hedra 2.0.2 → 2.1.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 14f6f09e8b0bf8318f6f190c0f671aaa901f08a575983ed8c1cad890c965e2a7
-  data.tar.gz: 74054507d7d981da9fedcd4830d66e6a0c7207c2d2c399f958d814c470d843d9
+  metadata.gz: b852e94cfa441a1597fb40438491f15939625b1da90734dcb0a05cb3ac06609a
+  data.tar.gz: 00bd6a8bccc0be126058ec0b8795f1b193d5e42c642041e2d5415955ccef9e81
 SHA512:
-  metadata.gz: d4a3fde0ef57eb572aba47c037a874461e140da579f644dad0b5d8ae53e09917433481734a010be02bb80a605b030f11e70b8a1c38ef64d2925f88090d58172d
-  data.tar.gz: 85a6bc6e254bc2636d38b58bb02931d52aeabe77c1cf18cd2667b99256c9b5fb1c3508e93e595e9ef38f93be628e02e96d1f1c49b54ceeb53e0d73aeead9c39d
+  metadata.gz: 908b5f2e81cefb60ee58af16e89e50f092fc7338af99bd89d1b47168a8b0ef1d65044344666f46581246405c291d69fe61a1b2e930234829d48b8003df3bfa65
+  data.tar.gz: 309c0cf041eb18ab775696d8b4ca9a8771cf8c57c75709ad86f422c42ee42aebb731f620d2f573ec8edc1f338a4a7d66ee2f8078939f3c75ed33c825c847c550

data/README.md

@@ -150,6 +150,30 @@ hedra plugin remove plugin_name
 - Signature algorithm strength
 - Key size validation
 - Chain verification
+- TLS version detection (TLS 1.2/1.3)
+- Certificate Transparency log verification
+
+**Protocol Security:**
+- HTTP/2 and HTTP/3 detection
+- TLS version enforcement
+- Insecure protocol warnings
+
+**CORS Security:**
+- Access-Control-Allow-Origin validation
+- Wildcard and null origin detection
+- Credentials with wildcard prevention
+- Dangerous HTTP methods detection
+- Sensitive header exposure checks
+
+**Subresource Integrity (SRI):**
+- External script/stylesheet SRI validation
+- Crossorigin attribute verification
+- Same-origin resource detection
+
+**DNS Security:**
+- DNSSEC validation
+- CAA (Certificate Authority Authorization) records
+- DNS-based security policy enforcement
 
 **RFC 9116:**
 - security.txt file presence and format
@@ -375,6 +399,80 @@ hedra scan -f urls.txt --output report.html --format html
 
 Interactive report with sorting, filtering, and charts.
 
+## Advanced Security Checks
+
+### Subresource Integrity (SRI)
+Validates that external scripts and stylesheets use SRI attributes to prevent tampering:
+```bash
+hedra scan https://myapp.com --check-sri
+```
+
+**Checks:**
+- External resources without integrity attributes
+- Missing crossorigin attributes
+- Same-origin vs cross-origin detection
+
+### CORS Policy Analysis
+Validates Cross-Origin Resource Sharing configuration for security issues:
+```bash
+hedra scan https://api.myapp.com --check-cors
+```
+
+**Detects:**
+- Wildcard origins with credentials (critical vulnerability)
+- Null origin allowance
+- Insecure HTTP origins
+- Dangerous HTTP methods (TRACE, TRACK)
+- Overly permissive configurations
+- Sensitive header exposure
+
+### Protocol Version Detection
+Checks HTTP and TLS protocol versions:
+```bash
+hedra scan https://myapp.com --check-protocol
+```
+
+**Validates:**
+- HTTP/1.1 vs HTTP/2 vs HTTP/3
+- TLS 1.2/1.3 enforcement
+- Deprecated protocol detection (SSLv3, TLS 1.0/1.1)
+- Protocol upgrade recommendations
+
+### Certificate Transparency
+Verifies certificates are logged in CT logs:
+```bash
+hedra audit https://myapp.com --check-ct
+```
+
+**Checks:**
+- SCT (Signed Certificate Timestamp) presence
+- Multiple independent CT logs
+- SCT delivery methods (extension, OCSP, TLS)
+
+### DNS Security
+Validates DNS-level security features:
+```bash
+hedra audit https://myapp.com --check-dns
+```
+
+**Validates:**
+- DNSSEC enablement
+- CAA records for certificate issuance control
+- CAA tags (issue, issuewild, iodef)
+- DNS-based security policies
+
+### Combined Advanced Scan
+Run all advanced checks together:
+```bash
+hedra audit https://myapp.com \
+  --check-sri \
+  --check-cors \
+  --check-protocol \
+  --check-ct \
+  --check-dns \
+  --output comprehensive-report.json
+```
+
 ## Real-World Examples
 
 ### Basic Security Audit
@@ -382,6 +480,23 @@ Interactive report with sorting, filtering, and charts.
 hedra scan https://myapp.com
 ```
 
+### Comprehensive Security Audit with All Checks
+```bash
+hedra audit https://myapp.com \
+  --check-sri \
+  --check-ct \
+  --check-dns \
+  --json \
+  --output full-audit.json
+```
+
+### Quick CORS and Protocol Check
+```bash
+hedra scan https://api.myapp.com \
+  --check-cors \
+  --check-protocol
+```
+
 ### Production Deployment Check
 ```bash
 # Save baseline after deployment
@@ -503,5 +618,3 @@ hedra scan https://slow-server.com --timeout 60
 MIT License - see [LICENSE](LICENSE) for details.
 
 ---
-
-**Built by [BlackStack](https://github.com/bl4ckstack)** • Securing the web, one header at a time.

data/lib/hedra/analyzer.rb

@@ -61,15 +61,22 @@ module Hedra
       }
     }.freeze
 
-    def initialize(check_certificates: true, check_security_txt: false)
+    def initialize(check_certificates: true, check_security_txt: false, check_sri: false, check_cors: true, check_protocol: true, check_ct: false, check_dns: false)
       @plugin_manager = PluginManager.new
       @scorer = Scorer.new
       @certificate_checker = check_certificates ? CertificateChecker.new : nil
       @security_txt_checker = check_security_txt ? SecurityTxtChecker.new : nil
+      @sri_checker = check_sri ? SriChecker.new : nil
+      @cors_checker = check_cors ? CorsChecker.new : nil
+      @protocol_checker = check_protocol ? ProtocolChecker.new : nil
+      @ct_checker = check_ct ? CtChecker.new : nil
+      @dns_checker = check_dns ? DnsChecker.new : nil
+      @custom_rules = []
+      @mutex = Mutex.new # Thread safety for custom rules
       load_custom_rules
     end
 
-    def analyze(url, headers, http_client: nil)
+    def analyze(url, headers, http_client: nil, response: nil, html_content: nil)
       normalized_headers = normalize_headers(headers)
       findings = []
 
@@ -102,6 +109,24 @@ module Hedra
       # Check security.txt
       findings.concat(@security_txt_checker.check(url, http_client)) if @security_txt_checker && http_client
 
+      # Check Subresource Integrity (SRI)
+      if @sri_checker
+        @sri_checker.instance_variable_set(:@http_client, http_client) if http_client
+        findings.concat(@sri_checker.check(url, html_content))
+      end
+
+      # Check CORS configuration
+      findings.concat(@cors_checker.check(normalized_headers, url)) if @cors_checker
+
+      # Check HTTP/TLS protocol versions
+      findings.concat(@protocol_checker.check(url, response)) if @protocol_checker
+
+      # Check Certificate Transparency
+      findings.concat(@ct_checker.check(url)) if @ct_checker
+
+      # Check DNS security (DNSSEC, CAA)
+      findings.concat(@dns_checker.check(url)) if @dns_checker
+
       # Calculate security score
       score = @scorer.calculate(normalized_headers, findings)
 
@@ -119,9 +144,15 @@ module Hedra
     def normalize_headers(headers)
       normalized = {}
       headers.each do |key, value|
+        next if value.nil? # Skip nil values
+
         normalized_key = key.to_s.downcase
         # Handle array values (multiple header values)
-        normalized_value = value.is_a?(Array) ? value.join(', ') : value.to_s
+        normalized_value = if value.is_a?(Array)
+                             value.compact.join(', ')
+                           else
+                             value.to_s
+                           end
         normalized[normalized_key] = normalized_value
       end
       normalized
@@ -253,30 +284,38 @@ module Hedra
     def apply_custom_rules(headers)
       findings = []
 
-      @custom_rules.each do |rule|
-        header_name = rule['header'].downcase
-        pattern = Regexp.new(rule['pattern']) if rule['pattern']
+      @mutex.synchronize do
+        @custom_rules.each do |rule|
+          header_name = rule['header'].downcase
+          pattern = rule['pattern'] ? Regexp.new(rule['pattern']) : nil
 
-        if rule['type'] == 'missing' && !headers.key?(header_name)
-          findings << {
-            header: header_name,
-            issue: rule['message'],
-            severity: rule['severity'].to_sym,
-            recommended_fix: rule['fix']
-          }
-        elsif rule['type'] == 'pattern' && headers[header_name]
-          if pattern && headers[header_name] =~ pattern
+          if rule['type'] == 'missing' && !headers.key?(header_name)
             findings << {
               header: header_name,
               issue: rule['message'],
               severity: rule['severity'].to_sym,
               recommended_fix: rule['fix']
             }
+          elsif rule['type'] == 'pattern' && headers[header_name]
+            if pattern && headers[header_name] =~ pattern
+              findings << {
+                header: header_name,
+                issue: rule['message'],
+                severity: rule['severity'].to_sym,
+                recommended_fix: rule['fix']
+              }
+            end
           end
         end
       end
 
       findings
     end
+
+    def reload_custom_rules
+      @mutex.synchronize do
+        load_custom_rules
+      end
+    end
   end
 end

data/lib/hedra/banner.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+module Hedra
+  # Display banner and security quotes
+  class Banner
+    SECURITY_QUOTES = [
+      "Security is not a product, but a process. - Bruce Schneier",
+      "The only truly secure system is one that is powered off. - Gene Spafford",
+      "HTTPS everywhere is not optional, it's essential. - Let's Encrypt",
+      "A chain is only as strong as its weakest link. - Security Headers",
+      "Defense in depth: Layer your security like an onion. - OWASP",
+      "CSP is your first line of defense against XSS attacks.",
+      "HSTS ensures your users always connect securely.",
+      "Security headers are the low-hanging fruit of web security.",
+      "TLS 1.3: Faster, stronger, more secure.",
+      "X-Frame-Options: Because clickjacking is still a thing.",
+      "Trust, but verify. Then verify again. - Security Principle",
+      "Security is a journey, not a destination.",
+      "Good security is invisible until it's needed.",
+      "Headers don't lie, but they can tell you everything.",
+      "CORS: Sharing is caring, but be careful who you trust.",
+      "Every header matters. Every connection counts.",
+      "Secure by default, not by accident.",
+      "Your security posture is only as good as your weakest header.",
+      "SSL/TLS: The foundation of web security.",
+      "Content-Security-Policy: Your app's security bouncer."
+    ].freeze
+
+    ASCII_ART = <<~ART
+       _   _          _           
+      | | | | ___  __| |_ __ __ _ 
+      | |_| |/ _ \\/ _` | '__/ _` |
+      |  _  |  __/ (_| | | | (_| |
+      |_| |_|\\___|\\__,_|_|  \\__,_|
+    ART
+
+    def self.show
+      require 'pastel'
+      pastel = Pastel.new
+
+      puts "\n"
+      puts pastel.cyan.bold(ASCII_ART)
+      puts "  #{pastel.bold('Security Header Analyzer')} #{pastel.dim("v#{VERSION}")}"
+      puts "  #{pastel.italic.dim(random_quote)}"
+      puts "\n"
+      puts "  Usage: #{pastel.yellow('hedra')} #{pastel.green('[command]')} #{pastel.dim('[options]')}"
+      puts "  Run '#{pastel.yellow('hedra help')}' for more information"
+      puts "\n"
+    end
+
+    def self.random_quote
+      SECURITY_QUOTES.sample
+    end
+  end
+end

data/lib/hedra/cache.rb

@@ -14,22 +14,38 @@ module Hedra
       @cache_dir = cache_dir || File.join(Config::CONFIG_DIR, 'cache')
       @ttl = ttl
       @verbose = verbose
+      @mutex = Mutex.new # Thread safety for cache operations
+      @memory_cache = {} # In-memory cache to reduce disk I/O
+      @memory_cache_size = 100
       FileUtils.mkdir_p(@cache_dir)
       cleanup_if_needed
     end
 
     def get(key)
-      cache_file = cache_path(key)
-      return nil unless File.exist?(cache_file)
-
-      data = JSON.parse(File.read(cache_file))
-      
-      if expired?(data['timestamp'])
-        File.delete(cache_file) # Clean up expired file immediately
-        return nil
-      end
+      @mutex.synchronize do
+        # Check memory cache first
+        if @memory_cache.key?(key)
+          cached = @memory_cache[key]
+          return cached[:value] unless expired?(cached[:timestamp])
+
+          @memory_cache.delete(key)
+        end
+
+        cache_file = cache_path(key)
+        return nil unless File.exist?(cache_file)
+
+        data = JSON.parse(File.read(cache_file))
 
-      data['value']
+        if expired?(data['timestamp'])
+          File.delete(cache_file) # Clean up expired file immediately
+          return nil
+        end
+
+        # Store in memory cache
+        store_in_memory(key, data['timestamp'], data['value'])
+
+        data['value']
+      end
     rescue JSON::ParserError
       # Corrupted cache file, delete it
       File.delete(cache_file) if File.exist?(cache_file)
@@ -40,24 +56,33 @@ module Hedra
     end
 
     def set(key, value)
-      cache_file = cache_path(key)
-      data = {
-        'timestamp' => Time.now.to_i,
-        'value' => value
-      }
-      
-      # Atomic write to prevent corruption
-      temp_file = "#{cache_file}.tmp"
-      File.write(temp_file, JSON.generate(data))
-      File.rename(temp_file, cache_file)
+      @mutex.synchronize do
+        timestamp = Time.now.to_i
+        cache_file = cache_path(key)
+        data = {
+          'timestamp' => timestamp,
+          'value' => value
+        }
+
+        # Store in memory cache
+        store_in_memory(key, timestamp, value)
+
+        # Atomic write to prevent corruption
+        temp_file = "#{cache_file}.tmp"
+        File.write(temp_file, JSON.generate(data))
+        File.rename(temp_file, cache_file)
+      end
     rescue StandardError => e
       warn "Cache write error: #{e.message}" if @verbose
       File.delete(temp_file) if File.exist?(temp_file)
     end
 
     def clear
-      FileUtils.rm_rf(@cache_dir)
-      FileUtils.mkdir_p(@cache_dir)
+      @mutex.synchronize do
+        @memory_cache.clear
+        FileUtils.rm_rf(@cache_dir)
+        FileUtils.mkdir_p(@cache_dir)
+      end
     end
 
     def clear_expired
@@ -89,5 +114,16 @@ module Hedra
                  .first(cache_files.length - MAX_CACHE_SIZE + 100)
                  .each { |f| File.delete(f) rescue nil }
     end
+
+    def store_in_memory(key, timestamp, value)
+      # Limit memory cache size to prevent memory leaks
+      if @memory_cache.size >= @memory_cache_size
+        # Remove oldest entry
+        oldest_key = @memory_cache.keys.first
+        @memory_cache.delete(oldest_key)
+      end
+
+      @memory_cache[key] = { timestamp: timestamp, value: value }
+    end
   end
 end

data/lib/hedra/circuit_breaker.rb

@@ -16,14 +16,17 @@ module Hedra
       @last_failure_time = nil
       @state = :closed
       @half_open_attempts = 0
+      @mutex = Mutex.new # Thread safety
     end
 
     def call
-      raise CircuitOpenError, 'Circuit breaker is open' if open? && !should_attempt_reset?
+      @mutex.synchronize do
+        raise CircuitOpenError, 'Circuit breaker is open' if open? && !should_attempt_reset?
 
-      if open? && should_attempt_reset?
-        @state = :half_open
-        @half_open_attempts = 0
+        if open? && should_attempt_reset?
+          @state = :half_open
+          @half_open_attempts = 0
+        end
       end
 
       begin
@@ -51,28 +54,34 @@ module Hedra
     private
 
     def on_success
-      if half_open?
-        @half_open_attempts += 1
-        if @half_open_attempts >= HALF_OPEN_ATTEMPTS
-          @state = :closed
+      @mutex.synchronize do
+        if half_open?
+          @half_open_attempts += 1
+          if @half_open_attempts >= HALF_OPEN_ATTEMPTS
+            @state = :closed
+            @failure_count = 0
+          end
+        else
           @failure_count = 0
         end
-      else
-        @failure_count = 0
       end
     end
 
     def on_failure
-      @failure_count += 1
-      @last_failure_time = Time.now
+      @mutex.synchronize do
+        @failure_count += 1
+        @last_failure_time = Time.now
 
-      return unless @failure_count >= @failure_threshold
+        return unless @failure_count >= @failure_threshold
 
-      @state = :open
+        @state = :open
+      end
     end
 
     def should_attempt_reset?
-      @last_failure_time && (Time.now - @last_failure_time) >= @timeout
+      @mutex.synchronize do
+        @last_failure_time && (Time.now - @last_failure_time) >= @timeout
+      end
     end
   end
 

data/lib/hedra/cli.rb

@@ -71,7 +71,8 @@ module Hedra
 
       urls.each do |url|
         response = client.get(url)
-        result = analyzer.analyze(url, response.headers.to_h)
+        headers = safe_headers_to_hash(response.headers)
+        result = analyzer.analyze(url, headers)
         current_results << result
       rescue StandardError => e
         warn "Failed to scan #{url}: #{e.message}"
@@ -155,6 +156,14 @@ module Hedra
       true
     end
 
+    # Override to show banner when no command is given
+    def self.start(given_args = ARGV, config = {})
+      if given_args.empty? || (given_args.length == 1 && %w[-h --help help].include?(given_args.first))
+        Banner.show unless given_args.include?('help')
+      end
+      super
+    end
+
     desc 'scan URL_OR_FILE', 'Scan one or multiple URLs for security headers'
     option :file, type: :boolean, aliases: '-f', desc: 'Treat argument as file with URLs'
     option :concurrency, type: :numeric, aliases: '-c', default: 10, desc: 'Concurrent requests'
@@ -169,6 +178,11 @@ module Hedra
     option :cache_ttl, type: :numeric, default: 3600, desc: 'Cache TTL in seconds'
     option :check_certificates, type: :boolean, default: true, desc: 'Check SSL certificates'
     option :check_security_txt, type: :boolean, default: false, desc: 'Check for security.txt'
+    option :check_sri, type: :boolean, default: false, desc: 'Check Subresource Integrity'
+    option :check_cors, type: :boolean, default: true, desc: 'Check CORS configuration'
+    option :check_protocol, type: :boolean, default: true, desc: 'Check HTTP/TLS protocol versions'
+    option :check_ct, type: :boolean, default: false, desc: 'Check Certificate Transparency'
+    option :check_dns, type: :boolean, default: false, desc: 'Check DNSSEC and CAA records'
     option :save_baseline, type: :string, desc: 'Save results as baseline'
     option :progress, type: :boolean, default: true, desc: 'Show progress bar'
     def scan(target) # rubocop:disable Metrics/AbcSize, Metrics/CyclomaticComplexity, Metrics/PerceivedComplexity
@@ -178,7 +192,12 @@ module Hedra
       client = build_http_client
       analyzer = Analyzer.new(
         check_certificates: options[:check_certificates],
-        check_security_txt: options[:check_security_txt]
+        check_security_txt: options[:check_security_txt],
+        check_sri: options[:check_sri],
+        check_cors: options[:check_cors],
+        check_protocol: options[:check_protocol],
+        check_ct: options[:check_ct],
+        check_dns: options[:check_dns]
       )
       cache = options[:cache] ? Cache.new(ttl: options[:cache_ttl]) : nil
       rate_limiter = options[:rate] ? RateLimiter.new(options[:rate]) : nil
@@ -203,7 +222,9 @@ module Hedra
               log_info("Cache hit: #{url}") if @verbose
             else
               response = client.get(url)
-              result = analyzer.analyze(url, response.headers.to_h, http_client: client)
+              headers = safe_headers_to_hash(response.headers)
+              html_content = response.body.to_s if options[:check_sri]
+              result = analyzer.analyze(url, headers, http_client: client, response: response, html_content: html_content)
               cache&.set(url, result)
             end
 
@@ -238,17 +259,29 @@ module Hedra
     option :timeout, type: :numeric, aliases: '-t', default: 10, desc: 'Request timeout'
     option :check_certificates, type: :boolean, default: true, desc: 'Check SSL certificates'
     option :check_security_txt, type: :boolean, default: true, desc: 'Check for security.txt'
+    option :check_sri, type: :boolean, default: true, desc: 'Check Subresource Integrity'
+    option :check_cors, type: :boolean, default: true, desc: 'Check CORS configuration'
+    option :check_protocol, type: :boolean, default: true, desc: 'Check HTTP/TLS protocol versions'
+    option :check_ct, type: :boolean, default: true, desc: 'Check Certificate Transparency'
+    option :check_dns, type: :boolean, default: true, desc: 'Check DNSSEC and CAA records'
     def audit(url)
       setup_logging
       client = build_http_client
       analyzer = Analyzer.new(
         check_certificates: options[:check_certificates],
-        check_security_txt: options[:check_security_txt]
+        check_security_txt: options[:check_security_txt],
+        check_sri: options[:check_sri],
+        check_cors: options[:check_cors],
+        check_protocol: options[:check_protocol],
+        check_ct: options[:check_ct],
+        check_dns: options[:check_dns]
       )
 
       begin
         response = client.get(url)
-        result = analyzer.analyze(url, response.headers.to_h, http_client: client)
+        headers = safe_headers_to_hash(response.headers)
+        html_content = response.body.to_s if options[:check_sri]
+        result = analyzer.analyze(url, headers, http_client: client, response: response, html_content: html_content)
 
         if options[:json]
           output = JSON.pretty_generate(result)
@@ -281,7 +314,8 @@ module Hedra
       loop do
         begin
           response = client.get(url)
-          result = analyzer.analyze(url, response.headers.to_h)
+          headers = safe_headers_to_hash(response.headers)
+          result = analyzer.analyze(url, headers)
           print_result(result)
         rescue StandardError => e
           log_error("Watch check failed: #{e.message}")
@@ -303,8 +337,10 @@ module Hedra
         response1 = client.get(url1)
         response2 = client.get(url2)
 
-        result1 = analyzer.analyze(url1, response1.headers.to_h)
-        result2 = analyzer.analyze(url2, response2.headers.to_h)
+        headers1 = safe_headers_to_hash(response1.headers)
+        headers2 = safe_headers_to_hash(response2.headers)
+        result1 = analyzer.analyze(url1, headers1)
+        result2 = analyzer.analyze(url2, headers2)
 
         print_comparison(result1, result2)
       rescue StandardError => e
@@ -328,6 +364,11 @@ module Hedra
       say "Exported to #{options[:output]}", :green unless options[:quiet]
     end
 
+    desc 'version', 'Show version information'
+    def version
+      Banner.show
+    end
+
     desc 'plugin SUBCOMMAND', 'Manage plugins'
     subcommand 'plugin', Hedra::PluginCLI
 
@@ -354,7 +395,8 @@ module Hedra
 
       urls.each do |url|
         response = client.get(url)
-        result = analyzer.analyze(url, response.headers.to_h, http_client: client)
+        headers = safe_headers_to_hash(response.headers)
+        result = analyzer.analyze(url, headers, http_client: client)
         results << result
 
         if result[:score] < options[:threshold]
@@ -432,10 +474,7 @@ module Hedra
     end
 
     def valid_url?(url)
-      uri = URI.parse(url)
-      uri.is_a?(URI::HTTP) || uri.is_a?(URI::HTTPS)
-    rescue URI::InvalidURIError
-      false
+      UrlValidator.valid?(url)
     end
 
     def with_concurrency(items, concurrency)
@@ -548,6 +587,21 @@ module Hedra
       puts Pastel.new.cyan("INFO: #{message}")
     end
 
+    def safe_headers_to_hash(headers)
+      return {} if headers.nil?
+
+      # Handle different header object types
+      hash = headers.respond_to?(:to_h) ? headers.to_h : {}
+
+      # Clean up nil values
+      hash.compact.transform_values do |value|
+        value.nil? ? '' : value
+      end
+    rescue StandardError => e
+      log_error("Failed to convert headers: #{e.message}") if @debug
+      {}
+    end
+
     def severity_badge(severity)
       pastel = Pastel.new
       case severity.to_s