Skip to content

gildasio/h2t

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

11 Commits
docs
docs
 
 
headers
headers
 
 
src
src
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
h2t.py
h2t.py
 
 
requirements.txt
requirements.txt
 
 

Repository files navigation

h2t - HTTP Hardening Tool

Description

h2t is a simple tool to help sysadmins to hardening their websites.

Until now h2t checks the website headers and recommends how to make it better.

Dependences

Install

$ git clone https://github.com/gildasio/h2t $ cd h2t $ pip install -r requirements.txt $ ./h2t.py -h

Usage

h2t has subcommands: list and scan.

$ ./h2t.py -h | /~\ | |/~\ ./~|~ | |/__ | https://github.com/gildasio/h2t usage: h2t.py [-h] {list,l,scan,s} ... h2t - HTTP Hardening Tool positional arguments: {list,l,scan,s} sub-command help list (l) show a list of cataloged headers (allowed for use in -H scan option) scan (s) scan url to hardening headers optional arguments: -h, --help show this help message and exit

List Subcommand

The list subcommand lists all headers cataloged in h2t and can show informations about it as a description, links for more information and for how to's.

$ ./h2t.py list -h ____ ____ ____ ||h |||2 |||t || ||__|||__|||__|| |/__\|/__\|/__\| https://github.com/gildasio/h2t usage: h2t.py list [-h] [-v] [-a | -H HEADERS [HEADERS ...]] optional arguments: -h, --help show this help message and exit -v, --verbose increase output verbosity -a, --all List all cataloged headers -H HEADERS [HEADERS ...], --headers HEADERS [HEADERS ...] a list of headers to show from catalog

Scan Subcommand

The scan subcommand perform a scan in a website looking for their headers.

$ ./h2t.py s -h _ ___ _ | | |__ \| | | |__ ) | |_ | '_ \ / /| __| | | | |/ /_| |_ |_| |_|____|\__| https://github.com/gildasio/h2t usage: h2t.py scan [-h] [-v] [-a] [-g] [-b] [-H HEADERS [HEADERS ...]] [-n] [-u USER_AGENT] [-r | -s] url positional arguments: url url to look for optional arguments: -h, --help show this help message and exit -v, --verbose increase output verbosity -a, --all look at all cataloged headers -g, --good look at good headers only -b, --bad look at bad headers only -H HEADERS [HEADERS ...], --headers HEADERS [HEADERS ...] a list of headers to look for (see available in list sub-command) -n, --no-redirect doesn't follow http redirects -u USER_AGENT, --user-agent USER_AGENT set user agent to request -r, --recommendation output only recommendations -s, --status output actual status (eg: existent headers only)

Output

For now the output is only in normal mode. Understant it as follows:

  • [+] Red Headers are bad headers that open a breach on your website or maybe show a lots of information. We recommend fix it.
  • [+] Yellow Headers are good headers that is not applied on your website. We recommend apply them.
  • [-] Green Headers are good headers that is already used in your website. It's shown when use -s flag.

Example:

h2t agains hack.me

  • Cookie HTTP Only would be good to be applied
  • Cookie over SSL/TLS would be good to be applied
  • Server header would be good to be removed
  • Referrer-Policy would be good to be applied
  • X-Frame-Options is already in use, nothing to do here
  • X-XSS-Protection is already in use, nothing to do here

Screenshots

Help

h2t help menu

h2t help menu for list subcommand

h2t help menu for scan subcommand

My website

h2t against my website

About

h2t (HTTP Hardening Tool) scans a website and suggests security headers to apply

certbahia.pop-ba.rnp.br/projects/h2t/

Topics

http security hardening headers defense web-application-security

Resources

Readme

License

MIT license

Contributing

Contributing
Activity

Stars

411 stars

Watchers

8 watching

Forks

36 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 6

Languages