Skip to main content

A Python-based security auditing tool to analyze website security headers.

Project description

🛡️ SecHead

PyPI version License: MIT Python 3.6+

SecHead is a lightweight, powerful cybersecurity tool designed to audit website security headers. It helps penetration testers, developers, and security researchers identify missing or misconfigured HTTP headers that leave applications vulnerable to attacks like XSS, Clickjacking, and MIME sniffing.

Unlike simple scanners, SecHead provides context-aware analysis, explaining why a configuration is dangerous and offering best-practice remediation.


✨ Key Features

  • 🛡️ Deep Header Analysis: Audits critical headers including CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy.
  • 🖱️ Clickjacking PoC: Automatically detects if a site is vulnerable to Clickjacking and generates a live Proof-of-Concept iframe in the HTML report.
  • 📊 Smart Reporting: Generates a beautiful, dark-mode compatible HTML Report containing raw traffic, compliance scores, and remediation guides.
  • 🧬 Technology Fingerprinting: Passive detection of server technologies (e.g., IIS, Nginx, PHP, ASP.NET) based on response signatures.
  • ⚡ Zero-Config: Works out of the box with a simple CLI command.

🚀 Installation

You can install SecHead directly from PyPI:

pip install SecHead

Alternatively, you can clone the repository and install it manually:

git clone https://github.com/h4rithd/SecHead.git
cd SecHead
pip install .

🛠️ Usage

  1. Quick Scan (Terminal Output) Run a scan against a target URL. The results will be displayed directly in your terminal with color-coded alerts.
SecHead -u https://example.com
  1. Generate HTML Report Save the detailed analysis to an HTML file. This report is perfect for attaching to penetration testing deliverables.
SecHead -u https://example.com -o report.html

📊 Sample Output

Terminal View

🔎  Analysis for: https://example.com
📡  Status Code: 200

🛡️   SECURITY HEADERS ANALYSIS
------------------------------------------------------------
❌  Strict-Transport-Security : MISSING
    ℹ️  Forces the browser to communicate only via HTTPS.
    💡 Best Practice: max-age=63072000; includeSubDomains; preload
    ⚠️  Issue: Header is missing entirely.

✅  X-Content-Type-Options    : OK
    ℹ️  Prevents the browser from 'sniffing' the response type.
    💡 Best Practice: nosniff
    ....

HTML Report Preview

  • The generated HTML report includes:
  • Executive Summary: Pass/Fail status for all headers.
  • Vulnerability Proof: A working iframe demonstrating Clickjacking risks (if applicable).
  • Raw Data: Full HTTP request and response logs.
  • Remediation: Copy-pasteable best practices for developers.

⚠️ Disclaimer

This tool is designed for educational and ethical security testing purposes only. Do not use this tool on websites or systems you do not own or do not have explicit permission to test. The author is not responsible for any misuse or damage caused by this program.

📄 License

This project is licensed under the MIT License.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

sechead-1.2.0.tar.gz (9.4 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

sechead-1.2.0-py3-none-any.whl (10.0 kB view details)

Uploaded Python 3

File details

Details for the file sechead-1.2.0.tar.gz.

File metadata

  • Download URL: sechead-1.2.0.tar.gz
  • Upload date:
  • Size: 9.4 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for sechead-1.2.0.tar.gz
Algorithm Hash digest
SHA256 68b438918ee33e7200c5c6a1d49cb87027330933511dcaef4a2c3cec3a363b57
MD5 e8097412ddd4b70361a65b3580b8a434
BLAKE2b-256 56a1e5a0d8ba89d3dbd184c9db6c441bca1dba65dc6817c6bd947bfded64e26b

See more details on using hashes here.

Provenance

The following attestation bundles were made for sechead-1.2.0.tar.gz:

Publisher: publish.yml on h4rithd/SecHead

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file sechead-1.2.0-py3-none-any.whl.

File metadata

  • Download URL: sechead-1.2.0-py3-none-any.whl
  • Upload date:
  • Size: 10.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for sechead-1.2.0-py3-none-any.whl
Algorithm Hash digest
SHA256 8153a0a6ae8f04e657e842287bb77fcafdc5a3e6a85c72bbc0323f431ccba909
MD5 c8722fd4c25f05fbd626bffe4db1c827
BLAKE2b-256 88d1cb1185ee5e92fdaac83d3513410291c23718853cffe22d21281976703e1a

See more details on using hashes here.

Provenance

The following attestation bundles were made for sechead-1.2.0-py3-none-any.whl:

Publisher: publish.yml on h4rithd/SecHead

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page