OWASP Security Header Checker Tool

Javelin
5 min readSep 7, 2024

--

Source Code link

Download link

What are OWASP Security Headers?

OWASP (Open Web Application Security Project) is a nonprofit organization focused on improving the security of software. One of its key projects is the OWASP Secure Headers Project, which provides guidance on HTTP response headers that can enhance the security of web applications. These headers help protect against various types of attacks, such as cross-site scripting (XSS), clickjacking, and data theft.

Importance of Security Headers

Security headers are crucial for the following reasons:

  • Protection Against Attacks: They help mitigate common web vulnerabilities by instructing the browser on how to handle content. For example, the Content-Security-Policy header can prevent XSS attacks by controlling which resources can be loaded.
  • Data Integrity: Headers like Strict-Transport-Security ensure that communications between the client and server are secure, preventing man-in-the-middle attacks.
  • User Privacy: Headers such as Referrer-Policy and Permissions-Policy help protect user data and privacy by controlling what information is shared with third parties.
  • Compliance: Many regulations and standards require the implementation of certain security measures, including the use of security headers.
  • Best Practices: Implementing security headers is considered a best practice in web development, contributing to a more secure application overall.

OWASP security headers can be implemented in various ways, depending on the architecture of your web application and the technologies you are using. Here are the primary methods for implementing these headers:

1. Web Server Configuration

Most web servers allow you to set HTTP headers directly in their configuration files. This is often the most efficient way to implement security headers, as it applies to all responses served by the server. Here are examples for popular web servers:

  • Apache: You can add security headers in the .htaccess file or the main configuration file (httpd.conf) using the Header directive. For example:
Header set X-Content-Type-Options "nosniff"
Header set X-Frame-Options "DENY"
Header set Strict-Transport-Security "max-age=31536000; includeSubDomains"
  • Nginx: You can set headers in the server block of your configuration file:
add_header X-Content-Type-Options "nosniff";
add_header X-Frame-Options "DENY";
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

2. Server-Side Programming Languages

If you are using a server-side programming language (like PHP, Python, Node.js, etc.), you can set HTTP headers programmatically in your application code. This allows for more dynamic control over which headers are sent based on specific conditions. Here are examples in different languages:

PHP:

header("X-Content-Type-Options: nosniff");
header("X-Frame-Options: DENY");
header("Strict-Transport-Security: max-age=31536000; includeSubDomains");

Python (Flask):

from flask import Flask, make_response

app = Flask(__name__)

@app.after_request
def apply_security_headers(response):
response.headers["X-Content-Type-Options"] = "nosniff"
response.headers["X-Frame-Options"] = "DENY"
response.headers["Strict-Transport-Security"] = "max-age=31536000; includeSubDomains"
return response

Node.js (Express):

const express = require('express');
const app = express();

app.use((req, res, next) => {
res.setHeader("X-Content-Type-Options", "nosniff");
res.setHeader("X-Frame-Options", "DENY");
res.setHeader("Strict-Transport-Security", "max-age=31536000; includeSubDomains");
next();
});

3. Meta Tags

While HTTP headers are the preferred method for implementing security measures, some security headers can also be set using HTML meta tags. This method is less effective than server-side headers because meta tags are processed after the HTTP headers, but it can still provide a layer of security, especially for content security policies. Here’s how you can use meta tags:

<meta http-equiv="Content-Security-Policy" content="default-src 'self';">
<meta name="referrer" content="no-referrer">

Warning: Setting some headers, like X-Frame-Options, inside the <meta> element (e.g., <meta http-equiv=”X-Frame-Options” content=”deny”>) has no effect and should not be used! Headers like X-Frame-Options are only enforced via HTTP headers.

How to Use the OWASP Security Header Checker Tool

The OWASP Security Header Checker Tool provides a user-friendly interface for checking the security headers of a specified URL. Here’s a step-by-step guide on how to use the tool effectively:

Step 1: Launch the Tool

  1. Locate the Executable: Find the Check.exe file on your computer.
  2. Run the Application: Double-click on Check.exe to launch the tool. A window will appear with the user interface.

Step 2: Input the URL

  • Enter the URL: In the “URL” field, type the website you want to check. Ensure that the URL starts with http:// or https://. If you omit the protocol, the tool will automatically default to https://.

Step 3: Set Crawl Time

  • Specify Crawl Time: In the “Crawl Time (Seconds)” field, enter the amount of time (in seconds) you want the tool to spend checking the headers. The default value is set to 30 seconds, but you can adjust this based on your needs.

Step 4: Start the Header Check

  • Click the “Check Headers” Button: Once you have entered the URL and set the crawl time, click the “Check Headers” button to initiate the process. The tool will begin fetching the security headers for the specified URL.

Step 5: Monitor the Progress

  • View Status Updates: As the tool checks the headers, it will display status updates in the status label at the bottom of the window. This will inform you of the current URL being tested and the remaining time for the crawl.

Step 6: Review the Results

  • Check the Results Table: The results will be displayed in a table format below the input fields. Each row will show:
  • Tested URL: The URL that was checked.
  • Header Name: The name of the security header being evaluated.
  • Status: Indicates whether the header is present (OK) or missing (Missing). If a header is missing but present in meta tags, it will indicate that as well.

Step 7: Stop the Process (if needed)

  • Click the “Stop Check” Button: If you wish to halt the crawling process at any time, click the “Stop Check” button. This will stop any ongoing checks and update the status label accordingly.

Step 8: Copy Information to Clipboard

  • Right-Click for Context Menu: If you want to copy specific information from the results, right-click on any row in the results table. A context menu will appear with options to copy:
  • Copy URL: Copies the tested URL to your clipboard.
  • Copy Header Name: Copies the name of the header to your clipboard.
  • Copy Status: Copies the status of the header to your clipboard.
  • Copy Value: Copies the Value of the header to your clipboard.

Conclusion

Using the OWASP Security Header Checker Tool (Check.exe) is straightforward and efficient. By following these steps, you can easily check the security headers of any website, helping you ensure that your web applications are secure and compliant with best practices. Regularly using this tool can aid in maintaining a robust security posture for your web applications.

--

--