February 16, 2017 · website tools OSINT

securityheaders.io

I'm sure others have seen this site before, but in the event that some have not, I figured I would give it its own shoutout.

securityheaders.io is a creation from Scott Helme that allows you to analyze any website for certain security-related information that are included in the HTTP/S response header. This information can be used to secure your own site, as well as gain information about others that may be in scope for a penetration test.

The tool checks for the following:

  • HTTP
    • Content-Security-Policy
      • A header that defines approved sources of content that the browser may load. This can help prevent XSS attacks.
    • X-Content-Type-Options
      • A header is used to protect against MIME sniffing vulnerabilities.
    • X-Frame-Options
      • A header that helps to protect your visitors against clickjacking attacks.
    • X-XSS-Protection
      • A header designed to enable the cross-site scripting (XSS) filter built into modern web browsers. This is usually enabled by default, but using it will enforce it.

  • HTTPS
    • Strict-Transport-Security
      • A header will prevent any communications from being sent over HTTP to the specified domain and will instead send all communications over HTTPS.
    • Public-Key-Pins
      • A header that associates a specific cryptographic public key with a certain web server to decrease the risk of MITM attacks with forged certificates.


        Additionally it checks for the server software and what may be powering the website. For example. Apache & PHP.

I've added most of these to this site, though I still need to fine tune it a bit.

Depending on your server software, you will be editing a different file, but the value will remain the same. If you're running nginx software, you'll need to add these to nginx.conf in /etc/nginx. For apache, you'll add them to httpd.conf in /etc/httpd/httpd.conf. Each value has different options, so you'll need to do some research yourself to determine what is best for your website.