-295: Improper Certificate Validation\nCWE URL: https://cwe.mitre.org/data/definitions/295.html\n\nHeader Field Name: Public-Key-Pins-Report-Only\nReference: https://tools.ietf.org/html/rfc7469\nSecurity Description: HTTP Public Key Pinning (HPKP) is a trust on first use security mechanism which protects HTTPS websites from impersonation using fraudulent certificates issued by compromised certificate authorities. The security context or pinset data is supplied by the site or origin.\nSecurity Reference: https://tools.ietf.org/html/rfc7469\nRecommendations: Deploying Public Key Pinning (PKP) safely will require operational and organizational maturity due to the risk that hosts may make themselves unavailable by pinning to a set of SPKIs that becomes invalid. With care, host operators can greatly reduce the risk of man-in-the-middle (MITM) attacks and other false- authentication problems for their users without incurring undue risk. PKP is meant to be used together with HTTP Strict Transport Security (HSTS) [RFC6797], but it is possible to pin keys without requiring HSTS.\nCWE: CWE-295: Improper Certificate Validation\nCWE URL: https://cwe.mitre.org/data/definitions/295.html\n\nHeader Field Name: Strict-Transport-Security\nReference: https://tools.ietf.org/html/rfc6797\nSecurity Description: HTTP Strict Transport Security (HSTS) is a web security policy mechanism which helps to protect secure HTTPS websites against downgrade attacks and cookie hijacking. It allows web servers to declare that web browsers (or other complying user agents) should only interact with it using secure HTTPS connections, and never via the insecure HTTP protocol. HSTS is an IETF standards track protocol and is specified in RFC 6797.\nSecurity Reference: https://tools.ietf.org/html/rfc6797\nRecommendations: Please at least read this reference: https://www.owasp.org/index.php/HTTP_Strict_Transport_Security.\nCWE: CWE-311: Missing Encryption of Sensitive Data\nCWE URL: https://cwe.mitre.org/data/definitions/311.html\n\nHeader Field Name: Frame-Options\nReference: https://tools.ietf.org/html/rfc7034\nSecurity Description: The use of \"X-Frame-Options\" allows a web page from host B to declare that its content (for example, a button, links, text, etc.) must not be displayed in a frame (<frame> or <iframe>) of another page (e.g., from host A). This is done by a policy declared in the HTTP header and enforced by browser implementations.\nSecurity Reference: https://tools.ietf.org/html/rfc7034\nRecommendations:  In 2009 and 2010, many browser vendors ([Microsoft-X-Frame-Options] and [Mozilla-X-Frame-Options]) introduced the use of a non-standard HTTP [RFC2616] header field \"X-Frame-Options\" to protect against clickjacking. Please check here https://www.owasp.org/index.php/Clickjacking_Defense_Cheat_Sheet what's the best option for your case.\nCWE: CWE-693: Protection Mechanism Failure\nCWE URL: https://cwe.mitre.org/data/definitions/693.html\n\nHeader Field Name: X-Content-Type-Options\nReference: http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx\nSecurity Description: The only defined value, \"nosniff\", prevents Internet Explorer and Google Chrome from MIME-sniffing a response away from the declared content-type. This also applies to Google Chrome, when downloading extensions. This reduces exposure to drive-by download attacks and sites serving user uploaded content that, by clever naming, could be treated by MSIE as executable or dynamic HTML files.\nSecurity Reference: https://www.owasp.org/index.php/List_of_useful_HTTP_headers\nRecommendations: Always use the only defined value, \"nosniff\".\nCWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nCWE URL: https://cwe.mitre.org/data/definitions/79.html\n\nHeader Field Name: Content-Security-Policy\nReference: http://www.w3.org/TR/CSP/\nSecurity Description: Content Security Policy requires careful tuning and precise definition of the policy. If enabled, CSP has significant impact on the way browser renders pages (e.g., inline JavaScript disabled by default and must be explicitly allowed in policy). CSP prevents a wide range of attacks, including Cross-site scripting and other cross-site injections.\nSecurity Reference: https://www.owasp.org/index.php/List_of_useful_HTTP_headers\nRecommendations: Read the reference http://www.w3.org/TR/CSP/ and set according to your case. This is not a easy job.\nCWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nCWE URL: https://cwe.mitre.org/data/definitions/79.html\n\nHeader Field Name: X-Content-Security-Policy\nReference: http://www.w3.org/TR/CSP/\nSecurity Description: Content Security Policy requires careful tuning and precise definition of the policy. If enabled, CSP has significant impact on the way browser renders pages (e.g., inline JavaScript disabled by default and must be explicitly allowed in policy). CSP prevents a wide range of attacks, including Cross-site scripting and other cross-site injections.\nSecurity Reference: https://www.owasp.org/index.php/List_of_useful_HTTP_headers\nRecommendations: Read the reference http://www.w3.org/TR/CSP/ and set according to your case. This is not a easy job.\nCWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nCWE URL: https://cwe.mitre.org/data/definitions/79.html\n\nHeader Field Name: X-WebKit-CSP\nReference: http://www.w3.org/TR/CSP/\nSecurity Description: Content Security Policy requires careful tuning and precise definition of the policy. If enabled, CSP has significant impact on the way browser renders pages (e.g., inline JavaScript disabled by default and must be explicitly allowed in policy). CSP prevents a wide range of attacks, including Cross-site scripting and other cross-site injections.\nSecurity Reference: https://www.owasp.org/index.php/List_of_useful_HTTP_headers\nRecommendations: Read the reference http://www.w3.org/TR/CSP/ and set according to your case. This is not a easy job.\nCWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nCWE URL: https://cwe.mitre.org/data/definitions/79.html\n\nHeader Field Name: Content-Security-Policy-Report-Only\nReference: http://www.w3.org/TR/CSP/\nSecurity Description: Like Content-Security-Policy, but only reports. Useful during implementation, tuning and testing efforts.\nSecurity Reference: https://www.owasp.org/index.php/List_of_useful_HTTP_headers\nRecommendations: Read the reference http://www.w3.org/TR/CSP/ and set according to your case. This is not a easy job.\nCWE: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')\nCWE URL: https://cwe.mitre.org/data/definitions/79.html\n```\n\n# Author\n\n* [Ricardo Iramar dos Santos](ricardo.iramar@gmail.com)\n\n",
        "description_content_type": "",
        "docs_url": null,
        "download_url": "",
        "downloads": {
            "last_day": -1,
            "last_month": -1,
            "last_week": -1
        },
        "home_page": "https://github.com/riramar/hsecscan/blob/master/README.md",
        "keywords": "",
        "license": "",
        "maintainer": "",
        "maintainer_email": "",
        "name": "hsecscan",
        "package_url": "https://pypi.org/project/hsecscan/",
        "platform": "",
        "project_url": "https://pypi.org/project/hsecscan/",
        "project_urls": {
            "Homepage": "https://github.com/riramar/hsecscan/blob/master/README.md"
        },
        "release_url": "https://pypi.org/project/hsecscan/0.0.1/",
        "requires_dist": null,
        "requires_python": "",
        "summary": "A security scanner for HTTP response headers.",
        "version": "0.0.1"
    },
    "last_serial": 4022942,
    "releases": {
        "0.0.1": [
            {
                "comment_text": "",
                "digests": {
                    "md5": "d784d42a90acbb0667ec38379155d3c4",
                    "sha256": "27c1493180676a24d68f61be1c9c7e0451b58f44ce7a9ab1428fae7e14ffea09"
                },
                "downloads": -1,
                "filename": "hsecscan-0.0.1-py2-none-any.whl",
                "has_sig": false,
                "md5_digest": "d784d42a90acbb0667ec38379155d3c4",
                "packagetype": "bdist_wheel",
                "python_version": "py2",
                "requires_python": null,
                "size": 31655,
                "upload_time": "2018-07-02T13:35:04",
                "url": "https://files.pythonhosted.org/packages/2e/8e/7e32a1707069a46303e65390e68a6d513dbb5844eb3f350587f3467943d1/hsecscan-0.0.1-py2-none-any.whl"
            },
            {
                "comment_text": "",
                "digests": {
                    "md5": "a9dba9539381b06625b2e9d6d6db21d4",
                    "sha256": "d2e17770876c398926cb2dded9182209ea617b4a4edbe1d61443888dfe61b1b2"
                },
                "downloads": -1,
                "filename": "hsecscan-0.0.1.tar.gz",
                "has_sig": false,
                "md5_digest": "a9dba9539381b06625b2e9d6d6db21d4",
                "packagetype": "sdist",
                "python_version": "source",
                "requires_python": null,
                "size": 28353,
                "upload_time": "2018-07-02T13:35:05",
                "url": "https://files.pythonhosted.org/packages/65/b4/f776f0278721d703c0a0bf75b8dcff15e4169495ec7986b4e003f13f7071/hsecscan-0.0.1.tar.gz"
            }
        ]
    },
    "urls": [
        {
            "comment_text": "",
            "digests": {
                "md5": "d784d42a90acbb0667ec38379155d3c4",
                "sha256": "27c1493180676a24d68f61be1c9c7e0451b58f44ce7a9ab1428fae7e14ffea09"
            },
            "downloads": -1,
            "filename": "hsecscan-0.0.1-py2-none-any.whl",
            "has_sig": false,
            "md5_digest": "d784d42a90acbb0667ec38379155d3c4",
            "packagetype": "bdist_wheel",
            "python_version": "py2",
            "requires_python": null,
            "size": 31655,
            "upload_time": "2018-07-02T13:35:04",
            "url": "https://files.pythonhosted.org/packages/2e/8e/7e32a1707069a46303e65390e68a6d513dbb5844eb3f350587f3467943d1/hsecscan-0.0.1-py2-none-any.whl"
        },
        {
            "comment_text": "",
            "digests": {
                "md5": "a9dba9539381b06625b2e9d6d6db21d4",
                "sha256": "d2e17770876c398926cb2dded9182209ea617b4a4edbe1d61443888dfe61b1b2"
            },
            "downloads": -1,
            "filename": "hsecscan-0.0.1.tar.gz",
            "has_sig": false,
            "md5_digest": "a9dba9539381b06625b2e9d6d6db21d4",
            "packagetype": "sdist",
            "python_version": "source",
            "requires_python": null,
            "size": 28353,
            "upload_time": "2018-07-02T13:35:05",
            "url": "https://files.pythonhosted.org/packages/65/b4/f776f0278721d703c0a0bf75b8dcff15e4169495ec7986b4e003f13f7071/hsecscan-0.0.1.tar.gz"
        }
    ]
}