Search the Community
Showing results for tags 'h2t'.
-
h2t - HTTP Hardening Tool Description h2t is a simple tool to help sysadmins to hardening their websites. Until now h2t checks the website headers and recommends how to make it better. Dependences Python 3 colorama requests Install [Hidden Content] Usage h2t has subcommands: list and scan. ./h2t.py -h usage: h2t.py [-h] {list,l,scan,s} ... h2t - HTTP Hardening Tool positional arguments: {list,l,scan,s} sub-command help list (l) show a list of available headers in h2t catalog (that can be used in scan subcommand -H option) scan (s) scan url to hardening headers optional arguments: -h, --help show this help message and exit List Subcommand The list subcommand lists all headers cataloged in h2t and can show informations about it as a description, links for more information and for how to's. ./h2t.py list -h usage: h2t.py list [-h] [-p PRINT [PRINT ...]] [-B] [-a | -H HEADERS [HEADERS ...]] optional arguments: -h, --help show this help message and exit -p PRINT [PRINT ...], --print PRINT [PRINT ...] a list of additional information about the headers to print. For now there are two options: description and refs (you can use either or both) -B, --no-banner don't print the h2t banner -a, --all list all available headers [default] -H HEADERS [HEADERS ...], --headers HEADERS [HEADERS ...] a list of headers to look for in the h2t catalog Scan Subcommand The scan subcommand perform a scan in a website looking for their headers. ./h2t.py scan -h usage: h2t.py scan [-h] [-v] [-a] [-g] [-b] [-H HEADERS [HEADERS ...]] [-p PRINT [PRINT ...]] [-i IGNORE_HEADERS [IGNORE_HEADERS ...]] [-B] [-E] [-n] [-u USER_AGENT] [-r | -s] url positional arguments: url url to look for optional arguments: -h, --help show this help message and exit -v, --verbose increase output verbosity: -v print response headers, -vv print response and request headers -a, --all scan all cataloged headers [default] -g, --good scan good headers only -b, --bad scan bad headers only -H HEADERS [HEADERS ...], --headers HEADERS [HEADERS ...] scan only these headers (see available in list sub- command) -p PRINT [PRINT ...], --print PRINT [PRINT ...] a list of additional information about the headers to print. For now there are two options: description and refs (you can use either or both) -i IGNORE_HEADERS [IGNORE_HEADERS ...], --ignore-headers IGNORE_HEADERS [IGNORE_HEADERS ...] a list of headers to ignore in the results -B, --no-banner don't print the h2t banner -E, --no-explanation don't print the h2t output explanation -o {normal,csv,json}, --output {normal,csv,json} choose which output format to use (available: normal, csv, json) -n, --no-redirect don't follow http redirects -u USER_AGENT, --user-agent USER_AGENT set user agent to scan request -k, --insecure don't verify SSL certificate as valid -r, --recommendation output only recommendations [default] -s, --status output actual status (eg: existent headers only) Output For now the output is only in normal mode. Understant it as follows: [+] Red Headers are bad headers that open a breach on your website or maybe show a lots of information. We recommend fix it. [+] Yellow Headers are good headers that is not applied on your website. We recommend apply them. [-] Green Headers are good headers that is already used in your website. It's shown when use -s flag. Example: Cookie HTTP Only would be good to be applied Cookie over SSL/TLS would be good to be applied Server header would be good to be removed Referrer-Policy would be good to be applied X-Frame-Options is already in use, nothing to do here X-XSS-Protection is already in use, nothing to do here Screenshots List h2t catalog Scan from file Scan url Scan verbose Headers information Source & Download [Hidden Content]