GitHub - rfc-st/humble: A humble, and 𝗳𝗮𝘀𝘁, security-oriented HTTP headers analyzer. (original) (raw)

humble

A humble, and fast, security-oriented HTTP headers analyzer

Table of contents

Features

✔️ 58 checks for enabled security-related HTTP response headers.
✔️ 14 checks for missing security-related HTTP response headers (the ones I consider essential).
✔️ 1234 checks for fingerprinting through HTTP response headers.
✔️ 140 checks for deprecated HTTP response headers/protocols or with insecure/wrong values.
✔️ 16 checks related to Content Security Policy Level 3.
✔️ Can check for compliance with the OWASP Secure Headers Project Best Practices.
✔️ Can exclude specific HTTP response headers from the analysis.
✔️ Can analyze raw response files: text files with HTTP response headers and values. Ex: curl option '--dump-header'.
✔️ Can export each analysis to CSV, HTML5, JSON, PDF 1.4, TXT and XML (and in a filename and path of your choice).
✔️ Can check for outdated SSL/TLS protocols and vulnerabilities: requires the amazing https://testssl.sh/.
✔️ Can provide brief and detailed analysis along with HTTP response headers.
✔️ Includes browser support references for enabled HTTP security headers: provided by https://caniuse.com/.
✔️ Highlights experimental headers in each analysis.
✔️ Each detailed analysis may include up to dozens of official links, references and technical articles.
✔️ Can display analysis, messages, and most errors in either English or Spanish.
✔️ Saves each analysis and highlights improvements or deficiencies compared to the previous one.
✔️ Can display analysis statistics for a specific URL or across all of them.
✔️ Can display fingerprint statistics for a specific term or the Top 20.
✔️ Can display guidelines for enabling security HTTP response headers on popular frameworks, servers, and services.
✔️ Code reviewed via Bandit, Flake8, pyinstrument, SonarQube for IDE and Sourcery.
✔️ Tested, one by one, on thousands of URLs.
✔️ Tested on Docker 26.1, Kali Linux 2021.1, macOS 14.2.1 and Windows 10 20H2.
✔️ Almost all the code available under one of the most permissive licenses: MIT.
✔️ Regularly updated.
✔️ Minimal dependencies required.
✔️ Developed entirely in my spare time, no strings attached: feel free to try it out and integrate it into your projects!.
✔️ And with the approval of several AI 😄!.

Screenshots

.: (Windows) - Brief analysis.

(Windows) - Brief analysis

.: (Linux) - Brief analysis along with HTTP response headers.

(Linux) - Brief analysis along with HTTP response headers

.: (Linux) - Detailed analysis, in Spanish.

(Linux) - Detailed analysis in Spanish

.: (Linux) - Analysis of a "raw response file". Example.

(Linux) - Analysis of a raw response file

.: (Linux) - SSL/TLS checks.

Options used: -f -g -p -U -s --hints

(Linux) - SSL/TLS checks (requires https://testssl.sh/ and Linux/Unix client)

.: (Linux) - Compliance with OWASP 'Secure Headers Project' best practices.

(Linux) - Compliance with OWASP 'Secure Headers Project' best practices

.: (Linux) - List of HTTP fingerprint headers based on a specific term.

(Linux) - List of HTTP fingerprint headers based on a specific term

.: (Linux) - Brief analysis saved as CSV. Example.

(Linux) - Brief analysis saved as CSV

.: (Windows) - Detailed analysis saved as PDF. Example.

(Windows) - Detailed analysis saved as PDF

.: (Linux) - Detailed analysis saved as HTML. Example.

(Linux) - Detailed analysis saved as HTML

.: (Linux) - Brief analysis saved as JSON. Example.

(Linux) - Brief analysis saved as JSON

.: (Linux) - Brief analysis saved as XML. Example.

(Linux) - Brief analysis saved as XML

.: (Linux) - Analysis history file: Date, URL, Enabled, Missing, Fingerprint, Deprecated/Insecure, Empty headers & Total warnings (the four previous totals).

(Linux) - Analysis history file: Date, URL, Missing, Fingerprint, Deprecated/Insecure, Empty headers & Total warnings (the four previous totals)

.: (Linux) - Statistics of the analysis performed against a specific URL.

(Linux) - Statistics of the analysis performed against a specific URL

.: (Linux) - Statistics of the analysis performed against all URLs, in Spanish.

(Linux) - Statistics of the analysis performed against all URLs in Spanish

.: (Windows) - Checking for updates

(Windows) - Checking for updates

Installation & update (Source code)

Note

Python 3.9 or higher is required.

Install python3 and python3-pip:

(Windows) https://www.python.org/downloads/windows/

(Linux) if not available, install them: e.g. Synaptic, apt, dnf, yum ...

(macOS) https://www.python.org/downloads/macos/

Install Git:

(Windows) https://git-scm.com/download/win

(Linux) https://git-scm.com/download/linux

(macOS) https://git-scm.com/download/mac

Set up a virtual environment (pending how to do it in Windows), download 'humble' and its dependencies

'/home/bluesman/humble_venv' is a example path for the virtual environment

$ python3 -m venv /home/bluesman/humble_venv $ source /home/bluesman/humble_venv/bin/activate $ cd /home/bluesman/humble_venv/ $ git clone https://github.com/rfc-st/humble.git $ cd humble $ pip3 install -r requirements.txt

Analyze! :). Linux and Windows examples

$ python3 humble.py -u https://google.com $ py humble.py -u https://google.com

Good practice: deactivate the virtual environment after you have finished using 'humble'

$ deactivate

Activate the virtual environment to analyze URLs again with 'humble'

$ cd /home/bluesman/humble_venv/ $ source /home/bluesman/humble_venv/bin/activate $ cd humble

Updating (weekly): activate the virtual environment and from 'humble' folder

$ git pull

Updating (Release): activate the virtual environment, download the latest source code file

and decompress it in the 'humble' folder, overwriting files.

https://github.com/rfc-st/humble/releases

Installation & maintenance (Docker)

Note

Python 3.9 will be used to build the image.

Install Docker, and make sure it's running:

E.g. (Linux): https://www.kali.org/docs/containers/installing-docker-on-kali/

E.g. (macOs): https://docs.docker.com/desktop/install/mac-install/

E.g. (Windows): https://docs.docker.com/desktop/install/windows-install/

Clone the repository or download & decompress the latest release:

$ git clone https://github.com/rfc-st/humble.git https://github.com/rfc-st/humble/releases

Build the image inside the 'humble' folder: providing the TAG as the latest Release of 'humble' (e.g. 1.48).

https://github.com/rfc-st/humble/releases (Windows may require elevated console privileges)

$ docker build -t humble:1.48 .

Run the analysis specifying the above TAG, along with the specific options for 'humble':

'-it', required: allocate a pseudo-TTY and keep the input interactive.

'-rm', required: automatically remove the container and associated anonymous volumes when it exits.

(Linux/macOS)

E.g. Analyze https://facebook with a brief analysis:

$ docker run -it --rm --name humble humble:1.48 /bin/bash -c "python3 humble.py -u https://facebook.com -b"

(Windows)

E.g. Analyze https://facebook with a brief analysis:

$ docker run -it --rm --name humble humble:1.48 python3 humble.py -u https://facebook.com -b

Removing (and untagging) previous images of 'humble' after upgrading to the latest release.

$ docker rmi humble:1.48

Installation & update (Kali Linux)

Note

Python 3.9 or higher is required.

Verify that the 'humble' package contains 'Homepage: https://github.com/rfc-st/humble'

$ apt show humble

Install it and grant permissions (e.g. to enable analysis history and export analysis)

$ sudo apt install humble $ sudo chmod -R a+rwx /usr/share/humble

Analyze! :)

$ cd /usr/share/humble $ python3 humble.py -u https://google.com

Updating (monthly):

$ sudo apt update $ sudo apt install --only-upgrade humble

Usage

(Windows) $ py humble.py (Linux) $ python3 humble.py (macOS) $ python3 humble.py

usage: humble.py [-h] [-a] [-b] [-c] [-df] [-e [TESTSSL_PATH]] [-f [FINGERPRINT_TERM]] [-g] [-grd] [-if INPUT_FILE] [-l {es}] [-lic] [-o {csv,html,json,pdf,txt,xml}] [-of OUTPUT_FILE] [-op OUTPUT_PATH] [-r] [-s [SKIP_HEADERS ...]] [-u URL] [-ua USER_AGENT] [-v]

'humble' (HTTP Headers Analyzer) | https://github.com/rfc-st/humble | v.2025-03-28

options: -h, --help show this help message and exit -a Shows statistics of the performed analysis; if the '-u' parameter is ommited they will be global -b Shows overall findings; if omitted detailed ones will be shown -c Checks URL response HTTP headers for compliance with OWASP 'Secure Headers Project' best practices -df Do not follow redirects; if omitted the last redirection will be the one analyzed -e [TESTSSL_PATH] Shows only TLS/SSL checks; requires the PATH of testssl (https://testssl.sh/) -f [FINGERPRINT_TERM] Shows fingerprint statistics; if 'FINGERPRINT_TERM' (e.g., 'Google') is omitted the top 20 results will be shown -g Shows guidelines for enabling security HTTP response headers on popular frameworks, servers and services -grd Shows the checks to grade an analysis, along with advice for improvement -if INPUT_FILE Analyzes 'INPUT_FILE': must contain HTTP response headers and values separated by ': '; E.g. 'server: nginx' -l {es} Defines the language for displaying analysis, errors and messages; if omitted, will be shown in English -lic Shows the license for 'humble', along with permissions, limitations and conditions. -o {csv,html,json,pdf,txt,xml} Exports analysis to 'humble_scheme_URL_port_yyyymmdd_hhmmss_language.ext' file; json will have a brief analysis -of OUTPUT_FILE Exports analysis to 'OUTPUT_FILE'; if omitted the default filename of the parameter '-o' will be used -op OUTPUT_PATH Exports analysis to 'OUTPUT_PATH'; must be absolute. If omitted the PATH of 'humble.py' will be used -r Shows HTTP response headers and a detailed analysis; '-b' parameter will take priority -s [SKIP_HEADERS ...] Skips 'deprecated/insecure' and 'missing' checks for the indicated 'SKIP_HEADERS' (separated by spaces) -u URL Scheme, host and port to analyze. E.g. https://google.com -ua USER_AGENT User-Agent ID from 'additional/user_agents.txt' file to use. '0' will show all and '1' is the default -v, --version Checks for updates at https://github.com/rfc-st/humble

examples: -u URL -a Shows statistics of the analysis performed against the URL -u URL -b Analyzes URL and reports overall findings -u URL -b -o csv Analyzes URL and exports overall findings to CSV format -u URL -l es Analyzes URL and reports (in Spanish) detailed findings -u URL -o pdf Analyzes URL and exports detailed findings to PDF format -u URL -o html -of test Analyzes URL and exports detailed findings to HTML format and 'test' filename -u URL -o pdf -op D:/Tests Analyzes URL and exports detailed findings to PDF format and 'D:/Tests' path -u URL -r Analyzes URL and reports detailed findings along with HTTP response headers -u URL -s ETag NEL Analyzes URL and skips 'deprecated/insecure' and 'missing' checks for 'ETag' and 'NEL' headers -u URL -ua 4 Analyzes URL using the fourth User-Agent of 'additional/user_agents.txt' file -a -l es Shows statistics (in Spanish) of the analysis performed against all URLs -f Google Shows HTTP fingerprint headers related to the term 'Google'

want to contribute?: How to https://github.com/rfc-st/humble/#contribute

Advanced usage (Linux)

.: Show only the analysis summary. 

$ python3 humble.py -u https://www.spacex.com | grep -A 8 "\!." | sed $'1i \n'

Show only the analysis summary (Linux)

.: Show only the URL, date and analysis summary. 

$ python3 humble.py -u https://www.spacex.com | grep -A8 -E "0. Info|\!." | grep -v "^\[1\." | sed 's/[--]//g' | sed -e '/./b' -e :n -e 'N;s/\n$//;tn' | sed '5,6d' | sed '1i\'

Show URL, date and the analysis summary (Linux)

.: Show only the deprecated headers/protocols and insecure values. 

$ python3 humble.py -u https://www.spacex.com | sed -n '/\[4/,/^\[5/ { /^\[5/!p }' | sed '$d' | sed $'1i \n'

Show only the deprecated headers/protocols and insecure values (Linux)

.: Check for HTTP client errors (4XX). 

$ python3 humble.py -u https://my.prelude.software/demo/index.pl | grep -A1 -B5 'Note : \|Nota : ' --color=never

Check for HTTP client errors (4XX) (Linux)

.: Analyze multiple URLs and save the results as PDFs; thanks Eduardo for this example!. 

$ datasets=('https://facebook.com' 'https://github.com' 'https://www.spacex.com'); for dataset in "${datasets[@]}"; do python3 humble.py -u "$dataset" -o pdf; done

Analyze multiple URLs and save the results as PDFs

Checks: enabled headers

Check this file.

Checks: missing headers

Check this file.

Checks: fingerprint headers

Check this file.

Checks: deprecated headers/protocols and insecure values

Check this file.

Note

humble tries to be strict: both in checking HTTP response headers and their values; some of these headers may be experimental and you may not agree with all the results after analysis.

And that's OK! 😃; you should never blindly trust the results of security tools: there should be further work to decide whether the risk is non-existent, potential or real depending on the analyzed URL (its exposure, environment, etc).

Checks: empty values

Any HTTP response header.

Guidelines included to enable security HTTP headers

To-Do

Further reading

Contribute

Thanks for downloading 'humble', for trying it and for your time!.

Acknowledgements

License

MIT © 2020-2025 Rafa 'Bluesman' Faura (rafael.fcucalon@gmail.com)
Original Creator - Rafa 'Bluesman' Faura (rafael.fcucalon@gmail.com)