A robust, dependency-free Python tool for auditing web security headers, referrer policies, and security-related cookie attributes. Designed for cybersecurity professionals to validate security postures across internal (VPN/Intranet) and external environments.
- Zero External Dependencies: Runs on standard Python 3 libraries (`urllib`, `sys`, `socket`). No `pip install` required.
- Strict Validation: Doesn't just check if a header exists; checks if it is secure.
  - HSTS: Validates `max-age >= 1 year (31536000s)` and presence of `includeSubDomains`.
  - CSP: Flags dangerous directives like `unsafe-inline`, `unsafe-eval`, or `default-src *`.
  - Referrer-Policy: Enforces a strict allow-list of privacy-preserving policies.
- Redirection Detection: Alerts you if the target URL redirects (e.g., from `http` to `https` or to a `/login` page) so you know exactly which page was audited.
- Auto-Fallback: Attempts a lightweight `HEAD` request first. If blocked (HTTP 405), automatically retries with `GET`.
- Cookie Auditing: Inspects every `Set-Cookie` header for `Secure`, `HttpOnly`, and `SameSite` attributes.
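The HEAD-first fetch with a GET fallback and the redirect detection described above, as an added example that is not the tool's own code. It uses only the standard library; a throwaway local HTTP server (constructed for the example) stands in for the target so it runs offline. The server's behaviour (405 on HEAD, `/` redirecting to `/login`) and the returned headers are assumptions of the example.

```python
"""Added example (not the project's own code): HEAD-first fetch with a GET
fallback on HTTP 405, plus redirect detection, standard library only.
A constructed local HTTP server stands in for the audited site."""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer


class _FakeSite(BaseHTTPRequestHandler):
    """Constructed test server: rejects HEAD, redirects / to /login."""

    def log_message(self, *args):  # keep the demo output quiet
        pass

    def do_HEAD(self):
        self.send_response(405)
        self.send_header("Allow", "GET")
        self.end_headers()

    def do_GET(self):
        if self.path == "/":
            self.send_response(302)
            self.send_header("Location", "/login")
            self.end_headers()
            return
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("X-Content-Type-Options", "nosniff")
        self.send_header("Set-Cookie",
                         "session=abc; Secure; HttpOnly; SameSite=Lax")
        self.end_headers()


def start_fake_site():
    """Start the constructed server on a free port; return (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), _FakeSite)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def fetch_headers(url, timeout=10):
    """Try HEAD; on 405 retry with GET. Returns (method, final_url, headers).

    urllib follows redirects itself, so comparing the URL we asked for with
    resp.geturl() tells us which page was actually audited. The headers are
    returned as the HTTPMessage so repeated Set-Cookie values survive.
    """
    for method in ("HEAD", "GET"):
        req = urllib.request.Request(url, method=method)
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return method, resp.geturl(), resp.headers
        except urllib.error.HTTPError as err:
            if method == "HEAD" and err.code == 405:
                continue  # server blocks HEAD: fall back to GET
            # any other error status still carries headers worth auditing
            return method, err.geturl(), err.headers
    raise RuntimeError("unreachable")


def audit(url):
    """Fetch one URL and report whether it redirected and how it was fetched."""
    method, final_url, headers = fetch_headers(url)
    redirected = final_url.rstrip("/") != url.rstrip("/")
    return {"method": method, "final_url": final_url,
            "redirected": redirected, "headers": headers}


if __name__ == "__main__":
    server, base = start_fake_site()
    result = audit(base + "/")
    if result["redirected"]:
        print("[i] Redirected to", result["final_url"])
    print("Fetched with", result["method"])
    for name, value in result["headers"].items():
        print("  %s: %s" % (name, value))
    server.shutdown()
    server.server_close()
```

Against the constructed server the HEAD attempt is refused with 405, the GET retry follows the 302 to `/login`, and the audit reports both the fallback and the final URL, which is the situation the "Redirected to login page" message covers.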
Basic

Open your terminal and run the script followed by the domains or full URLs you want to check.

```bash
python3 security_headers_check.py <domain1> <domain2> ...
```

Create Report

Great for sharing results with DevOps. This creates a clean text file with all ANSI color codes automatically removed.

Use the `-o` (or `--output`) argument:

```bash
python3 security_headers_check.py example.com -o scan_results.txt
```

Also works for multiple domains:

```bash
python3 security_headers_check.py example-one.com example-two.com -o full_audit.txt
```

Check a root domain:

```bash
python3 security_headers_check.py example.com
```

Check a subdomain:

```bash
python3 security_headers_check.py app.example.com
```

Check a specific sensitive path (useful for verifying strict CSPs on admin pages or checking specific cookies on login pages):

```bash
python3 security_headers_check.py app.example.com/admin/login
```
The script enforces the following criteria. A header is only marked as PASS if it meets the specific security requirements below:

| Header | Pass Criteria |
|---|---|
| `Strict-Transport-Security` | Must have `max-age >= 31536000` (1 year) AND include `includeSubDomains`. |
| `Content-Security-Policy` | Checked for presence. Warns if it contains `unsafe-inline`, `unsafe-eval`, or `default-src *`. |
| `X-Frame-Options` | Must be `DENY` or `SAMEORIGIN`. `ALLOW-FROM` is considered insecure (deprecated). |
| `X-Content-Type-Options` | Must be exactly `nosniff`. |
| `Referrer-Policy` | Must be one of: `no-referrer`, `same-origin`, `strict-origin`, `strict-origin-when-cross-origin`, `origin`, `origin-when-cross-origin`. |
| `Permissions-Policy` | Checked for presence. |
| `Cross-Origin-*-Policy` | Headers like `Cross-Origin-Opener-Policy` must NOT be `unsafe-none`. |
| Cookies | If `Set-Cookie` headers are detected, each cookie is individually analyzed for: 1) `Secure`: cookie is only sent over HTTPS; 2) `HttpOnly`: cookie is not accessible via JavaScript; 3) `SameSite`: must be present and be `Lax`, `Strict`, or `None` (with `Secure`). |
Cookies

If `Set-Cookie` headers are detected, each cookie is individually analyzed for:

- `Secure`: Ensures the cookie is only sent over encrypted HTTPS connections.
- `HttpOnly`: Prevents JavaScript from accessing the cookie (critical XSS mitigation).
- `SameSite`: Mitigates CSRF attacks (expects `Lax` or `Strict`).
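The pass criteria from the table above and the per-cookie checks, applied to a constructed set of response headers, as an added example that is not the tool's own code. The function names, the status strings (`PASS`, `FAIL`, `WARN`), and the sample header values are assumptions of the example; the rules they implement are the ones the table states.

```python
"""Added example (not the project's own code): the README's pass criteria
and cookie checks applied to a constructed header set."""

ONE_YEAR = 31536000
SAFE_REFERRER = {"no-referrer", "same-origin", "strict-origin",
                 "strict-origin-when-cross-origin", "origin",
                 "origin-when-cross-origin"}
CSP_RISKY = ("unsafe-inline", "unsafe-eval", "default-src *")
CHECKED = ["Strict-Transport-Security", "Content-Security-Policy",
           "X-Frame-Options", "X-Content-Type-Options", "Referrer-Policy",
           "Permissions-Policy", "Cross-Origin-Opener-Policy",
           "Cross-Origin-Embedder-Policy", "Cross-Origin-Resource-Policy"]


def _attrs(value):
    """'a=1; B; c=x' -> {'a': '1', 'b': '', 'c': 'x'} (keys lower-cased)."""
    out = {}
    for part in value.split(";"):
        key, _, val = part.strip().partition("=")
        if key:
            out[key.strip().lower()] = val.strip()
    return out


def check_header(name, value):
    """Return (status, reason) for one present header per the criteria table."""
    low = value.strip().lower()
    if name == "Strict-Transport-Security":
        a = _attrs(value)
        age = int(a["max-age"]) if a.get("max-age", "").isdigit() else 0
        if age < ONE_YEAR:
            return "FAIL", "max-age %d < %d (1 year)" % (age, ONE_YEAR)
        if "includesubdomains" not in a:
            return "FAIL", "includeSubDomains missing"
        return "PASS", "max-age >= 1 year with includeSubDomains"
    if name == "Content-Security-Policy":
        hits = [t for t in CSP_RISKY if t in low]
        if hits:
            return "WARN", "weak directives: " + ", ".join(hits)
        return "PASS", "present without known-weak directives"
    if name == "X-Frame-Options":
        if low in ("deny", "sameorigin"):
            return "PASS", value
        if low.startswith("allow-from"):
            return "FAIL", "ALLOW-FROM is deprecated and treated as insecure"
        return "FAIL", "unexpected value %r" % value
    if name == "X-Content-Type-Options":
        return ("PASS", value) if low == "nosniff" else ("FAIL", "must be exactly nosniff")
    if name == "Referrer-Policy":
        return ("PASS", value) if low in SAFE_REFERRER else ("FAIL", "%r is not in the allow-list" % value)
    if name.startswith("Cross-Origin-"):
        return ("FAIL", "unsafe-none") if low == "unsafe-none" else ("PASS", value)
    return "PASS", "present"  # Permissions-Policy: presence only


def check_cookie(set_cookie):
    """Return (cookie_name, [(status, reason), ...]) for one Set-Cookie value."""
    pair, _, rest = set_cookie.partition(";")
    name = pair.split("=", 1)[0].strip()
    a = _attrs(rest)  # attributes only, so a cookie named 'Secure' cannot fool us
    findings = [
        ("PASS", "Secure") if "secure" in a else ("FAIL", "Secure missing"),
        ("PASS", "HttpOnly") if "httponly" in a else ("FAIL", "HttpOnly missing"),
    ]
    ss = a.get("samesite", "").lower()
    if ss in ("lax", "strict"):
        findings.append(("PASS", "SameSite=" + ss.capitalize()))
    elif ss == "none":
        findings.append(("PASS", "SameSite=None with Secure") if "secure" in a
                        else ("FAIL", "SameSite=None requires Secure"))
    else:
        findings.append(("FAIL", "SameSite missing or invalid"))
    return name, findings


def audit(headers):
    """headers: header name -> value or list of values. Returns a report dict."""
    norm = {k.lower(): v for k, v in headers.items()}
    report = {}
    for name in CHECKED:
        v = norm.get(name.lower())
        if v is None:
            report[name] = ("FAIL", "header missing")
        else:
            report[name] = check_header(name, v if isinstance(v, str) else v[0])
    cookies = norm.get("set-cookie", [])
    cookies = [cookies] if isinstance(cookies, str) else cookies
    report["cookies"] = dict(check_cookie(c) for c in cookies)
    return report


SAMPLE = {  # constructed response headers, not taken from any real site
    "Strict-Transport-Security": "max-age=86400",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "ALLOW-FROM https://example.com",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "unsafe-url",
    "Permissions-Policy": "camera=(), microphone=()",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Set-Cookie": ["session=abc; Secure; HttpOnly; SameSite=Lax",
                   "tracker=1; SameSite=None"],
}

if __name__ == "__main__":
    report = audit(SAMPLE)
    for name in CHECKED:
        print("[%s] %s: %s" % (report[name][0], name, report[name][1]))
    for cookie, findings in report["cookies"].items() or [("(none)", [("INFO", "No cookies found")])]:
        print("Cookie %s: %s" % (cookie, "; ".join("%s %s" % f for f in findings)))
```

Run as-is it reports the constructed sample the way the legend describes: HSTS fails on a one-day `max-age`, the CSP only warns because the header is present, `ALLOW-FROM` and `unsafe-url` fail outright, the first cookie passes every attribute check, and the second fails all three because `SameSite=None` without `Secure` is rejected.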
- `[✓]` Green: Header is present and configured securely.
- `[✗]` Red: Header is missing OR configured insecurely (e.g., HSTS `max-age=0` or `X-Frame-Options: ALLOW-FROM`).
- `[!]` Yellow: Header is present but contains potentially weak directives (e.g., CSP `unsafe-inline` warning).
- `[ℹ]` Blue: Informational messages (e.g., "Redirected to login page" or "No cookies found").