Hello,

Your tool is great, and I would like to use it. However, when storing shcheck's output to a file, the colors are not visible but the color codes instead, which makes it very difficult to read. Most other tools I use have a "-no-color" switch which disables any colors, allowing to store raw output to files. That would be great to have such option.

Additionaly, having a label "[warn]", "[info]", or "[crit]" before each http header when disabling colors would be nice, but not required :-)

I hope you will see the benefits of these feature requests !

Regards,
Guillaume

X-XSS-Protection is pretty much unsupported by any real browser (IIRC Internet Explorer, and maybe Safari) still honour it. And it is best implemented by a content security policy anyway, so can we remove it from the list.

Also X-Permitted-Cross-Domain-Policies, is default secure, if it doesn't exist then Flash/Air will go to a crossdomain.xml. If neither exist then Flash/Air will refuse to work. So it's probably best to be removed from the list too.

https://github.com/meliot/shcheck/blob/master/shcheck.py#L299

json_headers["information_disclosure"][infoh] = headers.get(ifoh) should probably be json_headers["information_disclosure"][infoh] = headers.get(infoh)

Hello,

I see the tools keeps reporting as "warning" the lack of "X-Frame-Options".

This header has been obsoleted by CSP frame-ancestors long time ago and it is currently ignored by most of the browsers. Are we sure we should keep highlighting the lack of this header as a "warning"? I humbly propose you to remove that header check, adding it won't have the desired effect for most modern browsers.

Alternatively, maybe add a condition to highlight the lack of this header if it also lacks the CSP frame-ancestors directive?

Thank you for your tool! Very useful

Can you add a -q, quiet option where the tool checks if headers are present but doesn't show the details?

P.S. Please let me know how I can support this project!

Hi there,

I recommend to update the checked headers according to the following project:
https://owasp.org/www-project-secure-headers/

The following HTTP Response header are deprecated according to this project:

• Expect-CT
• X-XSS-Protection

Best Regards,

Manuel

Hey, this looks pretty useful and I like the output compared to some of the other scripts. What license are you putting this under (MIT?). Thanks

I found a problem with the tool, it seems to be case sensitive. it does not identify when the header is in lowercase letters.

While using the "--hfile=" parameter and in the case that one host is not reachable, the tool will completely stop and not process the rest of the list. It would be great if it would just run through the whole list.
Maybe add a feature that makes the tool stop when something is unreachable.

Thanks in advance!

X-XSS-Protection is not detected by the script

I don't know enough about python (yet) to get it working properly. Would it be possible to have it check for an empty value for X-Powered-By?

======================================================
 > shcheck.py - santoru ..............................
------------------------------------------------------
 Simple tool to check security headers on a webserver
======================================================

[*] Analyzing headers of https://(redacted)
[*] Effective URL: https://(redacted)
[*] Header X-XSS-Protection is present! (Value: 1; mode=block)
[*] Header X-Frame-Options is present! (Value: DENY)
[*] Header X-Content-Type-Options is present! (Value: nosniff)
[*] Header Strict-Transport-Security is present! (Value: max-age=63072000; includeSubdomains; preload)
[*] Header Content-Security-Policy is present! (Value: default-src 'self'; img-src 'self' *.loc.gov loc.gov data:; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; object-src 'none'; font-src 'self' data:;)
[*] Header Referrer-Policy is present! (Value: same-origin)
[*] Header Expect-CT is present! (Value: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct")
[*] Header Permissions-Policy is present! (Value: : accelerometer=(), ambient-light-sensor=(), autoplay=(), battery=(), camera=(), display-capture(), fullscreen=(self), geolocation=(), gyroscope=(), interest-cohort=(), magnetometer=(), microphone=(), midi=(), payment=(), usb=(), vibrate=(), vr=())
[*] Header Cross-Origin-Embedder-Policy is present! (Value: : require-corp)
[*] Header Cross-Origin-Resource-Policy is present! (Value: : same-site)
[*] Header Cross-Origin-Opener-Policy is present! (Value: : same-origin)
-------------------------------------------------------
[!] Headers analyzed for https://(redacted)
[+] There are 11 security headers
[-] There are not 1 security headers

So, which security header is missing? It looks like a 1 off bug, or it is failing to report which additional security header it thinks is missing.

The Publick-Key-Pins header is reported as missing, but accordingly, to https://owasp.org/www-project-secure-headers/, the header is deprecated and should not use at all.