"ๅ้ไน่ก๏ผๅงๆผ่ถณไธ - ่ๅญ"
("A journey of a thousand miles begins with a single step. - Lao Tzu")
"And if you don't keep your feet, there's no knowing where you might be swept off to. - Bilbo Baggins"
Features
Screenshots
Installation & Update
Installation & Maintenance (Docker)
Usage
Advanced Usage (Linux)
Checks: Missing Headers
Checks: Fingerprint Headers
Checks: Deprecated Headers and Insecure Values
Checks: Empty Values
Guidelines included
To-Do
Further Reading
Contribute
Acknowledgements
License
โ๏ธ 54 checks for enabled security-related HTTP response headers.
โ๏ธ 14 checks for missing security-related HTTP response headers (the ones I consider essential).
โ๏ธ 1186 checks for fingerprinting through HTTP response headers.
โ๏ธ 120 checks for deprecated HTTP response headers/protocols or with insecure/wrong values.
โ๏ธ SSL/TLS checks: requires the amazing https://testssl.sh/.
โ๏ธ Browser support references for enabled HTTP security headers: provided by https://caniuse.com/.
โ๏ธ Two types of analysis: brief and detailed, along with HTTP response headers.
โ๏ธ Can exclude specific HTTP response headers from the analysis.
โ๏ธ Can export each analysis to CSV, HTML5, JSON, PDF 1.4 and TXT (and in a filename and path of your choice).
โ๏ธ Can analyze 'raw response files': text files with HTTP response headers and values. Ex: curl option '--dump-header'.
โ๏ธ Highlights experimental headers in each analysis.
โ๏ธ Each detailed analysis may include up to dozens of official links, references and technical articles.
โ๏ธ l10n: can display each analysis, the messages and almost all errors in English or Spanish.
โ๏ธ Saves each analysis, showing at the end the improvements or deficiencies in relation to the last one.
โ๏ธ Can display analysis statistics: either against a specific URL or all of them.
โ๏ธ Can display fingerprint statistics: either against a specific term or the Top 20.
โ๏ธ Can display guidelines: for enabling security HTTP response headers on popular frameworks, servers and services.
โ๏ธ Code reviewed via Bandit, Flake8, pyinstrument, SonarLint, Sourcery and vermin.
โ๏ธ Tested, one by one, on thousands of URLs.
โ๏ธ Tested on Docker 26.1, Kali Linux 2021.1, macOS 14.2.1 and Windows 10 20H2.
โ๏ธ Almost all the code under one of the most permissive licenses: MIT.
โ๏ธ Regularly updated.
โ๏ธ Minimal dependencies required.
โ๏ธ Featured on Artemis, DefectDojo, HackTricks, Kali Linux and OWASP.
โ๏ธ Developed entirely in my spare time, no strings attached: feel free to try it out and integrate it into your projects!.
โ๏ธ And with the approval of several AI ๐!.
.: (Windows) - Brief analysis.
.: (Linux) - Brief analysis along with HTTP response headers.
.: (Linux) - Detailed analysis, in Spanish.
.: (Linux) - Analysis of a "raw response file". Example.
.: (Linux) - SSL/TLS checks.
Options used: -f -g -p -U -s --hints
.: (Linux) - List of HTTP fingerprint headers based on a specific term.
.: (Linux) - Brief analysis saved as CSV. Example.
.: (Windows) - Detailed analysis saved as PDF. Example.
.: (Linux) - Detailed analysis saved as HTML. Example.
.: (Linux) - Brief analysis saved as JSON. Example.
.: (Linux) - Analysis history file: Date, URL, Enabled, Missing, Fingerprint, Deprecated/Insecure, Empty headers & Total warnings (the four previous totals).
.: (Linux) - Statistics of the analysis performed against a specific URL.
.: (Linux) - Statistics of the analysis performed against all URLs, in Spanish.
Note
Python 3.8 or higher is required.
# Install python3 and python3-pip:
# (Windows) https://www.python.org/downloads/windows/
# (Linux) if not installed by default, install them via, e.g. Synaptic, apt, dnf, yum ...
# (macOS) https://www.python.org/downloads/macos/
# Install Git:
# (Windows) https://git-scm.com/download/win
# (Linux) https://git-scm.com/download/linux
# (macOS) https://git-scm.com/download/mac
# Setting up a virtual environment in Python (pending how to do it in Windows)
# '/home/bluesman/humble_venv' is a example path for the virtual environment
$ python3 -m venv /home/bluesman/humble_venv
$ source /home/bluesman/humble_venv/bin/activate
$ cd /home/bluesman/humble_venv/
$ git clone https://github.com/rfc-st/humble.git
$ cd humble
$ pip3 install -r requirements.txt
# Good practice: deactivate the virtual environment after you have finished using 'humble'
$ deactivate
# Activate the virtual environment to analyze URLs again with 'humble'
$ cd /home/bluesman/humble_venv/
$ source /home/bluesman/humble_venv/bin/activate
$ cd humble
# Updating (weekly): activate the virtual environment and from 'humble' folder
$ git pull
# Updating (Release): activate the virtual environment, download the source code
# .zip file of the most recent Asset and unzip it in the 'humble' folder, overwriting files.
https://github.com/rfc-st/humble/releases
Note
Python 3.8 will be used to build the image.
# Install Docker, and make sure it's running:
# E.g. (Linux): https://www.kali.org/docs/containers/installing-docker-on-kali/
# E.g. (macOs): https://docs.docker.com/desktop/install/mac-install/
# E.g. (Windows): https://docs.docker.com/desktop/install/windows-install/
# Build the image, providing the TAG as the latest Release of 'humble': '1.42' in this example.
# https://github.com/rfc-st/humble/releases (Windows may require elevated console privileges)
$ docker build -t humble:1.42 .
# Run the analysis specifying the above TAG, along with the specific options for 'humble':
# '-it', required: allocate a pseudo-TTY and keep the input interactive
# '-rm', required: automatically remove the container and associated anonymous volumes when it exits
# (Linux/macOS)
# E.g. Analyze https://facebook with a brief analysis:
$ docker run -it --rm --name humble humble:1.42 /bin/bash -c "python3 humble.py -u https://facebook.com -b"
# (Windows)
# E.g. Analyze https://facebook with a brief analysis:
$ docker run -it --rm --name humble humble:1.42 python3 humble.py -u https://facebook.com -b
# Removing (and untagging) previous images of 'humble' after upgrading to the latest release.
$ docker rmi humble:1.42
(Windows) $ py humble.py
(Linux) $ python3 humble.py
(macOS) $ python3 humble.py
usage: humble.py [-h] [-a] [-b] [-df] [-e [TESTSSL_PATH]] [-f [FINGERPRINT_TERM]] [-g] [-grd] [-if INPUT_FILE] [-l {es}] [-lic] [-o {csv,html,json,pdf,txt}] [-of OUTPUT_FILE]
[-op OUTPUT_PATH] [-r] [-s [SKIP_HEADERS ...]] [-u URL] [-ua USER_AGENT] [-v]
'humble' (HTTP Headers Analyzer) | https://github.com/rfc-st/humble | v.2024-12-03
options:
-h, --help show this help message and exit
-a Shows statistics of the performed analysis; if the '-u' parameter is ommited they will be global
-b Shows overall findings; if omitted detailed ones will be shown
-df Do not follow redirects; if omitted the last redirection will be the one analyzed
-e [TESTSSL_PATH] Shows TLS/SSL checks; requires the PATH of https://testssl.sh/
-f [FINGERPRINT_TERM] Shows fingerprint statistics; if 'FINGERPRINT_TERM' (e.g., 'Google') is omitted the top 20 results will be shown
-g Shows guidelines for enabling security HTTP response headers on popular frameworks, servers and services
-grd Shows the checks to grade an analysis, along with advice for improvement
-if INPUT_FILE Analyzes 'INPUT_FILE': must contain HTTP response headers and values separated by ': '; E.g. 'server: nginx'.
-l {es} Defines the language for displaying analysis, errors and messages; if omitted, will be shown in English
-lic Shows the license for 'humble', along with permissions, limitations and conditions.
-o {csv,html,json,pdf,txt} Exports analysis to 'humble_scheme_URL_port_yyyymmdd_hhmmss_language.ext' file; csv/json will have a brief analysis
-of OUTPUT_FILE Exports analysis to 'OUTPUT_FILE'; if omitted the default filename of the parameter '-o' will be used
-op OUTPUT_PATH Exports analysis to 'OUTPUT_PATH'; must be absolute. If omitted the PATH of 'humble.py' will be used
-r Shows HTTP response headers and a detailed analysis; '-b' parameter will take priority
-s [SKIP_HEADERS ...] Skips 'deprecated/insecure' and 'missing' checks for the indicated 'SKIP_HEADERS' (separated by spaces)
-u URL Scheme, host and port to analyze. E.g. https://google.com
-ua USER_AGENT User-Agent ID from 'additional/user_agents.txt' file to use. '0' will show all and '1' is the default
-v, --version Checks for updates at https://github.com/rfc-st/humble
examples:
-u URL -a Shows statistics of the analysis performed against the URL
-u URL -b Analyzes URL and reports overall findings
-u URL -b -o csv Analyzes URL and exports overall findings to CSV format
-u URL -l es Analyzes URL and reports (in Spanish) detailed findings
-u URL -o pdf Analyzes URL and exports detailed findings to PDF format
-u URL -o html -of test Analyzes URL and exports detailed findings to HTML format and 'test' filename
-u URL -o pdf -op D:/Tests Analyzes URL and exports detailed findings to PDF format and 'D:/Tests' path
-u URL -r Analyzes URL and reports detailed findings along with HTTP response headers
-u URL -s ETag NEL Analyzes URL and skips 'deprecated/insecure' and 'missing' checks for 'ETag' and 'NEL' headers
-u URL -ua 4 Analyzes URL using the fourth User-Agent of 'additional/user_agents.txt' file
-a -l es Shows statistics (in Spanish) of the analysis performed against all URLs
-f Google Shows HTTP fingerprint headers related to the term 'Google'
.: Show only the analysis summary.
$ python3 humble.py -u https://www.spacex.com | grep -A 8 "\!." | sed $'1i \n'
.: Show only the URL, date and analysis summary.
$ python3 humble.py -u https://www.spacex.com | grep -A8 -E "0. Info|\!." | grep -v "^\[1\." | sed 's/[--]//g' | sed -e '/./b' -e :n -e 'N;s/\n$//;tn' | sed '5,6d' | sed '1i\'
.: Show only the deprecated headers/protocols and insecure values.
$ python3 humble.py -u https://www.spacex.com | sed -n '/\[4/,/^\[5/ { /^\[5/!p }' | sed '$d' | sed $'1i \n'
.: Check for HTTP client errors (4XX).
$ python3 humble.py -u https://my.prelude.software/demo/index.pl | grep -A1 -B5 'Note : \|Nota : ' --color=never
.: Analyze multiple URLs and save the results as PDFs.
$ datasets=('https://facebook.com' 'https://github.com' 'https://www.spacex.com'); for dataset in "${datasets[@]}"; do python3 humble.py -u "$dataset" -o pdf; done
Check this file.
Check this file.
Check this file.
Check this file.
Note
humble tries to be strict: both in checking HTTP response headers and their values; some of these headers may be experimental and you may not agree with all the results after analysis.
And that's OK! ๐; you should never blindly trust the results of security tools: there should be further work to decide whether the risk is non-existent, potential or real depending on the analyzed URL (its exposure, environment, etc).
Any HTTP response header.
- Amazon Web Services
- Angular
- Apache HTTP Server
- Cloudflare
- LiteSpeed Web Server
- Microsoft Internet Information Services
- Nginx
- Node.js
- Spring
- WordPress
- Add more Header/Value checks (only security-oriented)
- A new detailed analysis of all CSP directives/values (W3C Level 2 & 3)
- Google Style Python Docstrings and documentation via Sphinx
https://caniuse.com/
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers
https://github.com/search?q=http+headers+analyze
https://github.com/search?q=http+headers+secure
https://github.com/search?q=http+headers+security
https://owasp.org/www-project-secure-headers/
https://securityheaders.com/
https://scotthelme.co.uk/
https://webtechsurvey.com/common-response-headers
https://www.w3.org
- Read this first!.
- Report a Bug.
- Create a Feature request.
- Report a Security Vulnerability.
- Send me your suggestions: [email protected]
- Or use that email to tell me about integrations of this tool in others!
- And to recommend me a good Blues! ๐
Thanks for downloading 'humble', for trying it and for your time!.
- Bandit, colorama, Flake8, fpdf2, pyinstrument, requests, SonarLint, Sourcery, testssl.sh, tldextract and Vermin authors/teams: you rock ๐ค!.
- Aniket Navlur for this gem.
- Azathothas for reporting this bug.
- bulaktm for this suggestion.
- confuciussayuhm for this suggestion.
- cr4zyfish for some of these suggestions.
- danterolle for this.
- David for believing in the usefulness of this tool.
- Eduardo for the first Demo and the example "(Linux) - Analyze multiple URLs and save the results as PDFs".
- gl4nce for this suggestion.
- ฤฐDRฤฐS BUDAK for reporting the need to this check.
- Julio for testing on macOS.
- kazet for this suggestion.
- manuel-sommer for this, this and this!.
- MikeAnast for several suggestions.
- n3bojs4, ehlewis and dkadev for this and this.
- sophie for keeping 'humble' updated in Kali Linux and for this.
- stanley101music for this, this and this!.
- vincentcox for this and this.
MIT ยฉ 2020-2024 Rafa 'Bluesman' Faura ([email protected])
Original Creator - Rafa 'Bluesman' Faura ([email protected])