HeaderSentinel is a high-performance, professional HTTP security analyzer written in Go. It performs deep inspection of HTTP response headers and status behavior to identify security misconfigurations, calculate risk scores, and provide actionable remediation advice.
offsec-toolkit/headersentinel

🛡️ HeaderSentinel

🎯 Purpose

Modern web security relies heavily on correctly configured HTTP headers. HeaderSentinel empowers security engineers and developers to:

  • Audit security headers (CSP, HSTS, XFO, etc.) against best practices.
  • Trace redirect chains to detect insecure downgrades (HTTPS -> HTTP).
  • Analyze information disclosure via Server and X-Powered-By headers.
  • Benchmark security posture with an automated scoring system.
  • Integrate with CI/CD pipelines via JSON and SARIF exports.

✨ Features

  • 🚀 Ultra-Fast: Built with Go for maximum concurrency and performance.
  • 🔍 Deep Analysis: Smart logic to detect misconfigured values, not just missing headers.
  • 🔁 Redirect Tracker: Complete visibility into redirect hops and security transitions.
  • 📊 Security Scoring: Automated 0-100 score based on risk severity (Critical to Info).
  • 🍪 Cookie Security: Analyze Set-Cookie flags (HttpOnly, Secure, SameSite).
  • 🤖 CI/CD Mode: Automated failure via -fail-threshold for pipeline integration.
  • 📁 Export Ready: Support for Table, JSON, and SARIF (Static Analysis Results Interchange Format) outputs.
  • 🛠️ Bulk Processing: Scan thousands of URLs concurrently using simple input files.
  • 📦 Zero Dependencies: Minimal footprint, easy to install and deploy.
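The Redirect Tracker feature above records every hop of a redirect chain and flags HTTPS -> HTTP downgrades. The following is an added example of how that can be done with the standard library's http.Client and its CheckRedirect hook; it is not HeaderSentinel's own code, and the Hop, Downgrade, FollowChain and FindDowngrades names are this example's own. The final request's URL closes the chain, so a downgrade is detected even when the last hop lands on plain HTTP.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"time"
)

// Hop is one response in a redirect chain: the URL that was requested and
// the status code it answered with.
type Hop struct {
	URL    string
	Status int
}

// FollowChain performs a GET on start and records every hop the client
// passes through, stopping after maxHops redirects. It works on a copy of
// the caller's client so the caller's own CheckRedirect policy is untouched.
func FollowChain(base *http.Client, start string, maxHops int) ([]Hop, error) {
	var hops []Hop
	c := *base
	c.CheckRedirect = func(req *http.Request, via []*http.Request) error {
		if len(via) > maxHops {
			return fmt.Errorf("stopped after %d redirects", maxHops)
		}
		// req.Response is the redirect response that produced this request,
		// so it describes the hop we are leaving.
		if prev := req.Response; prev != nil && prev.Request != nil {
			hops = append(hops, Hop{URL: prev.Request.URL.String(), Status: prev.StatusCode})
		}
		return nil
	}
	resp, err := c.Get(start)
	if err != nil {
		return hops, err
	}
	defer resp.Body.Close()
	// The final, non-redirect response closes the chain.
	hops = append(hops, Hop{URL: resp.Request.URL.String(), Status: resp.StatusCode})
	return hops, nil
}

// Downgrade records a hop that moved from https to plain http.
type Downgrade struct {
	From, To string
}

// FindDowngrades returns every https -> http transition in the chain.
func FindDowngrades(hops []Hop) []Downgrade {
	var out []Downgrade
	for i := 1; i < len(hops); i++ {
		from, errFrom := url.Parse(hops[i-1].URL)
		to, errTo := url.Parse(hops[i].URL)
		if errFrom != nil || errTo != nil {
			continue
		}
		if from.Scheme == "https" && to.Scheme == "http" {
			out = append(out, Downgrade{From: hops[i-1].URL, To: hops[i].URL})
		}
	}
	return out
}

func main() {
	client := &http.Client{Timeout: 10 * time.Second}
	hops, err := FollowChain(client, "https://example.com", 10)
	if err != nil {
		fmt.Println("error:", err)
	}
	for i, h := range hops {
		fmt.Printf("hop %d: %d %s\n", i, h.Status, h.URL)
	}
	for _, d := range FindDowngrades(hops) {
		fmt.Printf("DOWNGRADE: %s -> %s\n", d.From, d.To)
	}
}
```

Copying the client rather than setting CheckRedirect on the shared instance matters in a concurrent bulk scan: each goroutine gets its own hop slice, and the caller's timeout and transport settings are inherited unchanged.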

🚀 Installation

Install HeaderSentinel directly using the Go toolchain. Using the -v flag is recommended to see the installation progress:

go install -v github.com/ismailtsdln/HeaderSentinel/cmd/headersentinel@latest

This will download, compile, and install the headersentinel binary into your $GOPATH/bin directory. Ensure that this directory is in your system's PATH to run the tool from anywhere.


🛠️ Usage

Quick Scan

Analyze a single target with default settings:

headersentinel -u https://example.com

Bulk Analysis

Scan multiple targets from a file with high concurrency:

headersentinel -i targets.txt -c 50

Reporting

Generate machine-readable reports for automation:

headersentinel -u https://example.com -json report.json -sarif results.sarif

Options Breakdown

Flag             Description                              Default
-u               Single URL to scan                       ""
-i               Path to bulk input file                  ""
-c               Concurrency level                        10
-t               Timeout in seconds                       10
-follow          Follow redirects                         true
-json            Path to save JSON report                 ""
-sarif           Path to save SARIF report                ""
-fail-threshold  Exit with code 1 if score < threshold    0
-silent          Suppress progress messages               false
-fix             Show Nginx/Apache remediation snippets   false

🧠 Security Checks

Header                     Risk if Missing/Bad   Description
Content-Security-Policy    High                  Prevents XSS and data injection attacks.
Strict-Transport-Security  Medium                Enforces HTTPS communication.
X-Frame-Options            Medium                Mitigates Clickjacking attacks.
X-Content-Type-Options     Low                   Prevents MIME-sniffing vulnerabilities.
Referrer-Policy            Low                   Controls information leakage in Referer headers.
Permissions-Policy         Low                   Restricts access to sensitive browser APIs.
Cross-Origin-*             Low                   Isolates documents and prevents side-channel attacks.
Server / X-Powered-By      Low                   Prevents information disclosure about the tech stack.

📊 Scoring System

HeaderSentinel assigns a security score based on the weighted severity of findings:

  • Excellent (90-100): Strong security posture.
  • Low Risk (70-89): Minor improvements possible.
  • Medium Risk (50-69): Significant security configurations missing.
  • High Risk (30-49): Critical gaps in header security.
  • Critical (0-29): Highly vulnerable configuration.
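The Security Checks table and the Scoring System bands above describe what is inspected and how the result is graded, but not the value-level logic or the weights. The following is an added example, not HeaderSentinel's own code, that ties the two together: Analyze produces findings at the table's risk levels (including cookie-flag and HSTS max-age checks, where the one-year minimum, the accepted X-Frame-Options values and the required cookie flags are this example's assumptions), Score applies an assumed per-severity penalty, and Band maps the score onto the README's ranges.

```go
package main

import (
	"fmt"
	"net/http"
	"strconv"
	"strings"
)

// Finding is one misconfiguration; Severity uses the README's level names.
type Finding struct {
	Header, Severity, Detail string
}

// Analyze inspects response headers. Risk levels follow the README table; the
// value checks (one-year HSTS minimum, XFO values, cookie flags) are assumed.
func Analyze(h http.Header) []Finding {
	var out []Finding
	add := func(name, sev, detail string) {
		out = append(out, Finding{Header: name, Severity: sev, Detail: detail})
	}
	for _, r := range []struct{ name, sev string }{
		{"Content-Security-Policy", "High"}, {"Referrer-Policy", "Low"}, {"Permissions-Policy", "Low"},
	} {
		if h.Get(r.name) == "" {
			add(r.name, r.sev, "missing")
		}
	}
	if hsts := h.Get("Strict-Transport-Security"); hsts == "" {
		add("Strict-Transport-Security", "Medium", "missing")
	} else if hstsMaxAge(hsts) < 31536000 {
		add("Strict-Transport-Security", "Medium", "max-age shorter than one year")
	}
	if xfo := strings.ToUpper(h.Get("X-Frame-Options")); xfo != "DENY" && xfo != "SAMEORIGIN" {
		add("X-Frame-Options", "Medium", "missing or not DENY/SAMEORIGIN")
	}
	if !strings.EqualFold(h.Get("X-Content-Type-Options"), "nosniff") {
		add("X-Content-Type-Options", "Low", "missing or not 'nosniff'")
	}
	for _, name := range []string{"Server", "X-Powered-By"} {
		if v := h.Get(name); v != "" {
			add(name, "Low", "discloses "+v)
		}
	}
	// Set-Cookie may be sent several times; Values keeps every line.
	for _, c := range h.Values("Set-Cookie") {
		name, lc := strings.SplitN(c, "=", 2)[0], strings.ToLower(c)
		for _, flag := range []string{"httponly", "secure", "samesite"} {
			if !strings.Contains(lc, flag) {
				add("Set-Cookie", "Low", "cookie "+name+" lacks "+flag)
			}
		}
	}
	return out
}

// hstsMaxAge extracts the max-age directive; 0 if absent or malformed.
func hstsMaxAge(v string) int {
	for _, d := range strings.Split(strings.ToLower(v), ";") {
		d = strings.TrimSpace(d)
		if strings.HasPrefix(d, "max-age=") {
			n, _ := strconv.Atoi(d[8:]) // malformed value counts as 0
			return n
		}
	}
	return 0
}

// weights is an assumed penalty per severity; the README does not publish them.
var weights = map[string]int{"Critical": 40, "High": 25, "Medium": 15, "Low": 5, "Info": 0}

// Score subtracts each finding's weight from 100, floored at 0.
func Score(findings []Finding) int {
	score := 100
	for _, f := range findings {
		score -= weights[f.Severity]
	}
	if score < 0 {
		return 0
	}
	return score
}

// Band maps a score to the README's rating bands.
func Band(score int) string {
	names := []string{"Excellent", "Low Risk", "Medium Risk", "High Risk"}
	for i, min := range []int{90, 70, 50, 30} {
		if score >= min {
			return names[i]
		}
	}
	return "Critical"
}

func main() {
	h := http.Header{} // constructed sample headers, not from a real target
	h.Set("Strict-Transport-Security", "max-age=300")
	h.Set("X-Frame-Options", "ALLOWALL")
	findings := Analyze(h)
	fmt.Printf("%d findings, score %d (%s)\n", len(findings), Score(findings), Band(Score(findings)))
}
```

The sample in main is deliberately a "present but wrong" case: both HSTS and X-Frame-Options exist, yet they still count as Medium findings, which is the distinction the Deep Analysis feature draws between a misconfigured value and a merely missing header.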

🏗️ Architecture

The project follows a clean, modular structure for maintainability and performance:

  • cmd/headersentinel: Main CLI entry point.
  • internal/scanner: Analysis logic for headers and redirects.
  • internal/rules: Definitions of security standards and risk levels.
  • internal/scoring: Mathematical calculation of the security score.
  • internal/report: Multi-format reporting engine.

📜 License

Distributed under the MIT License. See LICENSE for more information.


🤝 Contributing

Contributions are welcome! Please feel free to submit a Pull Request.


Developed with ❤️ by Ismail Tasdelen