alhamrizvi-cloud/CSPy

CSPy - Content Security Policy & HTTP Security Headers Analyzer

A blazing-fast Rust tool for analyzing security headers and detecting misconfigurations in web applications. Perfect for security audits, CI/CD integration, and compliance checks.



🎯 Features

🔍 Comprehensive Security Checks

  • Content Security Policy (CSP): Detects unsafe-inline, unsafe-eval, wildcards, and missing directives
  • CORS: Identifies dangerous wildcard origins, credential misconfigurations, and overly permissive policies
  • HSTS: Validates max-age, checks for includeSubDomains and preload directives
  • X-Frame-Options: Checks for a missing or weak X-Frame-Options header (clickjacking protection)
  • Cookie Security: Validates Secure, HttpOnly, and SameSite flags
  • Additional Headers: Checks X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and more

⚡ Performance & Usability

  • Fast: Async I/O powered by Tokio
  • Beautiful Output: Color-coded severity levels with clear recommendations
  • Multiple Formats: Pretty CLI output, JSON for automation, or minimal mode
  • Bulk Scanning: Scan multiple URLs from a file
  • Export Results: Save findings to file for reporting

📦 Installation

From Source

git clone https://github.com/alhamrizvi-cloud/CSPy.git
cd CSPy
cargo build --release

The binary will be at target/release/cspy

Using Cargo

cargo install --path .

🚀 Usage

Basic Scan

cspy https://example.com

Scan Multiple URLs

cspy -i urls.txt

JSON Output

cspy https://example.com --output json

Save Results to File

cspy https://example.com -f report.json --output json

Silent Mode

cspy https://example.com --silent

Custom User-Agent

cspy https://example.com -A "MyScanner/1.0"

📋 Command-Line Options

Usage: cspy [OPTIONS] [URL]

Arguments:
  [URL]  Target URL to scan

Options:
  -i, --input <FILE>           Input file containing URLs (one per line)
  -o, --output <FORMAT>        Output format [default: pretty] [possible values: pretty, json, minimal]
  -f, --output-file <FILE>     Save results to file
  -s, --silent                 Silent mode (minimal output)
  -r, --redirect               Follow redirects [default: true]
      --max-redirects <NUM>    Maximum redirects to follow [default: 10]
  -t, --timeout <SECONDS>      Request timeout in seconds [default: 10]
  -A, --user-agent <STRING>    Custom User-Agent
  -h, --help                   Print help
  -V, --version                Print version

🎨 Example Output

 ______     ______     ______   __  __    
/\  ___\   /\  ___\   /\  == \ /\ \_\ \   
\ \ \____  \ \___  \  \ \  _-/ \ \____ \  
 \ \_____\  \/\_____\  \ \_\    \/\_____\ 
  \/_____/   \/_____/   \/_/     \/_____/ 
                                          
Content Security Policy & HTTP Security Headers Analyzer
By Security Researcher | v0.1.0

→ https://example.com
  Status: 200
  ⚠ Issues found:
    2 High
    3 Medium
    1 Low

  [HIGH] CSP: CSP allows 'unsafe-inline'
    → Remove 'unsafe-inline' and use nonces or hashes for inline scripts/styles

  [MEDIUM] HSTS: Missing Strict-Transport-Security header
    → Add 'Strict-Transport-Security: max-age=31536000; includeSubDomains; preload' to enforce HTTPS

  [MEDIUM] X-Frame-Options: Missing X-Frame-Options header
    → Add 'X-Frame-Options: DENY' or use CSP 'frame-ancestors 'none'' to prevent clickjacking

🔒 Security Checks Explained

Content Security Policy (CSP)

Checks for:

  • ❌ Missing CSP header
  • ❌ unsafe-inline or unsafe-eval
  • ❌ Wildcard sources in script-src
  • ❌ Missing default-src or object-src
  • ❌ Unsafe base-uri or form-action

Best Practice:

Content-Security-Policy: default-src 'self'; script-src 'self' cdn.example.com; object-src 'none'; base-uri 'self'; form-action 'self'

base-uri and form-action are listed explicitly because they do not inherit from default-src. A whole-host entry such as cdn.example.com trusts every script on that host; a per-response nonce with 'strict-dynamic' is the stronger option where the application can support it.
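The following is an added example, not CSPy's own csp.rs: a small CSP analyzer that runs the checks listed above on a raw header value. The severity levels, message wording and the set of "wildcard" sources (*, bare schemes, data:) are this example's choices, not the tool's. It also handles one edge case the list above glosses over: a script-src that carries both a nonce/hash and 'unsafe-inline' is not High, because CSP3 browsers ignore 'unsafe-inline' once a nonce or hash is present.

```rust
// Added example (not CSPy's own csp.rs). Severities and wording are this example's choices.
use std::collections::HashMap;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Severity { High, Medium, Low }

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Finding { pub severity: Severity, pub message: String }

fn finding(severity: Severity, message: impl Into<String>) -> Finding {
    Finding { severity, message: message.into() }
}

/// "dir src src; dir2 src" -> directive name (lower-cased) -> source tokens.
pub fn parse_csp(value: &str) -> HashMap<String, Vec<String>> {
    let mut map: HashMap<String, Vec<String>> = HashMap::new();
    for directive in value.split(';') {
        let mut tokens = directive.split_whitespace();
        if let Some(name) = tokens.next() {
            map.entry(name.to_ascii_lowercase()).or_default().extend(tokens.map(str::to_string));
        }
    }
    map
}

/// Fetch directives (script-src, object-src, ...) fall back to default-src when absent.
fn effective<'a>(csp: &'a HashMap<String, Vec<String>>, dir: &str) -> Option<&'a [String]> {
    csp.get(dir).or_else(|| csp.get("default-src")).map(Vec::as_slice)
}

/// '*' matches any host; a bare scheme matches any host on that scheme.
fn is_wildcard(src: &str) -> bool {
    matches!(src, "*" | "http:" | "https:" | "data:")
}

fn has_nonce_or_hash(srcs: &[String]) -> bool {
    srcs.iter().map(|s| s.trim_matches('\'')).any(|s| {
        s.starts_with("nonce-") || s.starts_with("sha256-") || s.starts_with("sha384-") || s.starts_with("sha512-")
    })
}

pub fn analyze_csp(header: Option<&str>) -> Vec<Finding> {
    let mut out = Vec::new();
    let Some(value) = header else {
        out.push(finding(Severity::High, "Missing Content-Security-Policy header"));
        return out;
    };
    let csp = parse_csp(value);

    if !csp.contains_key("default-src") {
        out.push(finding(Severity::Medium, "Missing default-src; every fetch directive not listed is unrestricted"));
    }
    if let Some(srcs) = effective(&csp, "script-src") {
        if srcs.iter().any(|s| s == "'unsafe-inline'") {
            if has_nonce_or_hash(srcs) {
                // CSP3 browsers ignore 'unsafe-inline' next to a nonce/hash; it only serves old browsers.
                out.push(finding(Severity::Low, "script-src keeps 'unsafe-inline' as a legacy fallback next to a nonce/hash"));
            } else {
                out.push(finding(Severity::High, "script-src allows 'unsafe-inline'"));
            }
        }
        if srcs.iter().any(|s| s == "'unsafe-eval'") {
            out.push(finding(Severity::Medium, "script-src allows 'unsafe-eval'"));
        }
        for s in srcs.iter().filter(|s| is_wildcard(s)) {
            out.push(finding(Severity::High, format!("script-src contains wildcard source {}", s)));
        }
    }
    if effective(&csp, "object-src").is_none() {
        out.push(finding(Severity::Medium, "Missing object-src; set object-src 'none' unless plugins are needed"));
    }
    // base-uri and form-action are document directives: they do NOT inherit from default-src.
    for dir in ["base-uri", "form-action"] {
        match csp.get(dir) {
            None => out.push(finding(Severity::Medium, format!("Missing {}; it does not inherit from default-src", dir))),
            Some(srcs) if srcs.iter().any(|s| is_wildcard(s)) => {
                out.push(finding(Severity::High, format!("{} allows a wildcard source", dir)))
            }
            Some(_) => {}
        }
    }
    out
}

fn main() {
    // Constructed sample header, not captured from a real site.
    let sample = "default-src 'self'; script-src 'self' 'unsafe-inline' https:; object-src 'none'";
    for f in analyze_csp(Some(sample)) {
        println!("[{:?}] {}", f.severity, f.message);
    }
}
```

Running the sample in main reports 'unsafe-inline' and the bare https: scheme as High, plus the missing base-uri and form-action as Medium; the best-practice header above yields no findings.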

CORS

Checks for:

  • ❌ Wildcard origin with credentials (CRITICAL)
  • ❌ Null origin allowed
  • ❌ HTTP origins
  • ❌ Wildcard methods or headers

Best Practice:

Access-Control-Allow-Origin: https://trusted.example.com
Access-Control-Allow-Methods: GET, POST
Access-Control-Allow-Credentials: true
Vary: Origin

Access-Control-Allow-Credentials: true is only safe with a single explicit origin. If the server picks the origin dynamically, match the request Origin against a fixed allowlist before echoing it (reflecting any Origin is equivalent to a wildcard that also works with credentials), and send Vary: Origin so caches do not serve one origin's response to another.
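The following is an added example, not CSPy's own cors.rs: CORS response-header checks over (name, value) pairs as a scanner would capture them. probe_origin is the Origin value the scanner sent in its request and is assumed to be attacker-chosen, which is what lets the code catch a server that reflects any Origin. The Critical severity level and all message wording are this example's choices.

```rust
// Added example (not CSPy's own cors.rs). Severities and wording are this example's choices.

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Severity { Critical, High, Medium, Low }

#[derive(Debug, Clone, PartialEq, Eq)]
pub struct Finding { pub severity: Severity, pub message: String }

fn finding(severity: Severity, message: impl Into<String>) -> Finding {
    Finding { severity, message: message.into() }
}

/// Case-insensitive lookup of a response header by name.
fn header<'a>(headers: &[(&'a str, &'a str)], name: &str) -> Option<&'a str> {
    headers.iter().find(|(n, _)| n.eq_ignore_ascii_case(name)).map(|(_, v)| v.trim())
}

/// True when a comma-separated header value contains `wanted` (case-insensitive).
fn list_has(value: Option<&str>, wanted: &str) -> bool {
    value.map_or(false, |v| v.split(',').any(|t| t.trim().eq_ignore_ascii_case(wanted)))
}

pub fn analyze_cors(probe_origin: &str, headers: &[(&str, &str)]) -> Vec<Finding> {
    let mut out = Vec::new();
    // No ACAO at all means the browser blocks cross-origin reads: nothing to report.
    let Some(acao) = header(headers, "Access-Control-Allow-Origin") else { return out };
    let creds = header(headers, "Access-Control-Allow-Credentials")
        .map_or(false, |v| v.eq_ignore_ascii_case("true"));

    if acao == "*" {
        if creds {
            out.push(finding(Severity::Critical, "Access-Control-Allow-Origin: * combined with Allow-Credentials: true"));
        } else {
            out.push(finding(Severity::Medium, "Wildcard origin: any site can read this response (acceptable only for public data)"));
        }
    } else if acao.eq_ignore_ascii_case("null") {
        out.push(finding(Severity::High, "'null' origin allowed; sandboxed iframes and data: URLs send Origin: null"));
    } else if acao == probe_origin {
        // The server echoed the origin we chose: a wildcard in effect, and one that works with credentials.
        let sev = if creds { Severity::Critical } else { Severity::High };
        out.push(finding(sev, format!("Origin {} reflected verbatim (credentials: {})", probe_origin, creds)));
    } else if acao.starts_with("http://") {
        out.push(finding(Severity::Medium, format!("Plain-HTTP origin {} trusted; a network attacker can impersonate it", acao)));
    }
    if acao != "*" && !list_has(header(headers, "Vary"), "Origin") {
        out.push(finding(Severity::Low, "Origin-specific ACAO without Vary: Origin; shared caches may serve it to other origins"));
    }
    for (name, what) in [("Access-Control-Allow-Methods", "methods"), ("Access-Control-Allow-Headers", "headers")] {
        if list_has(header(headers, name), "*") {
            out.push(finding(Severity::Medium, format!("Wildcard {} allowed", what)));
        }
    }
    out
}

fn main() {
    // Constructed response headers, not captured from a real site.
    let headers = [("Access-Control-Allow-Origin", "https://evil.example"),
                   ("Access-Control-Allow-Credentials", "true")];
    for f in analyze_cors("https://evil.example", &headers) {
        println!("[{:?}] {}", f.severity, f.message);
    }
}
```

The reflection check is the one that matters most in practice: browsers already refuse a literal * together with credentials, but a server that copies the request Origin into the response gets past that rule, so the scanner has to send an origin it controls and compare.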

HSTS

Checks for:

  • ❌ Missing HSTS header
  • ❌ max-age less than 6 months
  • ❌ Missing includeSubDomains
  • ❌ Missing preload directive

Best Practice:

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Add preload only if you intend to submit the domain to hstspreload.org, which requires a max-age of at least 31536000 (one year) together with includeSubDomains. Browsers only honour the header on responses received over HTTPS, so assess it on the HTTPS response, not on the HTTP redirect.

Cookies

Checks for:

  • ❌ Missing Secure flag
  • ❌ Missing HttpOnly flag
  • ❌ Missing SameSite attribute
  • ❌ Invalid __Host- or __Secure- prefix usage

Best Practice:

Set-Cookie: sessionid=abc123; Secure; HttpOnly; SameSite=Strict; Path=/
Set-Cookie: __Host-sessionid=abc123; Secure; HttpOnly; SameSite=Strict; Path=/

The __Host- form is stronger: browsers accept it only with Secure, Path=/ and no Domain attribute, so a subdomain cannot overwrite the cookie. __Secure- requires only Secure. A prefixed cookie that violates its rule is silently dropped, which is why the prefix check matters: the session cookie is never set at all.

🎓 Learning Resources

Security Standards

Rust HTTP


💼 Use Cases

✅ Security Audits: Quickly scan applications for header misconfigurations
✅ CI/CD Integration: Automate security checks in your pipeline
✅ Compliance: Validate PCI-DSS, SOC2, and other security requirements
✅ Bug Bounty: Find low-hanging fruit in header configurations
✅ DevSecOps: Shift-left security testing


🛠️ Development

Project Structure

cspy/
├── src/
│   ├── main.rs           # CLI and entry point
│   ├── scanner.rs        # HTTP client and orchestration
│   ├── output.rs         # Output formatting
│   └── checks/
│       ├── mod.rs        # Shared types
│       ├── csp.rs        # CSP analyzer
│       ├── cors.rs       # CORS analyzer
│       ├── hsts.rs       # HSTS analyzer
│       ├── xframe.rs     # X-Frame-Options analyzer
│       └── cookies.rs    # Cookie security analyzer
├── Cargo.toml
└── README.md

Running Tests

cargo test

Building for Release

cargo build --release

📝 Example Input File

Create a urls.txt file:

https://example.com
https://api.example.com
https://admin.example.com
https://checkout.example.com

Then scan:

cspy -i urls.txt -f results.json --output json

🤝 Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

  1. Fork the repository
  2. Create your feature branch (git checkout -b feature/AmazingFeature)
  3. Commit your changes (git commit -m 'Add some AmazingFeature')
  4. Push to the branch (git push origin feature/AmazingFeature)
  5. Open a Pull Request

📜 License

This project is licensed under the MIT License - see the LICENSE file for details.


🙏 Acknowledgments

  • OWASP for security best practices
  • Mozilla for web security guidelines
  • The Rust community for amazing tools

🔮 Roadmap

  • WAF detection
  • Technology fingerprinting
  • HTTP/2 support
  • Comparative analysis (HTTP vs HTTPS)
  • Custom rule engine
  • PDF report generation
  • Web UI dashboard

Made with ❤️ and Rust

For security researchers, by security researchers
