Audit your HTTP response headers for misconfigurations and enforce custom security rules!
Project description
DrHeaderPlus
There are a number of HTTP headers which enhance the security of a website when used. Often ignored, or unknown, these HTTP security headers help prevent common web application vulnerabilities when used.
DrHeaderPlus helps with the audit of security headers received in response to a single request or a list of requests.
When combined with the OWASP Application Security Verification Standard (ASVS) 4.0, it is a useful tool to include as part of an automated CI/CD pipeline which checks for missing HTTP headers.
DrHeaderPlus is a modernized fork of the original drHEADer project by Santander UK Security Engineering.
Installation
Requires Python 3.12+. Install from PyPI:
pip install drheaderplus
How Do I Use It?
There are two ways you could use DrHeaderPlus, depending on what you want to achieve. The easiest way is using the CLI.
CLI
For details on using the CLI, see CLI.md
In a Project
It is also possible to call DrHeaderPlus from within an existing project, and this is achieved like so:
from drheader import Drheader
scanner = Drheader(headers={'X-XSS-Protection': '1; mode=block'})
report = scanner.analyze()
Customize HTTP request
By default, the tool uses HEAD method when making a request, but you can change that by supplying the method argument like this:
from drheader import Drheader
scanner = Drheader(url='https://example.com', method='POST')
Other requests arguments
You can use any other arguments that are supported by requests to customise the HTTP request:
from drheader import Drheader
scanner = Drheader(url='https://example.com', headers={'X-API-Key': '726204fe-8a3a-4478-ae8f-4fb216a8c4ba'})
from drheader import Drheader
scanner = Drheader(url='https://example.com', verify=False)
Cross-Origin Isolation
The default rules in DrHeaderPlus support cross-origin isolation via the Cross-Origin-Embedder-Policy and
Cross-Origin-Opener-Policy headers. Due to the potential for this to break websites that have not yet properly
configured their sub-resources for cross-origin isolation, these validations are opt-in at analysis time. If you want to
enforce these cross-origin isolation validations, you must pass the cross_origin_isolated flag.
In a project:
from drheader import Drheader
scanner = Drheader(url='https://example.com')
scanner.analyze(cross_origin_isolated=True)
How Do I Customise DrHeaderPlus Rules?
DrHeaderPlus relies on a yaml file that defines the policy it will use when auditing security headers. The file is located at ./drheader/resources/rules.yml, and you can customise it to fit your particular needs. Please follow this link if you want to know more.
Notes
- On ubuntu systems you may need to install libyaml-dev to avoid errors related to a missing yaml.h.
Who Is Behind It?
DrHeaderPlus is maintained by @garootman.
The original drHEADer was developed by the Santander UK Security Engineering team:
- David Albone
- Javier Dominguez Ruiz
- Fernando Cabrerizo
- James Morris
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file drheaderplus-3.0.1a1.tar.gz.
File metadata
- Download URL: drheaderplus-3.0.1a1.tar.gz
- Upload date:
- Size: 1.8 MB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.10.2 {"installer":{"name":"uv","version":"0.10.2","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
d6ff0ba2d28e70dff2ded3dc899df343b88b2716aef5a561c17276e2132aa2e2
|
|
| MD5 |
1cc6d4ec1c56d530706f1d9a47a74b46
|
|
| BLAKE2b-256 |
1eedb0ecbdbc3ce763a3d504490793408818bc3f09ba29fb55fde2452aba25f8
|
File details
Details for the file drheaderplus-3.0.1a1-py3-none-any.whl.
File metadata
- Download URL: drheaderplus-3.0.1a1-py3-none-any.whl
- Upload date:
- Size: 19.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: uv/0.10.2 {"installer":{"name":"uv","version":"0.10.2","subcommand":["publish"]},"python":null,"implementation":{"name":null,"version":null},"distro":{"name":"Ubuntu","version":"24.04","id":"noble","libc":null},"system":{"name":null,"release":null},"cpu":null,"openssl_version":null,"setuptools_version":null,"rustc_version":null,"ci":true}
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
6c0101fd52c20431ac3316cc27658a6586081fc53da14c6ec91d6ff68c8949f3
|
|
| MD5 |
3bde200890575bb250db6ac47c230b32
|
|
| BLAKE2b-256 |
897209e5802ee4d3325b10c1779cc11d2ab4f5feb42f2dd3fbd72bf1ff837448
|
