# Welcome to drHEADer
There are a number of HTTP headers which enhance the security of a website when used. Often ignored, or simply unknown, these HTTP security headers help prevent common web application vulnerabilities.
drHEADer helps with the audit of security headers received in response to a single request or a list of requests.
When combined with the OWASP [Application Security Verification Standard](https://github.com/OWASP/ASVS/blob/master/4.0/en/0x22-V14-Config.md) (ASVS) 4.0, it is a useful tool to include as part of an automated CI/CD pipeline which checks for missing HTTP headers.
## How Do I Install It?
drHEADer requires at least Python 3.8 to run. The easiest way to install drHEADer is to clone this repository and, in a terminal window, run the following command:
```sh
$ python3 setup.py install --user
```
This will install all the prerequisites and you'll end up with a drHEADer executable.
## How Do I Use It?
There are two ways you could use drHEADer, depending on what you want to achieve. The easiest way is using the CLI.
### CLI
For details on using the CLI, see [CLI.md](CLI.md)
### In a Project
It is also possible to call drHEADer from within an existing project, and this is achieved like so:
```python
from drheader import Drheader
scanner = Drheader(headers={'X-XSS-Protection': '1; mode=block'})
report = scanner.analyze()
```
#### Customize HTTP request
By default, the tool uses the **HEAD** method when making a request, but you can change that by supplying the `method` argument like this:
```python
from drheader import Drheader
scanner = Drheader(url='https://example.com', method='POST')
```
##### Other `requests` arguments
You can use any other arguments that are supported by `requests` to customise the HTTP request:
```python
from drheader import Drheader
scanner = Drheader(url='https://example.com', headers={'X-API-Key': '726204fe-8a3a-4478-ae8f-4fb216a8c4ba'})
```
```python
from drheader import Drheader
scanner = Drheader(url='https://example.com', verify=False)
```
#### Cross-Origin Isolation
The default rules in drHEADer support cross-origin isolation via the `Cross-Origin-Embedder-Policy` and
`Cross-Origin-Opener-Policy` headers. Due to the potential for this to break websites that have not yet properly
configured their sub-resources for cross-origin isolation, these validations are opt-in at analysis time. If you want to
enforce these cross-origin isolation validations, you must pass the `cross_origin_isolated` flag.
In a project:
```python
from drheader import Drheader
scanner = Drheader(url='https://example.com')
scanner.analyze(cross_origin_isolated=True)
```
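As an added example (not code from the drHEADer project), the snippet below wires the documented `Drheader(headers=...)` and `analyze(cross_origin_isolated=...)` calls into a CI gate that fails the build when findings at or above a chosen severity are present. This README does not show the structure of the value `analyze()` returns, so the example assumes each finding is a dict with `rule`, `severity` and `message` keys and that severities are `low`, `medium` or `high`; check both against your installed version and your `rules.yml`.

```python
import sys

# Assumed severity ranking for the gate; drHEADer's own severity labels are
# not documented in this README, so adjust these to match your rules.yml.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


def gate(report, fail_on="medium"):
    """Split a drHEADer report into blocking and advisory findings.

    Assumes (not confirmed by the README) that each finding is a dict
    carrying 'rule', 'severity' and 'message' keys. Unknown severities
    rank as 0 and are therefore never blocking.
    """
    threshold = SEVERITY_RANK[fail_on]
    blocking, advisory = [], []
    for finding in report:
        rank = SEVERITY_RANK.get(str(finding.get("severity", "")).lower(), 0)
        (blocking if rank >= threshold else advisory).append(finding)
    return blocking, advisory


def audit_captured_response(headers, cross_origin_isolated=False):
    """Audit response headers already captured by an earlier pipeline stage.

    Uses the library calls exactly as documented above. The import lives
    inside the function so that gate() stays usable without drHEADer installed.
    """
    from drheader import Drheader

    scanner = Drheader(headers=headers)
    return scanner.analyze(cross_origin_isolated=cross_origin_isolated)


if __name__ == "__main__":
    # Constructed sample: the headers a deploy-stage smoke test might have saved.
    captured = {
        "X-XSS-Protection": "1; mode=block",
        "Content-Security-Policy": "default-src 'self'",
    }
    report = audit_captured_response(captured, cross_origin_isolated=True)
    blocking, advisory = gate(report, fail_on="medium")
    for finding in advisory:
        print(f"advisory: {finding['rule']}: {finding['message']}")
    for finding in blocking:
        print(f"BLOCKING: {finding['rule']}: {finding['message']}")
    sys.exit(1 if blocking else 0)
```

Because the headers dict is analysed offline, the gate runs without any network access from the CI runner, and the `cross_origin_isolated=True` opt-in only needs to be switched on once sub-resources are ready for COEP/COOP.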
## How Do I Customise drHEADer Rules?
drHEADer relies on a yaml file that defines the policy it will use when auditing security headers. The file is located at `./drheader/resources/rules.yml`, and you can customise it to fit your particular needs. Please follow this [link](RULES.md) if you want to know more.
## Notes
* On Ubuntu systems you may need to install libyaml-dev to avoid errors related to a missing yaml.h.
### Roadmap
We have a lot of ideas for drHEADer, and will push often as a result. Some of the things you'll see shortly are:
* Building on the Python library to make it easier to embed in your own projects.
* Releasing the API, which is separate from the core library - the API allows you to hit URLs or endpoints at scale.
* Better integration into MiTM proxies.
## Who Is Behind It?
drHEADer was developed by the Santander UK Security Engineering team, who are:
* David Albone
* [Javier Domínguez Ruiz](https://github.com/javixeneize)
* Fernando Cabrerizo
* [James Morris](https://github.com/actuallyjamez)