http-header-check
http-header-check is a CLI auditor that scans URLs for security headers such as CSP and HSTS, scores compliance, and suggests fixes for hardening web configurations in automated scans. Run it via Python against targets to get JSON output, and integrate it into CI for baseline verification. Open-source from funilrys, it is the header health-checker for developers templating secure configs without manual audits.

nuclei-http-headers
nuclei-http-headers uses Nuclei's YAML templates to fuzz and validate security headers, detecting a missing X-Frame-Options or a weak CSP across bulk scans with custom rule packs. Clone the templates and run them through the Go CLI against your scopes for prioritized alerts on misconfigurations. Open-source from projectdiscovery, it is the template tamer for pentesters probing header gaps systematically.

security-headers-check
security-headers-check is a simple Python script that fetches HTTP response headers and rates them against OWASP best practices, flagging risks such as an absent Strict-Transport-Security (HSTS) header. Point it at sites via the CLI for graded reports, or script it for batch evaluations in your toolkit. Open-source from scanner-research, it is the scorekeeper for analysts grading web defenses header by header.

zap-security-headers
zap-security-headers is an OWASP ZAP add-on that passively scans for insecure headers during proxy sessions, alerting in real time on weak configurations such as a missing X-Content-Type-Options. Install it from the ZAP marketplace, proxy your traffic through ZAP, and review the rules to set custom thresholds. Open-source from zaproxy, it is the passive patroller for web pentesters monitoring header hygiene inline.

http-header-analyzer
http-header-analyzer is a Node.js tool for dissecting response headers, extracting and validating security headers such as Referrer-Policy and scoring them for compliance audits. Run it via npm against URLs for detailed breakdowns, exporting to JSON for reports. Open-source from the community, it is the header historian for developers chronicling configurations in security reviews.

testssl.sh
testssl.sh is a bash script for comprehensive TLS/SSL and header testing, probing HSTS, HPKP and cipher suites to grade endpoint security, with color-coded output for quick fixes. Clone it and run it against hosts for full reports, or script its options for batch scans in CI. Open-source from drwetter, it is the SSL scrutinizer for pentesters templating header and protocol checks.

header-checker
header-checker is a Go CLI for validating HTTP security headers against a ruleset, flagging an absent Permissions-Policy or a weak Feature-Policy in automated web audits. Configure it via YAML and scan targets for pass/fail verdicts with remediation tips. Open-source from PortSwigger, it is the rule referee for analysts enforcing header standards programmatically.

securityheaders
securityheaders is a Python library for parsing and scoring HTTP headers, detecting CSP nonce issues or HSTS preload eligibility with detailed compliance breakdowns. Integrate it into scripts with custom thresholds and output the metrics to dashboards. Open-source from upstract, it is the header harmonizer for security professionals tuning configs to spec.

http-security-headers
http-security-headers is a Node.js module for analyzing response headers, checking for secure cookie flags such as Secure and HttpOnly alongside CSP enforcement. Use it as Express middleware for runtime audits or from the CLI for static checks on captured responses. Open-source from the community, it is the cookie cop for web developers validating headers at the application layer.

zap-header-rules