Module 05 · HTTP Headers
Flag: --skip-headers
Audits HTTP response headers for security misconfigurations.
Required security headers
| Header | Severity if absent | Notes |
|---|---|---|
| Content-Security-Policy | MEDIUM | Also audits CSP value for unsafe-inline, unsafe-eval, wildcards |
| X-Frame-Options | MEDIUM | Clickjacking protection |
| X-Content-Type-Options | LOW | MIME sniffing prevention |
| Referrer-Policy | LOW | URL leakage control |
| Permissions-Policy | LOW | Browser API restrictions |
| Cross-Origin-Opener-Policy | LOW | Cross-origin isolation |
| Cross-Origin-Resource-Policy | LOW | Resource access control |
CSP deep audit
When CSP is present, the module further checks:
| CSP Condition | Severity |
|---|---|
| unsafe-inline or unsafe-eval present | MEDIUM |
| Wildcard (*) in script-src or default-src | HIGH |
Version-leaking headers
Headers that should not be present in production:
Server · X-Powered-By · X-AspNet-Version · X-AspNetMvc-Version · X-Generator · X-CF-Powered-By
Each one found is flagged as LOW.
Cookie security flags
Every Set-Cookie response header is analysed for:
| Missing flag | Severity |
|---|---|
| HttpOnly | MEDIUM |
| Secure | MEDIUM |
| SameSite | LOW |
| SameSite=None without Secure | MEDIUM |
HTTP → HTTPS redirect
Checks whether HTTP requests are automatically upgraded to HTTPS.
| Condition | Severity |
|---|---|
| HTTP does not redirect to HTTPS | MEDIUM |
Cache-Control
| Condition | Severity |
|---|---|
| Cache-Control header absent | LOW |
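Putting the checks above together, here is an added example (not the module's own code) that applies the page's header, CSP, version-leak, cookie and Cache-Control rules to a list of response header pairs; the function names, the SAMPLE headers and the finding strings are assumptions of this example. The HTTP → HTTPS redirect check needs a live request and is left out.

```python
REQUIRED = {  # header name -> severity if absent, per the table above
    "content-security-policy": "MEDIUM", "x-frame-options": "MEDIUM",
    "x-content-type-options": "LOW", "referrer-policy": "LOW",
    "permissions-policy": "LOW", "cross-origin-opener-policy": "LOW",
    "cross-origin-resource-policy": "LOW",
}
VERSION_LEAKING = {"server", "x-powered-by", "x-aspnet-version",
                   "x-aspnetmvc-version", "x-generator", "x-cf-powered-by"}
SAMPLE = [  # constructed response headers for the demo, not captured from a real site
    ("Server", "nginx/1.18"), ("Set-Cookie", "session=abc; Path=/; SameSite=None"),
    ("Content-Security-Policy", "default-src 'self'; script-src * 'unsafe-inline'"),
]

def audit_csp(csp):
    """CSP deep audit: unsafe keywords (MEDIUM), bare * in script-src/default-src (HIGH)."""
    findings = []
    if "'unsafe-inline'" in csp or "'unsafe-eval'" in csp:
        findings.append(("CSP allows unsafe-inline/unsafe-eval", "MEDIUM"))
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0] in ("script-src", "default-src") and "*" in parts[1:]:
            findings.append((f"Wildcard in {parts[0]}", "HIGH"))
    return findings

def audit_cookie(set_cookie):
    """Cookie flag checks for one Set-Cookie value (attribute names are case-insensitive)."""
    attrs = [a.strip().lower() for a in set_cookie.split(";")[1:]]
    findings = [(f"Cookie missing {f}", "MEDIUM") for f in ("httponly", "secure") if f not in attrs]
    samesite = [a for a in attrs if a.startswith("samesite=")]
    if not samesite:
        findings.append(("Cookie missing SameSite", "LOW"))
    elif samesite[0] == "samesite=none" and "secure" not in attrs:
        findings.append(("SameSite=None without Secure", "MEDIUM"))
    return findings

def audit_headers(headers):
    """headers: list of (name, value) pairs so repeated Set-Cookie lines survive."""
    names = {n.lower() for n, _ in headers}
    findings = [(f"Missing {h}", sev) for h, sev in REQUIRED.items() if h not in names]
    findings += [(f"Version-leaking header {n}", "LOW") for n in sorted(names & VERSION_LEAKING)]
    if "cache-control" not in names:
        findings.append(("Cache-Control header absent", "LOW"))
    deep = {"content-security-policy": audit_csp, "set-cookie": audit_cookie}
    for name, value in headers:  # per-value checks run once for every matching header line
        findings += deep.get(name.lower(), lambda v: [])(value)
    return findings
if __name__ == "__main__":
    for msg, sev in audit_headers(SAMPLE):
        print(f"[{sev}] {msg}")
```

On SAMPLE this reports 13 findings: six missing required headers, the Server leak, the absent Cache-Control, three cookie findings (including SameSite=None without Secure) and two CSP findings (unsafe-inline at MEDIUM, wildcard script-src at HIGH).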
Output files
headers/
├── response_headers.txt
└── initial_response.txt