First release, and a pre-release. In short: core functionality is all done, with just two or three QoL TODOs left.
A lightweight security header checker written in Go. It performs an HTTP request to a target endpoint and evaluates security-relevant response headers.
- Parses and evaluates common security headers such as Strict-Transport-Security, X-Frame-Options, Content-Security-Policy, and more.
- Data sourced and collated from multiple standards, including latest OWASP guides.
- Incorporated CSPEvaluator.
- Supports custom headers and cookies.
- Supports API-only mode, checking only headers relevant to APIs.
- Cross-compiled static binaries.
- CLI, HTML, and CSV outputs.
```
HeadsUp - Web application security headers checker

Usage:
  headsup [-h/--help] [-a/--api] [-v/--verbose] [-H/--headers 'header: val']
          [-c/--cookies 'name=value'] URL

Positional Argument:
  URL            Full URL of the target website. Required.

Flags:
  -h/--help      Show this help message.
  -a/--api       Enable API mode. Only headers relevant to APIs would be checked.
                 Off by default.
  -v/--verbose   Print full report to STDOUT. Off by default.
  -H/--headers   Set custom headers to be sent with the request. Multiple
                 headers can be specified in a single argument when separated with
                 semicolons, such as 'Header1: val1; Header2: val2'.
  -c/--cookies   Set custom cookies to be sent with the request. Multiple
                 cookies can be specified in a single argument when separated with
                 semicolons, such as 'name1=val1; name2=val2'.
```
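
As an added example (not HeadsUp's own code), here is the kind of evaluation described at the top of this page, grading Strict-Transport-Security and X-Frame-Options on a response. The function names, the OK/WEAK/MISSING statuses and the one-year max-age threshold are assumptions made for this sketch.

```go
package main

import (
	"fmt"
	"net/http"
	"strconv"
	"strings"
)

// Assumed threshold for this example (one year), not HeadsUp's rule set.
const minHSTSMaxAge = 31536000 // seconds

// checkHSTS grades Strict-Transport-Security by its max-age directive.
func checkHSTS(h http.Header) string {
	v := h.Get("Strict-Transport-Security")
	if strings.TrimSpace(v) == "" {
		return "MISSING"
	}
	for _, d := range strings.Split(v, ";") {
		k, val, _ := strings.Cut(strings.TrimSpace(d), "=")
		if strings.EqualFold(strings.TrimSpace(k), "max-age") {
			age, err := strconv.Atoi(strings.Trim(strings.TrimSpace(val), `"`))
			if err == nil && age >= minHSTSMaxAge {
				return "OK"
			}
			return "WEAK" // unparsable or shorter than the threshold
		}
	}
	return "WEAK" // header present but no max-age directive
}

// checkXFO accepts only DENY and SAMEORIGIN, compared case-insensitively.
func checkXFO(h http.Header) string {
	switch strings.ToUpper(strings.TrimSpace(h.Get("X-Frame-Options"))) {
	case "DENY", "SAMEORIGIN":
		return "OK"
	case "":
		return "MISSING"
	}
	return "WEAK" // e.g. the obsolete ALLOW-FROM form
}

func main() {
	// Constructed sample response headers, not captured from a real site.
	h := http.Header{}
	h.Set("Strict-Transport-Security", "max-age=300; includeSubDomains")
	h.Set("X-Frame-Options", "ALLOW-FROM https://example.com")
	fmt.Println("HSTS:", checkHSTS(h), "| X-Frame-Options:", checkXFO(h))
}
```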