HTTP Observatory: a command line tool to scan your website
This repository is for the HTTP Observatory command line utility. If you’re looking for the code for the HTTP Observatory itself, it can be found here.
Getting started with the HTTP Observatory
First, install the client:
$ pip install httpobs-cli
And then scan websites to your heart’s content, using our hosted service:
$ httpobs www.mozilla.org Score: 30 [E] Modifiers: [ -5] Initial redirection from http to https is to a different host, preventing HSTS [ -5] Subresource Integrity (SRI) not implemented, but all external scripts are loaded over https [ -5] X-Content-Type-Options header not implemented [ -10] X-XSS-Protection header not implemented [ -20] HTTP Strict Transport Security (HSTS) header not implemented [ -25] Content Security Policy (CSP) header not implemented $ httpobs www.google.com Score: 35 [D-] Modifiers: [ +5] Preloaded via the HTTP Public Key Pinning (HPKP) preloading process [ -5] X-Content-Type-Options header not implemented [ -20] Cookies set without using the Secure flag or set over http [ -20] HTTP Strict Transport Security (HSTS) header not implemented [ -25] Content Security Policy (CSP) header not implemented $ httpobs --zero github.com Score: 120 [A+] Modifiers: [ +5] HTTP Public Key Pinning (HPKP) header set to a minimum of 15 days (1296000) [ +5] Preloaded via the HTTP Strict Transport Security (HSTS) preloading process [ +5] Subresource Integrity (SRI) is implemented and all scripts are loaded from a similar origin [ +5] X-Frame-Options (XFO) implemented via the CSP frame-ancestors directive [ 0] All cookies use the Secure flag and all session cookies use the HttpOnly flag [ 0] Content Security Policy (CSP) implemented with 'unsafe-inline' inside style-src [ 0] Content is not visible via cross-origin resource sharing (CORS) files or headers [ 0] Contribute.json isn't required on websites that don't belong to Mozilla [ 0] Initial redirection is to https on same host, final destination is https [ 0] X-Content-Type-Options header set to "nosniff" [ 0] X-XSS-Protection header set to "1; mode=block"
If you want additional options, such as to see the raw scan output, use httpobs --help:
$ httpobs --help usage: httpobs [options] host positional arguments: host hostname of the website to scan optional arguments: -h, --help show this help message and exit -d, --debug output only raw JSON from scan and tests -r, --rescan initiate a rescan instead of showing recent scan results -v, --verbose display progress indicator -x, --hidden don't list scan in the recent scan results -z, --zero show test results that don't affect the final score
- Mozilla Public License Version 2.0