humble by rfc-st

Fast, security-oriented HTTP header analysis

Created 5 years ago
361 stars

Top 77.7% on SourcePulse

Project Summary

Summary

rfc-st/humble is a fast, security-focused HTTP header analyzer designed for technical users. It automates the detection of security misconfigurations, missing headers, and potential vulnerabilities in HTTP responses, providing actionable insights and exportable reports to aid in web application security assessments.

How It Works

The tool parses HTTP response headers, performing extensive checks across 62 security-related headers. It identifies missing essential headers, flags headers used for fingerprinting, detects deprecated or insecure values, and analyzes Content Security Policy (CSP) compliance. humble can also integrate with testssl.sh for TLS/SSL vulnerability checks and offers an AI-powered analytics option for deeper insights.
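
To make the three header families described above concrete, here is a small header checker added as an illustration; it is not humble's own code, and it covers only a handful of the checks humble performs. The set of expected headers, the fingerprinting and deprecated header names, the one-year HSTS threshold and the sample response are all assumptions chosen for the example.

```python
"""Minimal HTTP security-header checker (added example, not humble's own code).

Covers a small subset of the three families humble reports on:
missing headers, fingerprinting headers, and deprecated/insecure values.
Header names and thresholds are assumptions chosen for this example.
"""
import re

# Headers a hardened HTTPS response is expected to carry (assumed subset).
EXPECTED = (
    "content-security-policy",
    "strict-transport-security",
    "x-content-type-options",
    "referrer-policy",
    "permissions-policy",
)

# Headers that disclose server/framework details usable for fingerprinting.
FINGERPRINT = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")

# Headers that are deprecated or no longer provide protection in modern browsers.
DEPRECATED = ("x-xss-protection", "expect-ct", "public-key-pins")

ONE_YEAR = 31536000  # seconds; assumed minimum acceptable HSTS max-age


def parse_headers(raw):
    """Parse a raw HTTP response (status line + header block) into
    {lowercase-name: [values...]}; repeated headers keep every value."""
    headers = {}
    lines = raw.split("\r\n") if "\r\n" in raw else raw.split("\n")
    for line in lines[1:]:            # lines[0] is the status line
        if not line.strip():          # blank line terminates the header block
            break
        name, sep, value = line.partition(":")
        if not sep:
            continue                  # malformed line without a colon: skip it
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def check_hsts(value):
    """Flag an HSTS header with no max-age or a max-age below one year."""
    m = re.search(r"max-age\s*=\s*(\d+)", value, re.I)
    if not m:
        return "strict-transport-security: missing max-age"
    if int(m.group(1)) < ONE_YEAR:
        return f"strict-transport-security: max-age {m.group(1)} below one year"
    return None


def check_csp(value):
    """Flag a CSP whose effective script source allows inline/eval, or which
    lacks frame-ancestors (the CSP replacement for X-Frame-Options)."""
    findings = []
    directives = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    # script-src falls back to default-src when absent
    script = directives.get("script-src", directives.get("default-src", []))
    if "'unsafe-inline'" in script:
        findings.append("content-security-policy: 'unsafe-inline' in script-src")
    if "'unsafe-eval'" in script:
        findings.append("content-security-policy: 'unsafe-eval' in script-src")
    if "frame-ancestors" not in directives:
        findings.append("content-security-policy: no frame-ancestors directive")
    return findings


def analyze(headers):
    """Return a report with sorted lists: missing, fingerprint, insecure."""
    missing = [h for h in EXPECTED if h not in headers]
    fingerprint = [f"{h}: {v}" for h in FINGERPRINT for v in headers.get(h, [])]
    insecure = [f"{h}: deprecated header present" for h in DEPRECATED if h in headers]
    for v in headers.get("strict-transport-security", []):
        finding = check_hsts(v)
        if finding:
            insecure.append(finding)
    for v in headers.get("content-security-policy", []):
        insecure.extend(check_csp(v))
    for v in headers.get("x-content-type-options", []):
        if v.lower() != "nosniff":
            insecure.append(f"x-content-type-options: unexpected value {v!r}")
    for v in headers.get("referrer-policy", []):
        if v.lower() == "unsafe-url":
            insecure.append("referrer-policy: unsafe-url leaks full URLs")
    return {"missing": sorted(missing), "fingerprint": sorted(fingerprint),
            "insecure": sorted(insecure)}


# Constructed sample response for demonstration (not captured from any real host).
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.4.41 (Ubuntu)\r\n"
    "X-Powered-By: PHP/7.4.3\r\n"
    "Strict-Transport-Security: max-age=3600\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html></html>"
)

if __name__ == "__main__":
    for family, items in analyze(parse_headers(SAMPLE)).items():
        print(family.upper())
        for item in items:
            print("  -", item)
```

Run against the constructed sample, the checker reports two missing headers, two fingerprinting headers, and four insecure values (a deprecated X-XSS-Protection, a short HSTS max-age, 'unsafe-inline' in script-src, and no frame-ancestors). The same structure scales to humble's much larger rule set: each family is a table of names plus a small value check, and every finding is a string that can be serialised to whichever report format is wanted.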

Quick Start & Requirements

  • Primary Install:
    • Source: Clone the repository, set up a Python 3.11+ virtual environment, and run pip3 install -r requirements.txt.
    • Docker: Build the image using docker build -t humble:TAG . and run via docker run.
    • Kali Linux: Install via sudo apt install humble.
  • Prerequisites: Python 3.11+, Docker (for Docker install), testssl.sh (optional, for TLS checks), pytest/pytest-cov (for unit tests).
  • Links: GitHub, Docs.

Highlighted Details

  • Performs 15 checks for missing headers, 1280 for fingerprinting, and 158 for deprecated/insecure values.
  • Analyzes CSP Level 3 compliance (28 checks).
  • Supports OWASP Secure Headers Project best practices.
  • Exports results to CSV, HTML, JSON, PDF, XLSX, XML, and TXT formats.
  • Integrates with testssl.sh for comprehensive SSL/TLS vulnerability scanning.
  • Includes browser support data via "Can I use" integration.
  • Tested across Docker, Kali Linux, macOS, and Windows environments.

Maintenance & Community

The project is regularly updated. While specific community channels like Discord/Slack are not listed, contribution guidelines, bug reporting, and feature requests are managed via GitHub, with numerous acknowledgements suggesting active community engagement.

Licensing & Compatibility

Licensed under the permissive MIT license, allowing for broad use, modification, and distribution, including in commercial and closed-source projects.

Limitations & Caveats

The tool's strictness may flag experimental headers or configurations that require manual validation. testssl.sh is a prerequisite for TLS/SSL checks. Unit test code coverage reporting is currently disabled on Windows.

Health Check

  • Last Commit: 1 day ago
  • Responsiveness: Inactive
  • Pull Requests (30d): 6
  • Issues (30d): 0
  • Star History: 5 stars in the last 30 days
