Skip to main content

HTTP Observatory: a set of tests and tools to scan your website for basic web hygeine.

Project description

Mozilla HTTP Observatory - Build Status Requirements Status

The Mozilla HTTP Observatory is a set of tools to analyze your website and inform you if you are utilizing the many available methods to secure it.

It is split into three projects:

Scanning sites with the HTTP Observatory

Sites can be scanned using:

Contributing

Prerequisites

  • Python 3.7
  • Git
  • pip3

Notes

These instructions assume that you have a working Python3.7 development environment with pip3 installed and capable of building requirements, which may require installing an additional python OS package (-dev, -devel).

If this is not appropriate for your environment, you may install the appropriate requirements using your OS package manager (or other means) and skip the pip3 -r requirements command.

Running a scan from the local codebase, without DB, for continuous integration

# Install the HTTP Observatory
$ git clone https://github.com/mozilla/http-observatory.git
$ cd http-observatory
$ pip3 install --upgrade .
$ pip3 install --upgrade -r requirements.txt

Using the local scanner function calls

>>> from httpobs.scanner.local import scan
>>> scan('observatory.mozilla.org')  # a scan with default options
>>> scan('observatory.mozilla.org',  # all the custom options
         http_port=8080,             # http server runs on port 8080
         https_port=8443,            # https server runs on port 8443
         path='/foo/bar',            # don't scan /, instead scan /foo/bar
         cookies={'foo': 'bar'},     # set the "foo" cookie to "bar"
         headers={'X-Foo': 'bar'},   # send an X-Foo: bar HTTP header
         verify=False)               # treat self-signed certs as valid for tests like HSTS/HPKP

The same, but with the local CLI

$ httpobs-local-scan --http-port 8080 --https-port 8443 --path '/foo/bar' \
    --cookies '{"foo": "bar"}' --headers '{"X-Foo": "bar"}' --no-verify mozilla.org

Running a local scanner with Docker

# Install the HTTP Observatory client and requests library
$ git clone https://github.com/mozilla/http-observatory.git
$ cd http-observatory
$ pip3 install .
$ pip3 install --upgrade requests

# Create docker machine
$ docker-machine create --driver virtualbox --virtualbox-disk-size "40000" http-observatory

# Save the URL to the API in your .profile, .bash_profile, or whatever
$ echo export HTTPOBS_API_URL=http://$(docker-machine ip http-observatory):57001/api/v1 >> ~/.profile
$ . ~/.profile

# Start up the docker instance and install all the pieces
$ eval $(docker-machine env http-observatory)
$ docker-compose up -d

Creating a local installation (tested on Ubuntu 15)

# Install git, postgresql, and redis
# sudo -s
# apt-get install -y git libpq-dev postgresql redis-server

# Clone the repo
# cd /opt
# git clone https://github.com/mozilla/http-observatory.git
# cd http-observatory

# Install the observatory and scanner
# pip install .
# pip3 install -r requirements.txt

# Install the database
# su - postgres
$ createdb http_observatory
$ psql http_observatory < httpobs/database/schema.sql
$ psql http_observatory
http_observatory=# \password httpobsapi
http_observatory=# \password httpobsscanner
# vi /etc/postgresql/9.4/main/postgresql.conf (set max_connections = 512, shared_buffers = 256MB)
# service postgresql restart

# Create the httpobs user, and log/pid directories
# useradd -m httpobs
# install -m 750 -o httpobs -g httpobs -d /var/run/httpobs /var/log/httpobs

# Update the environmental variables
# su - httpobs
$ echo export HTTPOBS_API_URL="http://localhost:57001/api/v1" >> ~/.profile

# Start the scanner
$ cd /opt/http-observatory
$ HTTPOBS_DATABASE_USER="httpobsscanner" HTTPOBS_DATABASE_PASS="....." \
    /opt/http-observatory/httpobs/scripts/httpobs-scan-worker

# Start the API (in another terminal)
# HTTPOBS_DATABASE_USER="httpobsapi" HTTPOBS_DATABASE_PASS="....." \
    uwsgi --http :57001 --wsgi-file httpobs/website/main.py --processes 8 --callable app --master

Authors

  • April King

License

  • Mozilla Public License Version 2.0

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

httpobs_final-0.9.3.tar.gz (1.1 MB view details)

Uploaded Source

Built Distribution

httpobs_final-0.9.3-py3-none-any.whl (1.2 MB view details)

Uploaded Python 3

File details

Details for the file httpobs_final-0.9.3.tar.gz.

File metadata

  • Download URL: httpobs_final-0.9.3.tar.gz
  • Upload date:
  • Size: 1.1 MB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/4.0.1 CPython/3.8.10

File hashes

Hashes for httpobs_final-0.9.3.tar.gz
Algorithm Hash digest
SHA256 044193fa9b69f6293642b61ddba1df54ffb5b63f54c691afc3c30c782996feba
MD5 c1bc4cbd2d11ec272181421622668787
BLAKE2b-256 0f48110327c7df96aef98eacbd380f4cf6326cbcd00a6113ac5b8244b979c7aa

See more details on using hashes here.

File details

Details for the file httpobs_final-0.9.3-py3-none-any.whl.

File metadata

File hashes

Hashes for httpobs_final-0.9.3-py3-none-any.whl
Algorithm Hash digest
SHA256 76eb6b4020eb02fb288126c91c28d3923fb9c9228877f33e9278183009d29de5
MD5 42f760bfcc26b9c54d862ba3f0e3f3c8
BLAKE2b-256 b9b7a5816ed55cdd3878de18d040b9e50db289e63c2f336a70c0787ade55482b

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page