A Python-based security auditing tool to analyze website security headers.
Project description
🛡️ SecHead
SecHead is a lightweight, powerful cybersecurity tool designed to audit website security headers. It helps penetration testers, developers, and security researchers identify missing or misconfigured HTTP headers that leave applications vulnerable to attacks like XSS, Clickjacking, and MIME sniffing.
Unlike simple scanners, SecHead provides context-aware analysis, explaining why a configuration is dangerous and offering best-practice remediation.
✨ Key Features
- 🛡️ Deep Header Analysis: Audits critical headers including
CSP,HSTS,X-Frame-Options,X-Content-Type-Options,Referrer-Policy, andPermissions-Policy. - 🖱️ Clickjacking PoC: Automatically detects if a site is vulnerable to Clickjacking and generates a live Proof-of-Concept iframe in the HTML report.
- 📊 Smart Reporting: Generates a beautiful, dark-mode compatible HTML Report containing raw traffic, compliance scores, and remediation guides.
- 🧬 Technology Fingerprinting: Passive detection of server technologies (e.g., IIS, Nginx, PHP, ASP.NET) based on response signatures.
- ⚡ Zero-Config: Works out of the box with a simple CLI command.
🚀 Installation
You can install SecHead directly from PyPI:
pip install SecHead
Alternatively, you can clone the repository and install it manually:
git clone https://github.com/h4rithd/SecHead.git
cd SecHead
pip install .
🛠️ Usage
- Quick Scan (Terminal Output) Run a scan against a target URL. The results will be displayed directly in your terminal with color-coded alerts.
SecHead -u https://example.com
- Generate HTML Report Save the detailed analysis to an HTML file. This report is perfect for attaching to penetration testing deliverables.
SecHead -u https://example.com -o report.html
📊 Sample Output
Terminal View
🔎 Analysis for: https://example.com
📡 Status Code: 200
🛡️ SECURITY HEADERS ANALYSIS
------------------------------------------------------------
❌ Strict-Transport-Security : MISSING
ℹ️ Forces the browser to communicate only via HTTPS.
💡 Best Practice: max-age=63072000; includeSubDomains; preload
⚠️ Issue: Header is missing entirely.
✅ X-Content-Type-Options : OK
ℹ️ Prevents the browser from 'sniffing' the response type.
💡 Best Practice: nosniff
....
HTML Report Preview
- The generated HTML report includes:
- Executive Summary: Pass/Fail status for all headers.
- Vulnerability Proof: A working iframe demonstrating Clickjacking risks (if applicable).
- Raw Data: Full HTTP request and response logs.
- Remediation: Copy-pasteable best practices for developers.
⚠️ Disclaimer
This tool is designed for educational and ethical security testing purposes only. Do not use this tool on websites or systems you do not own or do not have explicit permission to test. The author is not responsible for any misuse or damage caused by this program.
📄 License
This project is licensed under the MIT License.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file sechead-1.2.0.tar.gz.
File metadata
- Download URL: sechead-1.2.0.tar.gz
- Upload date:
- Size: 9.4 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
68b438918ee33e7200c5c6a1d49cb87027330933511dcaef4a2c3cec3a363b57
|
|
| MD5 |
e8097412ddd4b70361a65b3580b8a434
|
|
| BLAKE2b-256 |
56a1e5a0d8ba89d3dbd184c9db6c441bca1dba65dc6817c6bd947bfded64e26b
|
Provenance
The following attestation bundles were made for sechead-1.2.0.tar.gz:
Publisher:
publish.yml on h4rithd/SecHead
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
sechead-1.2.0.tar.gz -
Subject digest:
68b438918ee33e7200c5c6a1d49cb87027330933511dcaef4a2c3cec3a363b57 - Sigstore transparency entry: 907525266
- Sigstore integration time:
-
Permalink:
h4rithd/SecHead@6fa349a154b236cf4e7a9c856c7ee88bd154c742 -
Branch / Tag:
refs/tags/v1.2.0 - Owner: https://github.com/h4rithd
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@6fa349a154b236cf4e7a9c856c7ee88bd154c742 -
Trigger Event:
release
-
Statement type:
File details
Details for the file sechead-1.2.0-py3-none-any.whl.
File metadata
- Download URL: sechead-1.2.0-py3-none-any.whl
- Upload date:
- Size: 10.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
8153a0a6ae8f04e657e842287bb77fcafdc5a3e6a85c72bbc0323f431ccba909
|
|
| MD5 |
c8722fd4c25f05fbd626bffe4db1c827
|
|
| BLAKE2b-256 |
88d1cb1185ee5e92fdaac83d3513410291c23718853cffe22d21281976703e1a
|
Provenance
The following attestation bundles were made for sechead-1.2.0-py3-none-any.whl:
Publisher:
publish.yml on h4rithd/SecHead
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
sechead-1.2.0-py3-none-any.whl -
Subject digest:
8153a0a6ae8f04e657e842287bb77fcafdc5a3e6a85c72bbc0323f431ccba909 - Sigstore transparency entry: 907525268
- Sigstore integration time:
-
Permalink:
h4rithd/SecHead@6fa349a154b236cf4e7a9c856c7ee88bd154c742 -
Branch / Tag:
refs/tags/v1.2.0 - Owner: https://github.com/h4rithd
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@6fa349a154b236cf4e7a9c856c7ee88bd154c742 -
Trigger Event:
release
-
Statement type: