
HTTP Observatory: a set of tests and tools to scan your website for basic web hygiene.

Project description

Mozilla HTTP Observatory

The Mozilla HTTP Observatory is a set of tools to analyze your website and inform you if you are utilizing the many available methods to secure it.

It is split into three projects:

Scanning sites with the HTTP Observatory

Sites can be scanned using:

Contributing

Prerequisites

  • Python 3.7
  • Git
  • pip3

Notes

These instructions assume that you have a working Python 3.7 development environment with pip3 installed and capable of building requirements, which may require installing an additional Python OS package (-dev, -devel).

If this is not appropriate for your environment, you may install the appropriate requirements using your OS package manager (or other means) and skip the pip3 install -r requirements.txt command.

Running a scan from the local codebase, without DB, for continuous integration

# Install the HTTP Observatory
$ git clone https://github.com/mozilla/http-observatory.git
$ cd http-observatory
$ pip3 install --upgrade .
$ pip3 install --upgrade -r requirements.txt

Using the local scanner function calls

>>> from httpobs.scanner.local import scan
>>> scan('observatory.mozilla.org')  # a scan with default options
>>> scan('observatory.mozilla.org',  # all the custom options
         http_port=8080,             # http server runs on port 8080
         https_port=8443,            # https server runs on port 8443
         path='/foo/bar',            # don't scan /, instead scan /foo/bar
         cookies={'foo': 'bar'},     # set the "foo" cookie to "bar"
         headers={'X-Foo': 'bar'},   # send an X-Foo: bar HTTP header
         verify=False)               # treat self-signed certs as valid for tests like HSTS/HPKP

The same, but with the local CLI

$ httpobs-local-scan --http-port 8080 --https-port 8443 --path '/foo/bar' \
    --cookies '{"foo": "bar"}' --headers '{"X-Foo": "bar"}' --no-verify mozilla.org
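As an added example (not part of the httpobs project), a CI gate built on the local scan() call above: it applies a minimum-grade and required-test policy to the returned result dict so a pipeline can fail on regressions. The result shape, the test key names and the grade scale are assumptions about the scanner's output; check them against your installed version.

```python
"""CI gate for HTTP Observatory local scans (added example, not project code).

Assumes scan() returns {'scan': {'grade': ..., 'score': ...},
'tests': {name: {'pass': bool, 'result': str, ...}}} as the local scanner does;
check the shape against your installed httpobs version.
"""

# Observatory letter grades, best first (assumption: this ordering matches the
# scanner's own grade scale; adjust if your version differs).
GRADE_ORDER = ["A+", "A", "A-", "B+", "B", "B-", "C+", "C", "C-",
               "D+", "D", "D-", "F"]

# Tests a release must pass regardless of the overall grade (a policy choice;
# the names are assumed to match the scanner's test keys).
REQUIRED_TESTS = ("strict-transport-security", "cookies", "x-content-type-options")


def grade_rank(grade):
    """Lower rank is better; unknown or missing grades rank worst."""
    try:
        return GRADE_ORDER.index(grade)
    except ValueError:
        return len(GRADE_ORDER)


def evaluate(result, minimum_grade="B", required_tests=REQUIRED_TESTS):
    """Return (ok, reasons) for a scan result dict judged against the policy."""
    reasons = []
    scan_summary = result.get("scan", {})
    tests = result.get("tests", {})
    if grade_rank(scan_summary.get("grade")) > grade_rank(minimum_grade):
        reasons.append("grade %s below minimum %s (score %s)" % (
            scan_summary.get("grade"), minimum_grade, scan_summary.get("score")))
    for name in required_tests:
        test = tests.get(name)
        if test is None:
            reasons.append("required test %s missing from results" % name)
        elif not test.get("pass"):
            reasons.append("%s failed: %s" % (name, test.get("result")))
    return (not reasons, reasons)


def run_gate(hostname, **scan_options):
    """Scan with the local scanner and return a process exit code for CI."""
    from httpobs.scanner.local import scan  # lazy import: needs httpobs and network
    ok, reasons = evaluate(scan(hostname, **scan_options))
    for reason in reasons:
        print("FAIL:", reason)
    return 0 if ok else 1
```

Call run_gate('example.org', https_port=8443) from the CI step and fail the job on a non-zero return; the same scan options as the scan() call above are passed through.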

Running a local scanner with Docker

# Install the HTTP Observatory client and requests library
$ git clone https://github.com/mozilla/http-observatory.git
$ cd http-observatory
$ pip3 install .
$ pip3 install --upgrade requests

# Create docker machine
$ docker-machine create --driver virtualbox --virtualbox-disk-size "40000" http-observatory

# Save the URL to the API in your .profile, .bash_profile, or whatever
$ echo export HTTPOBS_API_URL=http://$(docker-machine ip http-observatory):57001/api/v1 >> ~/.profile
$ . ~/.profile

# Start up the docker instance and install all the pieces
$ eval $(docker-machine env http-observatory)
$ docker-compose up -d

Creating a local installation (tested on Ubuntu 15)

# Install git, postgresql, and redis
# sudo -s
# apt-get install -y git libpq-dev postgresql redis-server

# Clone the repo
# cd /opt
# git clone https://github.com/mozilla/http-observatory.git
# cd http-observatory

# Install the observatory and scanner
# pip install .
# pip3 install -r requirements.txt

# Install the database
# su - postgres
$ createdb http_observatory
$ psql http_observatory < httpobs/database/schema.sql
$ psql http_observatory
http_observatory=# \password httpobsapi
http_observatory=# \password httpobsscanner
# vi /etc/postgresql/9.4/main/postgresql.conf (set max_connections = 512, shared_buffers = 256MB)
# service postgresql restart

# Create the httpobs user, and log/pid directories
# useradd -m httpobs
# install -m 750 -o httpobs -g httpobs -d /var/run/httpobs /var/log/httpobs

# Update the environmental variables
# su - httpobs
$ echo export HTTPOBS_API_URL="http://localhost:57001/api/v1" >> ~/.profile

# Start the scanner
$ cd /opt/http-observatory
$ HTTPOBS_DATABASE_USER="httpobsscanner" HTTPOBS_DATABASE_PASS="....." \
    /opt/http-observatory/httpobs/scripts/httpobs-scan-worker

# Start the API (in another terminal)
# HTTPOBS_DATABASE_USER="httpobsapi" HTTPOBS_DATABASE_PASS="....." \
    uwsgi --http :57001 --wsgi-file httpobs/website/main.py --processes 8 --callable app --master

Authors

  • April King

License

  • Mozilla Public License Version 2.0

Download files


Source Distribution

httpobs-0.9.3.tar.gz (1.2 MB, Source)

Built Distribution

httpobs-0.9.3-py3-none-any.whl (1.2 MB, Python 3)

File details

Details for the file httpobs-0.9.3.tar.gz.

File metadata

  • Download URL: httpobs-0.9.3.tar.gz
  • Size: 1.2 MB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.8.0 pkginfo/1.8.2 readme-renderer/24.0 requests/2.27.1 requests-toolbelt/0.9.1 urllib3/1.26.9 tqdm/4.38.0 importlib-metadata/4.6.1 keyring/19.2.0 rfc3986/1.4.0 colorama/0.4.3 CPython/3.6.9

File hashes

Hashes for httpobs-0.9.3.tar.gz
Algorithm Hash digest
SHA256 b1207285e1ac705c07419d9ebd431be02508ac99092d9cafcd97fd3a6be7abfe
MD5 c82f6d4ee526f83d923461f4a0da9507
BLAKE2b-256 125d6ce1553fd1d70c6aa7a3d049a6d0c03e194fe5b943615085df626340ac21


File details

Details for the file httpobs-0.9.3-py3-none-any.whl.

File metadata

  • Download URL: httpobs-0.9.3-py3-none-any.whl
  • Size: 1.2 MB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/3.8.0 pkginfo/1.8.2 readme-renderer/24.0 requests/2.27.1 requests-toolbelt/0.9.1 urllib3/1.26.9 tqdm/4.38.0 importlib-metadata/4.6.1 keyring/19.2.0 rfc3986/1.4.0 colorama/0.4.3 CPython/3.6.9

File hashes

Hashes for httpobs-0.9.3-py3-none-any.whl
Algorithm Hash digest
SHA256 5b1e0afd6bab1fbcd3010a6906c868e302d17bec375724ac8e10e0275f80ffe0
MD5 bdc2772089ab617235c5718c03614062
BLAKE2b-256 d7da126566b17f6fd033f63d65894acb14344281aafdd9aab231ec13c0e1e51d
