http-security-headers NSE script — Nmap Scripting Engine documentation

Script types: portrule
Categories: discovery, safe
Download: https://svn.nmap.org/nmap/scripts/http-security-headers.nse

Script Summary

Checks for the security-related HTTP response headers listed in the OWASP Secure Headers Project and gives a brief description of each header and its configured value.

The script sends a HEAD request to the server with http.head and parses the response to list the headers found, together with their configured values. The script checks for HSTS (HTTP Strict Transport Security), HPKP (HTTP Public Key Pins), X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, Content-Security-Policy, X-Permitted-Cross-Domain-Policies, Set-Cookie, Expect-CT, Cache-Control, Pragma and Expires.

References:
https://www.owasp.org/index.php/OWASP_Secure_Headers_Project
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers

Script Arguments

http-security-headers.path

The URL path to request. The default path is "/".

slaxml.debug

See the documentation for the slaxml library.

http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

Example Usage

nmap -p <port> --script http-security-headers <target>

Script Output

80/tcp open  http    syn-ack
| http-security-headers:
|   Strict_Transport_Security:
|     Header: Strict-Transport-Security: max-age=15552000; preload
|   Public_Key_Pins_Report_Only:
|     Header: Public-Key-Pins-Report-Only: max-age=500; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; pin-sha256="q4PO2G2cbkZhZ82+JgmRUyGMoAeozA+BSXVXQWB8XWQ="; report-uri="http://reports.fb.com/hpkp/"
|   X_Frame_Options:
|     Header: X-Frame-Options: DENY
|     Description: The browser must not display this content in any frame.
|   X_XSS_Protection:
|     Header: X-XSS-Protection: 0
|     Description: The XSS filter is disabled.
|   X_Content_Type_Options:
|     Header: X-Content-Type-Options: nosniff
|     Will prevent the browser from MIME-sniffing a response away from the declared content-type.
|   Content-Security-Policy:
|     Header: Content-Security-Policy: script-src 'self'
|     Description: Loading policy for all resources type in case of a resource type dedicated directive is not defined (fallback).
|   X-Permitted-Cross-Domain-Policies:
|     Header: X-Permitted-Cross-Domain-Policies: none
|     Description : No policy files are allowed anywhere on the target server, including this master policy file.
|   Cache_Control:
|     Header: Cache-Control: private, no-cache, no-store, must-revalidate
|   Pragma:
|     Header: Pragma: no-cache
|   Expires:
|_    Header: Expires: Sat, 01 Jan 2000 00:00:00 GMT
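The following Python sketch is an added illustration of the check the script summary and the output above describe; it is not the script's own Lua code. It parses a constructed raw HTTP response head, reports which of the headers the script looks for are present or missing, and interprets a few of them (HSTS, X-Frame-Options, X-Content-Type-Options) in the style of the Description lines; the header names, descriptions and sample response are assumptions made for the example.

```python
import re

CHECKED = [  # header names taken from the script summary, lowercased
    "strict-transport-security", "public-key-pins", "public-key-pins-report-only",
    "x-frame-options", "x-xss-protection", "x-content-type-options", "content-security-policy",
    "x-permitted-cross-domain-policies", "set-cookie", "expect-ct", "cache-control", "pragma", "expires"]

def describe(name, value):
    """Short interpretation of a header value, like the script's Description lines."""
    v = value.strip().lower()
    if name == "strict-transport-security":
        m = re.search(r"max-age=(\d+)", v)
        if not m:
            return "invalid: max-age directive missing"
        note = f"HTTPS enforced for {int(m.group(1))} s"
        return note + (", including subdomains" if "includesubdomains" in v else "") + (", preload requested" if "preload" in v else "")
    if name == "x-frame-options":
        return {"deny": "The browser must not display this content in any frame.",
                "sameorigin": "Framing allowed only by pages of the same origin."
                }.get(v, f"unrecognised value: {value}")
    if name == "x-content-type-options":
        return "MIME sniffing disabled" if v == "nosniff" else f"unrecognised value: {value}"
    return "present"

def parse_headers(raw):
    """Split a raw HTTP response head into {lowercase-name: [values]}, keeping repeats (Set-Cookie)."""
    headers = {}
    for line in raw.split("\r\n")[1:]:   # skip the status line
        if line == "":                    # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw):
    """Return (found, missing); found maps each present checked header to its descriptions."""
    headers = parse_headers(raw)
    found = {n: [describe(n, v) for v in headers[n]] for n in CHECKED if n in headers}
    return found, [n for n in CHECKED if n not in headers]

# Constructed sample response head (not captured from a real host).
SAMPLE = ("HTTP/1.1 200 OK\r\n"
          "Strict-Transport-Security: max-age=15552000; preload\r\n"
          "X-Frame-Options: DENY\r\n"
          "X-Content-Type-Options: nosniff\r\n"
          "Set-Cookie: a=1; Secure; HttpOnly\r\n"
          "Set-Cookie: b=2\r\n"
          "\r\n")
```

Calling audit(SAMPLE) gives the found headers with their descriptions and the list of checked headers the sample omits (for instance content-security-policy).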

Requires


Authors:

License: Same as Nmap--See https://nmap.org/book/man-legal.html