@soulofzephir/pi-skill-pentesting 1.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,399 @@
1
+ ---
2
+ name: pentesting
3
+ description: Comprehensive website security testing skill for penetration testing, vulnerability assessment, security headers analysis, port scanning, SQL injection, XSS testing, OWASP Top 10, and SSL/TLS audit. Use when user asks for pentest, security check, security audit, vulnerability scan, header security, port scan, SQL injection, XSS, OWASP, ethical hacking, or bug bounty testing. Generates reports to site/domainname-date.md format.
4
+ ---
5
+
6
+ # 🛡️ Pentesting & Security Check Skill
7
+
8
+ > **AUTHOR:** Rz | **VERSION:** 2.0 | **LAST UPDATED:** 2025-07-05
9
+
10
+ ---
11
+
12
+ ## 📋 CAPABILITIES OVERVIEW
13
+
14
+ This skill provides **COMPREHENSIVE PENTESTING** capabilities:
15
+
16
+ | Category | Coverage | Automated |
17
+ |----------|----------|-----------|
18
+ | **Security Headers** | 9 critical headers | ✅ Script |
19
+ | **Port Scanning** | 20+ common ports | ✅ Nmap/Script |
20
+ | **SQL Injection** | Union, Blind, Time-based | ✅ SQLMap + Manual |
21
+ | **XSS Testing** | Reflected, Stored, DOM | ✅ Payloads + Tools |
22
+ | **Command Injection** | Linux & Windows | ✅ Commix + Manual |
23
+ | **XXE Testing** | Basic, Blind, DoS | ✅ Manual |
24
+ | **OWASP Top 10** | A01-A10 complete | ✅ Checklist |
25
+ | **SSL/TLS Audit** | Certificate & Ciphers | ✅ testssl.sh |
26
+ | **Report Generation** | .md format | ✅ Auto |
27
+
28
+ ---
29
+
30
+ ## 🔔 AUTO-LOAD TRIGGERS
31
+
32
+ This skill auto-loads when user mentions:
33
+ - pentest, pentesting, penetration test
34
+ - security check, security audit, security scan
35
+ - vulnerability scan, vulnerability assessment
36
+ - ethical hacking, bug bounty
37
+ - header security, security headers, CSP, HSTS
38
+ - port scan, open ports, network scan
39
+ - SQL injection, SQLi, XSS, command injection
40
+ - OWASP, OWASP Top 10
41
+ - "test keamanan", "cek security", "audit keamanan"
42
+
43
+ ---
44
+
45
+ ## ⚡ COMPLETE TEST CHECKLIST
46
+
47
+ For a **comprehensive security assessment**, run these tests in order:
48
+
49
+ ### Phase 1: Reconnaissance (Information Gathering)
50
+ ```
51
+ [ ] Domain enumeration (subdomains, WHOIS)
52
+ [ ] Technology fingerprinting (CMS, framework, libraries)
53
+ [ ] Directory enumeration (/admin, /api, /backup)
54
+ [ ] Parameter discovery
55
+ [ ] Social media / leak analysis
56
+ ```
57
+
58
+ ### Phase 2: Security Headers Analysis
59
+ ```
60
+ [ ] Content-Security-Policy (CSP)
61
+ [ ] Strict-Transport-Security (HSTS)
62
+ [ ] X-Content-Type-Options
63
+ [ ] X-Frame-Options
64
+ [ ] Referrer-Policy
65
+ [ ] Permissions-Policy
66
+ [ ] Cache-Control
67
+ [ ] Server header (version hiding)
68
+ [ ] X-Powered-By (tech hiding)
69
+ [ ] Cross-Origin policies (COOP, CORP, COEP)
70
+ ```
71
+
72
+ ### Phase 3: Port & Network Scanning
73
+ ```
74
+ [ ] Full port scan (1-65535)
75
+ [ ] Service version detection
76
+ [ ] High-risk port exposure check:
77
+ [ ] Port 22 (SSH) - brute force, key-only?
78
+ [ ] Port 3306 (MySQL) - remote access?
79
+ [ ] Port 5432 (PostgreSQL) - remote access?
80
+ [ ] Port 27017 (MongoDB) - no-auth?
81
+ [ ] Port 6379 (Redis) - no-auth?
82
+ [ ] Port 11211 (Memcached) - DDoS risk?
83
+ [ ] Port 2375 (Docker) - NEVER expose!
84
+ [ ] Port 9200 (Elasticsearch) - data exposure?
85
+ ```
86
+
87
+ ### Phase 4: SSL/TLS Audit
88
+ ```
89
+ [ ] Certificate validity (not expired, trusted CA)
90
+ [ ] TLS version (no SSLv3, TLS 1.0, TLS 1.1)
91
+ [ ] Weak ciphers disabled?
92
+ [ ] HSTS implementation
93
+ [ ] Certificate chain complete?
94
+ [ ] Self-signed cert check
95
+ [ ] OCSP stapling enabled?
96
+ ```
97
+
98
+ ### Phase 5: Authentication Testing
99
+ ```
100
+ [ ] Login page brute force protection
101
+ [ ] Password policy enforcement
102
+ [ ] MFA availability
103
+ [ ] Session management:
104
+ [ ] Session ID randomness
105
+ [ ] Session timeout
106
+ [ ] HttpOnly cookies
107
+ [ ] Secure cookies
108
+ [ ] SameSite attribute
109
+ [ ] Password reset flow:
110
+ [ ] Token randomness
111
+ [ ] Token expiration
112
+ [ ] Email enumeration
113
+ [ ] Account lockout policy
114
+ [ ] CAPTCHA implementation
115
+ ```
116
+
117
+ ### Phase 6: Injection Testing
118
+ ```
119
+ [ ] SQL Injection:
120
+ [ ] UNION-based
121
+ [ ] Boolean-based blind
122
+ [ ] Time-based blind
123
+ [ ] Error-based
124
+ [ ] Stacked queries
125
+ [ ] XSS (Cross-Site Scripting):
126
+ [ ] Reflected XSS
127
+ [ ] Stored/Persistent XSS
128
+ [ ] DOM-based XSS
129
+ [ ] Polyglot XSS
130
+ [ ] Command Injection:
131
+ [ ] Linux commands
132
+ [ ] Windows commands
133
+ [ ] XXE (XML External Entity)
134
+ [ ] LDAP Injection
135
+ [ ] XPath Injection
136
+ [ ] SSTI (Server-Side Template Injection)
137
+ [ ] SSTRF (Server-Side Request Forgery)
138
+ [ ] Expression Language Injection
139
+ ```
140
+
141
+ ### Phase 7: Business Logic Testing
142
+ ```
143
+ [ ] IDOR (Insecure Direct Object Reference)
144
+ [ ] Horizontal privilege escalation
145
+ [ ] Vertical privilege escalation
146
+ [ ] Price/total manipulation
147
+ [ ] Quantity manipulation
148
+ [ ] Coupon/promotion abuse
149
+ [ ] Race condition (concurrency)
150
+ [ ] Workflow bypass
151
+ [ ] Mass assignment
152
+ ```
153
+
154
+ ### Phase 8: API Security
155
+ ```
156
+ [ ] REST API testing:
157
+ [ ] Authorization bypass
158
+ [ ] Rate limiting
159
+ [ ] Input validation
160
+ [ ] CORS misconfiguration
161
+ [ ] GraphQL testing:
162
+ [ ] Introspection enabled?
163
+ [ ] Query complexity
164
+ [ ] Depth limiting
165
+ [ ] JWT testing:
166
+ [ ] Algorithm confusion
167
+ [ ] Weak secret
168
+ [ ] Token expiration
169
+ [ ] None algorithm
170
+ [ ] API versioning issues
171
+ ```
172
+
173
+ ### Phase 9: OWASP Top 10
174
+ ```
175
+ [ ] A01 - Broken Access Control
176
+ [ ] Vertical privilege escalation
177
+ [ ] Horizontal privilege escalation
178
+ [ ] IDOR
179
+ [ ] CORS misconfiguration
180
+ [ ] A02 - Cryptographic Failures
181
+ [ ] Sensitive data exposure
182
+ [ ] Weak encryption
183
+ [ ] Default crypto
184
+ [ ] Insecure key management
185
+ [ ] A03 - Injection
186
+ [ ] SQL Injection
187
+ [ ] XSS
188
+ [ ] Command Injection
189
+ [ ] LDAP/XXE/XPath
190
+ [ ] A04 - Insecure Design
191
+ [ ] Missing rate limiting
192
+ [ ] Business logic flaws
193
+ [ ] Credential stuffing protection
194
+ [ ] A05 - Security Misconfiguration
195
+ [ ] Default credentials
196
+ [ ] Debug mode
197
+ [ ] Directory listing
198
+ [ ] Unnecessary features
199
+ [ ] Error handling
200
+ [ ] A06 - Vulnerable Components
201
+ [ ] Outdated libraries
202
+ [ ] Known CVEs
203
+ [ ] Unmaintained dependencies
204
+ [ ] A07 - Identification & Auth Failures
205
+ [ ] Weak passwords
206
+ [ ] Session management
207
+ [ ] Credential exposure
208
+ [ ] A08 - Software & Data Integrity
209
+ [ ] Insecure deserialization
210
+ [ ] CI/CD issues
211
+ [ ] Auto-update integrity
212
+ [ ] A09 - Logging & Monitoring
213
+ [ ] No audit logging
214
+ [ ] Failed login tracking
215
+ [ ] Alert fatigue
216
+ [ ] A10 - SSRF
217
+ [ ] URL validation bypass
218
+ [ ] Internal network access
219
+ [ ] Cloud metadata access
220
+ ```
221
+
222
+ ### Phase 10: Client-Side Testing
223
+ ```
224
+ [ ] CORS misconfiguration
225
+ [ ] WebSocket testing
226
+ [ ] WebRTC leakage
227
+ [ ] Service Worker security
228
+ [ ] Browser storage (localStorage, sessionStorage)
229
+ [ ] Cookies security attributes
230
+ [ ] JWT in localStorage vs HttpOnly cookie
231
+ ```
232
+
233
+ ---
234
+
235
+ ## ⚡ WORKFLOW (Follow in Order)
236
+
237
+ ### Step 1: Confirm Scope
238
+ ```
239
+ 1. Target URL/IP: [user input]
240
+ 2. Testing type: [Full / Targeted]
241
+ 3. Authorization: [User owns this / Has permission]
242
+ ```
243
+
244
+ ### Step 2: Run Tests (follow Complete Test Checklist above)
245
+
246
+ ### Step 3: Generate Report
247
+
248
+ **IMPORTANT:** Always save report to:
249
+ ```
250
+ site/[domain]-[YYYY-MM-DD].md
251
+ ```
252
+
253
+ Example:
254
+ ```
255
+ site/example.com-2025-07-05.md
256
+ site/api.target.com-2025-07-05.md
257
+ site/subdomain.target.com-2025-07-05.md
258
+ ```
259
+
260
+ ---
261
+
262
+ ## 🔧 TOOLS & SCRIPTS
263
+
264
+ Scripts available in `tools/`:
265
+ ```
266
+ tools/
267
+ ├── header-scan.sh # Linux/Mac headers
268
+ ├── header-scan.ps1 # Windows headers
269
+ └── security-scan.ps1 # Windows ALL-IN-ONE
270
+ ```
271
+
272
+ Checklists available in `checklists/`:
273
+ ```
274
+ checklists/
275
+ ├── headers.md # 9 headers detail
276
+ ├── owasp.md # OWASP Top 10
277
+ ├── ports.md # Port scanning
278
+ └── injection.md # All injection types
279
+ ```
280
+
281
+ ---
282
+
283
+ ## 🚀 QUICK COMMANDS
284
+
285
+ ### Security Headers
286
+ ```bash
287
+ # Linux/Mac
288
+ chmod +x tools/header-scan.sh
289
+ ./tools/header-scan.sh https://target.com
290
+
291
+ # Windows PowerShell
292
+ .\tools\header-scan.ps1 -Target https://target.com
293
+ ```
294
+
295
+ ### Port Scanning
296
+ ```bash
297
+ # Nmap quick
298
+ nmap -sV -p 21,22,80,443,3306,5432,8080 target.com
299
+
300
+ # Full scan
301
+ nmap -p- -sV target.com
302
+
303
+ # Nmap with scripts
304
+ nmap -sC -sV -p- target.com
305
+ ```
306
+
307
+ ### Vulnerability Scanning
308
+ ```bash
309
+ # Nuclei
310
+ nuclei -u https://target.com
311
+
312
+ # SQLMap
313
+ sqlmap -u "https://target.com/search?q=1" --batch
314
+
315
+ # Dalfox XSS
316
+ dalfox url https://target.com/search?q=test
317
+
318
+ # Commix
319
+ commix -u "http://target.com/ping?ip=127.0.0.1"
320
+ ```
321
+
322
+ ### Full Scan
323
+ ```powershell
324
+ # Windows - All in one
325
+ .\tools\security-scan.ps1 -Target https://target.com
326
+ ```
327
+
328
+ ---
329
+
330
+ ## 📊 OUTPUT FORMAT
331
+
332
+ ### Header Score (0-100)
333
+ ```
334
+ A (90-100): Excellent
335
+ B (70-89): Good
336
+ C (50-69): Needs Improvement
337
+ D (30-49): Poor
338
+ F (0-29): Critical
339
+ ```
340
+
341
+ ### Vulnerability Severity
342
+ ```
343
+ 🔴 CRITICAL → Fix immediately
344
+ 🟠 HIGH → Fix within 1 week
345
+ 🟡 MEDIUM → Fix within 1 month
346
+ 🟢 LOW/INFO → Fix when possible
347
+ ```
348
+
349
+ ### Report File
350
+ **Format:** `site/[domain]-[YYYY-MM-DD].md`
351
+
352
+ ---
353
+
354
+ ## ⚠️ IMPORTANT REMINDERS
355
+
356
+ 1. **ONLY test targets you own or have written permission for**
357
+ 2. **Document all findings with evidence**
358
+ 3. **Use responsible disclosure for bugs found**
359
+ 4. **Respect rate limits to avoid DoS**
360
+ 5. **Always save reports to site/[domain]-[date].md**
361
+
362
+ ---
363
+
364
+ ## 🆘 HELP COMMANDS
365
+
366
+ If user asks:
367
+ - "apa bisa ini?" → Show CAPABILITIES OVERVIEW
368
+ - "cara pakai" → Show QUICK COMMANDS
369
+ - "test sekarang" → Start the test workflow
370
+ - "check [target]" → Start security scan + save to site/[domain]-[date].md
371
+ - "scan headers" → Run header scan
372
+ - "test SQL injection" → Load SQLi payloads
373
+ - "complete checklist" → Show COMPLETE TEST CHECKLIST
374
+
375
+ ---
376
+
377
+ ## 📝 EXAMPLES OF TRIGGER PHRASES
378
+
379
+ ```
380
+ User: "pentest untuk website ini: example.com"
381
+ → Load SKILL → Start full pentest workflow → Generate site/example.com-2025-07-05.md
382
+
383
+ User: "security audit untuk target.com"
384
+ → Load SKILL → Run all tests → Generate site/target.com-2025-07-05.md
385
+
386
+ User: "OWASP check untuk API"
387
+ → Load SKILL → Run OWASP Top 10 checklist
388
+
389
+ User: "scan subdomain ini: api.target.com"
390
+ → Load SKILL → Run all tests → Generate site/api.target.com-2025-07-05.md
391
+ ```
392
+
393
+ ---
394
+
395
+ ## ✅ SKILL READY
396
+
397
+ **Status:** ACTIVE & READY FOR USE
398
+ **Version:** 2.0
399
+ **Author:** Rz (@soulofzephir)
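Review bot: Step 1 "Confirm Scope" (file lines 237-242) records authorization as a free-text field, but nothing in the workflow gates Step 2 or the QUICK COMMANDS on it; make the authorization answer a hard stop (no scan command runs until it is filled in) and copy it into the header of the generated `site/[domain]-[date].md` report so the evidence of permission is stored next to the findings. Smaller points in the same file: line 137 reads `SSTRF (Server-Side Request Forgery)` and should read `SSRF`, and the same item already appears as A10 in Phase 9, so one of the two can reference the other; the capabilities table promises "9 critical headers" while Phase 2 lists ten items and omits X-XSS-Protection, which the checklists/headers.md file does cover, so the two lists should be reconciled; the quick commands all use `target.com`, a registered third-party domain, whereas the report examples on line 255 already use the reserved `example.com`, so switching the commands to a reserved name avoids copy-pasted scans reaching someone else's host; the banner says `VERSION: 2.0` but the package is published as 1.0.0, so one of the two should be corrected.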
@@ -0,0 +1,286 @@
1
+ # Security Headers Checklist
2
+
3
+ ## 🔒 Critical Security Headers
4
+
5
+ ### 1. Content-Security-Policy (CSP)
6
+
7
+ **Purpose:** Prevent XSS, clickjacking, data injection
8
+
9
+ **Good Example:**
10
+ ```
11
+ Content-Security-Policy:
12
+ default-src 'self';
13
+ script-src 'self' 'nonce-random123';
14
+ style-src 'self' https://fonts.googleapis.com;
15
+ img-src 'self' data: https:;
16
+ font-src 'self' https://fonts.gstatic.com;
17
+ connect-src 'self';
18
+ frame-ancestors 'none';
19
+ base-uri 'self';
20
+ form-action 'self'
21
+ ```
22
+
23
+ **What to Check:**
24
+ - [ ] `default-src 'self'` or restrictive source
25
+ - [ ] No `unsafe-inline` in script-src (XSS risk!)
26
+ - [ ] No `unsafe-eval` in script-src
27
+ - [ ] `frame-ancestors 'none'` or `'self'`
28
+ - [ ] `base-uri` restricted
29
+ - [ ] `form-action` limited
30
+
31
+ **Red Flags:**
32
+ ```diff
33
+ - script-src 'unsafe-inline' 'unsafe-eval'
34
+ - default-src *
35
+ - style-src *
36
+ ```
37
+
38
+ ---
39
+
40
+ ### 2. Strict-Transport-Security (HSTS)
41
+
42
+ **Purpose:** Force HTTPS, prevent protocol downgrade
43
+
44
+ **Good Example:**
45
+ ```
46
+ Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
47
+ ```
48
+
49
+ **What to Check:**
50
+ - [ ] `max-age` minimum 31536000 (1 year)
51
+ - [ ] `includeSubDomains` present
52
+ - [ ] `preload` for maximum protection
53
+
54
+ **Red Flags:**
55
+ ```diff
56
+ - max-age=0
57
+ - Missing header entirely
58
+ ```
59
+
60
+ ---
61
+
62
+ ### 3. X-Content-Type-Options
63
+
64
+ **Purpose:** Prevent MIME sniffing
65
+
66
+ **Good:**
67
+ ```
68
+ X-Content-Type-Options: nosniff
69
+ ```
70
+
71
+ **Check:**
72
+ - [ ] Must be exactly "nosniff"
73
+ - [ ] Should not be missing
74
+
75
+ ---
76
+
77
+ ### 4. X-Frame-Options
78
+
79
+ **Purpose:** Prevent clickjacking
80
+
81
+ **Good:**
82
+ ```
83
+ X-Frame-Options: DENY
84
+ # or
85
+ X-Frame-Options: SAMEORIGIN
86
+ ```
87
+
88
+ **What to Check:**
89
+ - [ ] Not set to ALLOWALL (dangerous!)
90
+ - [ ] Missing = vulnerable
91
+
92
+ **Red Flags:**
93
+ ```diff
94
+ - X-Frame-Options: ALLOWALL
95
+ ```
96
+
97
+ ---
98
+
99
+ ### 5. X-XSS-Protection
100
+
101
+ **Purpose:** Legacy browser XSS filter (deprecated but still useful)
102
+
103
+ **Good:**
104
+ ```
105
+ X-XSS-Protection: 1; mode=block
106
+ ```
107
+
108
+ **What to Check:**
109
+ - [ ] Set to `1; mode=block` not just `0` (disabled)
110
+
111
+ ---
112
+
113
+ ### 6. Referrer-Policy
114
+
115
+ **Purpose:** Control referrer information leakage
116
+
117
+ **Good:**
118
+ ```
119
+ Referrer-Policy: strict-origin-when-cross-origin
120
+ # or stricter:
121
+ Referrer-Policy: no-referrer
122
+ ```
123
+
124
+ **What to Check:**
125
+ - [ ] Not `no-referrer-when-downgrade` (leaks HTTPS→HTTP)
126
+ - [ ] Not `unsafe-url` (leaks everything!)
127
+
128
+ **Ranking (best to worst):**
129
+ 1. `no-referrer`
130
+ 2. `strict-origin-when-cross-origin`
131
+ 3. `same-origin`
132
+ 4. `origin`
133
+ 5. `strict-origin`
134
+ 6. `no-referrer-when-downgrade` ⚠️
135
+ 7. `origin-when-cross-origin`
136
+ 8. `unsafe-url` ❌
137
+
138
+ ---
139
+
140
+ ### 7. Permissions-Policy (formerly Feature-Policy)
141
+
142
+ **Purpose:** Disable dangerous browser features
143
+
144
+ **Good:**
145
+ ```
146
+ Permissions-Policy:
147
+ geolocation=(),
148
+ microphone=(),
149
+ camera=(),
150
+ payment=(self)
151
+ ```
152
+
153
+ **What to Check:**
154
+ - [ ] Camera/microphone disabled if not needed
155
+ - [ ] Geolocation restricted
156
+ - [ ] USB not exposed
157
+ - [ ] No autoplay audio
158
+
159
+ ---
160
+
161
+ ### 8. Cache-Control
162
+
163
+ **Purpose:** Prevent sensitive data caching
164
+
165
+ **For sensitive pages:**
166
+ ```
167
+ Cache-Control: no-store, no-cache, must-revalidate, private
168
+ Pragma: no-cache
169
+ ```
170
+
171
+ **Check:**
172
+ - [ ] Login pages = no-store
173
+ - [ ] User data pages = no-store
174
+ - [ ] API responses with PII = no-store
175
+
176
+ ---
177
+
178
+ ### 9. Cross-Origin Policies
179
+
180
+ ```
181
+ Cross-Origin-Opener-Policy: same-origin
182
+ Cross-Origin-Resource-Policy: same-origin
183
+ Cross-Origin-Embedder-Policy: require-corp
184
+ ```
185
+
186
+ ---
187
+
188
+ ## ⚠️ Information Leakage Headers (Should NOT expose)
189
+
190
+ ### Server Information
191
+
192
+ **Bad (reveals version):**
193
+ ```
194
+ Server: Apache/2.4.41 (Ubuntu) OpenSSL/1.1.1f
195
+ X-Powered-By: PHP/7.4.3
196
+ X-AspNet-Version: 4.0.30319
197
+ ```
198
+
199
+ **Good:**
200
+ ```
201
+ Server: nginx
202
+ # or
203
+ Server: Apache
204
+ ```
205
+
206
+ **Check:**
207
+ - [ ] Server header generic (no version)
208
+ - [ ] X-Powered-By removed or hidden
209
+ - [ ] X-AspNet-Version removed
210
+
211
+ ---
212
+
213
+ ## 📊 Header Security Score Calculation
214
+
215
+ | Header | Points |
216
+ |--------|--------|
217
+ | CSP (strict) | 20 |
218
+ | HSTS (max-age ≥ 31536000) | 15 |
219
+ | X-Content-Type-Options | 10 |
220
+ | X-Frame-Options | 10 |
221
+ | Referrer-Policy (strict) | 10 |
222
+ | Permissions-Policy | 10 |
223
+ | Cache-Control (sensitive pages) | 10 |
224
+ | No info leakage (Server, X-Powered-By) | 15 |
225
+
226
+ **Score:**
227
+ - 90-100: A (Excellent)
228
+ - 70-89: B (Good)
229
+ - 50-69: C (Needs improvement)
230
+ - 30-49: D (Poor)
231
+ - 0-29: F (Critical issues)
232
+
233
+ ---
234
+
235
+ ## 🔧 Quick Test Commands
236
+
237
+ ```bash
238
+ # Check all headers
239
+ curl -I -s https://target.com
240
+
241
+ # Specific header check
242
+ curl -sD - https://target.com | grep -iE "csp|hsts|x-frame|x-content|server"
243
+
244
+ # Full verbose
245
+ curl -v -s https://target.com 2>&1 | grep -iE "^< |server|x-powered"
246
+
247
+ # Check CSP with report-uri
248
+ curl -s https://target.com -I | grep -i content-security
249
+
250
+ # Test missing headers script
251
+ #!/bin/bash
252
+ TARGET=$1
253
+ echo "Checking headers for: $TARGET"
254
+ curl -I -s $TARGET | awk '/^HTTP/ {print "\n["$0"]"}
255
+ /[Ss]erver/ {print "⚠️ "$0}
256
+ /[Xx]-[Pp]owered/ {print "⚠️ "$0}
257
+ /[Ss]trict-[Tt]ransport/ {print "✅ "$0}
258
+ /[Xx]-[Cc]ontent-[Tt]ype/ {print "✅ "$0}
259
+ /[Xx]-[Ff]rame/ {print "✅ "$0}
260
+ /[Cc]ontent-[Ss]ecurity/ {print "✅ "$0}
261
+ /[Rr]eferrer/ {print "✅ "$0}
262
+ '
263
+ ```
264
+
265
+ ---
266
+
267
+ ## 📋 Header Remediation Quick Reference
268
+
269
+ | Header | Apache (.htaccess) | Nginx |
270
+ |--------|-------------------|-------|
271
+ | CSP | Header set Content-Security-Policy "..." | add_header Content-Security-Policy "..."; |
272
+ | HSTS | Header always set Strict-Transport-Security "max-age=..." | add_header Strict-Transport-Security "max-age=..."; |
273
+ | X-Frame | Header set X-Frame-Options "DENY" | add_header X-Frame-Options "DENY"; |
274
+ | X-Content-Type | Header set X-Content-Type-Options "nosniff" | add_header X-Content-Type-Options "nosniff"; |
275
+ | Remove Server | Header unset Server | server_tokens off; |
276
+ | Remove X-Powered-By | Header unset X-Powered-By | fastcgi_hide_header X-Powered-By; |
277
+
278
+ ---
279
+
280
+ ## 🛡️ Tools for Header Analysis
281
+
282
+ 1. **securityheaders.com** - Online scanner with grade
283
+ 2. **observatory.mozilla.org** - Mozilla's header analyzer
284
+ 3. **csp-evaluator.google** - CSP specifically
285
+ 4. **ssllabs.com** - SSL/TLS + some headers
286
+ 5. **curl** - Manual check
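Review bot: the "Specific header check" on file line 242, `curl -sD - https://target.com | grep -iE "csp|hsts|x-frame|x-content|server"`, never matches the two most important headers, because the wire names are `Content-Security-Policy` and `Strict-Transport-Security`; the patterns `csp` and `hsts` should be `content-security|strict-transport`. The awk script on lines 254-262 only tests for presence and prints ✅ for any value, so `X-Frame-Options: ALLOWALL` or a CSP containing `'unsafe-inline'` (both listed as Red Flags above) would still pass, and it prints ⚠️ for every `Server:` line, including the generic `Server: nginx` that line 201 calls good; either compare values against the checklist or label the output "present" rather than a pass mark. Section 5 recommends `X-XSS-Protection: 1; mode=block`; the auditor behind that header has been removed from Chromium-based browsers and was never implemented in Firefox, and current OWASP and MDN guidance is to set it to `0` or omit it and rely on CSP, so the checklist should not reward `1; mode=block`. Section 1 should add a check that the nonce is regenerated for every response, since a fixed value like the example's `'nonce-random123'` is equivalent to `'unsafe-inline'`. In the Referrer-Policy ranking (lines 129-136) `strict-origin` should sit above `origin`, as it is the same policy minus the origin leak on an HTTPS to HTTP downgrade. In the remediation table, use `Header always set` and `add_header ... always;` for every header, not only HSTS, or the headers will be absent from non-2xx responses; and `Header unset Server` does not remove Apache's Server header, which the core adds after mod_headers has run, so `ServerTokens Prod` (giving the `Server: Apache` shown on line 203) is the realistic Apache-side option.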