H2T – Scans A Website And Suggests Security Headers To Apply

h2t is a simple tool that helps sysadmins harden their websites. At present, h2t inspects the HTTP response headers a website sends and recommends which hardening headers to add and which information-leaking headers to remove.

## Dependencies

- Python 3
- colorama
- requests

## Install

```
$ git clone https://github.com/gildasio/h2t
$ cd h2t
$ pip install -r requirements.txt
$ ./h2t.py -h
```

## Usage

h2t has two subcommands: `list` and `scan`.

```
$ ./h2t.py -h
usage: h2t.py [-h] {list,l,scan,s} ...

h2t - HTTP Hardening Tool

positional arguments:
  {list,l,scan,s}  sub-command help
    list (l)       show a list of available headers in h2t catalog (that can
                   be used in scan subcommand -H option)
    scan (s)       scan url to hardening headers

optional arguments:
  -h, --help       show this help message and exit
```

### List Subcommand

The `list` subcommand lists all headers catalogued in h2t and can also print information about each one: a description, links for further reading, and how-to references.

```
$ ./h2t.py list -h
usage: h2t.py list [-h] [-p PRINT [PRINT ...]] [-B] [-a | -H HEADERS [HEADERS ...]]

optional arguments:
  -h, --help            show this help message and exit
  -p PRINT [PRINT ...], --print PRINT [PRINT ...]
                        a list of additional information about the headers to
                        print. For now there are two options: description and
                        refs (you can use either or both)
  -B, --no-banner       don't print the h2t banner
  -a, --all             list all available headers [default]
  -H HEADERS [HEADERS ...], --headers HEADERS [HEADERS ...]
                        a list of headers to look for in the h2t catalog
```

### Scan Subcommand

The `scan` subcommand requests a URL and examines the headers in the response.

```
$ ./h2t.py scan -h
usage: h2t.py scan [-h] [-v] [-a] [-g] [-b] [-H HEADERS [HEADERS ...]]
                   [-p PRINT [PRINT ...]] [-i IGNORE_HEADERS [IGNORE_HEADERS ...]]
                   [-B] [-E] [-n] [-u USER_AGENT] [-r | -s]
                   url

positional arguments:
  url                   url to look for

optional arguments:
  -h, --help            show this help message and exit
  -v, --verbose         increase output verbosity: -v print response headers,
                        -vv print response and request headers
  -a, --all             scan all cataloged headers [default]
  -g, --good            scan good headers only
  -b, --bad             scan bad headers only
  -H HEADERS [HEADERS ...], --headers HEADERS [HEADERS ...]
                        scan only these headers (see available in list sub-
                        command)
  -p PRINT [PRINT ...], --print PRINT [PRINT ...]
                        a list of additional information about the headers to
                        print. For now there are two options: description and
                        refs (you can use either or both)
  -i IGNORE_HEADERS [IGNORE_HEADERS ...], --ignore-headers IGNORE_HEADERS [IGNORE_HEADERS ...]
                        a list of headers to ignore in the results
  -B, --no-banner       don't print the h2t banner
  -E, --no-explanation  don't print the h2t output explanation
  -o {normal,csv,json}, --output {normal,csv,json}
                        choose which output format to use (available: normal,
                        csv, json)
  -n, --no-redirect     don't follow http redirects
  -u USER_AGENT, --user-agent USER_AGENT
                        set user agent to scan request
  -k, --insecure        don't verify SSL certificate as valid
  -r, --recommendation  output only recommendations [default]
  -s, --status          output actual status (eg: existent headers only)
```

## Output

The explanation below covers the normal output mode (csv and json can be selected with `-o`). Read it as follows:

- `[+]` Red headers are bad headers: they weaken your website or disclose more information than necessary. We recommend removing them.
- `[+]` Yellow headers are good headers that your website does not yet send. We recommend applying them.
- `[-]` Green headers are good headers that your website already sends. They are shown only with the `-s` flag.

Example:

```
Cookie HTTP Only would be good to be applied
Cookie over SSL/TLS would be good to be applied
Server header would be good to be removed
Referrer-Policy would be good to be applied
X-Frame-Options is already in use, nothing to do here
X-XSS-Protection is already in use, nothing to do here
```

Note that the catalogue counts `X-XSS-Protection` as a good header; current browsers have removed the XSS auditor it controlled, so treat a `Content-Security-Policy` as the header that actually matters for that class of issue.

## Screenshots

(Images not reproduced here.) The original page shows: List h2t catalog, Scan from file, Scan url, Scan verbose, Headers information.

## Download H2T

https://github.com/gildasio/h2t
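To make the red/yellow/green classification concrete, here is an added example (not h2t's own code) of a minimal header audit in the same spirit. The header catalogue, the sample response headers and the cookie check are all constructed for this example; h2t's real catalogue is larger and lives in the repository.

```python
# Added example, not part of h2t. Classifies a response's headers the way the
# page describes: red = bad header present, yellow = good header missing (or an
# insecure cookie), green = good header already present.
from typing import Dict, Iterable, List

# Constructed catalogue of hardening headers (assumption: a subset of h2t's).
# X-XSS-Protection is kept because the page's example output lists it, although
# modern browsers no longer honour it.
GOOD_HEADERS = [
    "Strict-Transport-Security",
    "Content-Security-Policy",
    "X-Frame-Options",
    "X-Content-Type-Options",
    "Referrer-Policy",
    "X-XSS-Protection",
]

# Constructed catalogue of information-leaking headers (assumption).
BAD_HEADERS = ["Server", "X-Powered-By", "X-AspNet-Version"]


def _lower_keys(headers: Dict[str, str]) -> Dict[str, str]:
    # Header names are case-insensitive, so normalise before lookup.
    return {k.lower(): v for k, v in headers.items()}


def audit_cookies(set_cookie_values: Iterable[str]) -> List[str]:
    """Report Set-Cookie values that lack the HttpOnly or Secure attribute."""
    findings = []
    for raw in set_cookie_values:
        attrs = [part.strip().lower() for part in raw.split(";")]
        name = attrs[0].split("=", 1)[0]
        if "httponly" not in attrs:
            findings.append(f"Cookie {name} lacks HttpOnly")
        if "secure" not in attrs:
            findings.append(f"Cookie {name} lacks Secure")
    return findings


def audit_headers(headers: Dict[str, str],
                  set_cookie_values: Iterable[str] = ()) -> Dict[str, List[str]]:
    """Return findings grouped by colour, in the wording of h2t's output."""
    h = _lower_keys(headers)
    result: Dict[str, List[str]] = {"red": [], "yellow": [], "green": []}
    for name in BAD_HEADERS:
        if name.lower() in h:
            result["red"].append(f"{name} would be good to be removed")
    for name in GOOD_HEADERS:
        if name.lower() in h:
            result["green"].append(f"{name} is already in use, nothing to do here")
        else:
            result["yellow"].append(f"{name} would be good to be applied")
    # Multiple Set-Cookie lines are usually folded into one by HTTP client
    # libraries, so callers may pass them separately; fall back to the header.
    cookies = list(set_cookie_values) or (
        [h["set-cookie"]] if "set-cookie" in h else [])
    result["yellow"].extend(audit_cookies(cookies))
    return result


# Constructed sample response headers for a stand-alone run.
SAMPLE_RESPONSE_HEADERS = {
    "Server": "nginx/1.18.0",
    "Content-Type": "text/html",
    "X-Frame-Options": "DENY",
    "X-XSS-Protection": "1; mode=block",
    "Set-Cookie": "session=abc123; Path=/",
}

if __name__ == "__main__":
    report = audit_headers(SAMPLE_RESPONSE_HEADERS)
    for colour in ("red", "yellow", "green"):
        for line in report[colour]:
            print(f"[{colour}] {line}")
```

For a live target, the headers of `requests.get(url, allow_redirects=False).headers` can be passed straight in; follow redirects deliberately, as the page's `-n` flag suggests, because the hardening headers on a redirect response often differ from those on the final page.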

Link: http://feedproxy.google.com/~r/PentestTools/~3/LaZLa7zlv9k/h2t-scans-website-and-suggests-security.html