shcheck - Security Header Check


Python Pip

python3 -m pip install shcheck


git clone && cd shcheck

Usage [options] <target>


  -h, --help            show this help message and exit
  -p PORT, --port=PORT  Set a custom port to connect to
                        Set cookies for the request
                        Add headers for the request e.g. 'Header: value'
  -d, --disable-ssl-check
                        Disable SSL/TLS certificate validation
  -g, --use-get-method  Use GET method instead HEAD method
  -j, --json-output     Print the output in JSON format
  -i, --information     Display information headers
  -x, --caching         Display caching headers
  -k, --deprecated      Display deprecated headers
  --proxy=PROXY_URL     Set a proxy (Ex:
  --hfile=PATH_TO_FILE  Load a list of hosts from a flat file
  --colours=COLOURS     Set up a colour profile [dark/light/none]
  --colors=COLOURS      Alias for colours for US English



 > - santoru ..............................
 Simple tool to check security headers on a webserver 

[*] Analyzing headers of
[*] Effective URL:
[*] Header X-Frame-Options is present! (Value: DENY)
[*] Header X-Content-Type-Options is present! (Value: nosniff)
[*] Header Strict-Transport-Security is present! (Value: max-age=15552000; includeSubDomains)
[*] Header Content-Security-Policy is present! (Value: frame-ancestors 'self'; block-all-mixed-content; upgrade-insecure-requests;)
[*] Header Referrer-Policy is present! (Value: no-referrer)
[!] Missing security header: Permissions-Policy
[!] Missing security header: Cross-Origin-Embedder-Policy
[!] Missing security header: Cross-Origin-Resource-Policy
[!] Missing security header: Cross-Origin-Opener-Policy
[!] Headers analyzed for
[+] There are 5 security headers
[-] There are not 4 security headers

URL list