headerhawk 1.0.0__py3-none-any.whl

cli/main.py

@@ -0,0 +1,114 @@
+import argparse
+import sys
+from rich.console import Console
+from rich.table import Table
+from core.scanner import get_headers
+from core.analyzer import analyze
+
+console = Console()
+
+BANNER = r"""
+ _   _                _             _   _               _    
+| | | | ___  __ _  __| | ___ _ __  | | | | __ ___      | | __
+| |_| |/ _ \/ _` |/ _` |/ _ \ '__| | |_| |/ _` \ \ /\ / / |/ /
+|  _  |  __/ (_| | (_| |  __/ |    |  _  | (_| |\ V  V /|   < 
+|_| |_|\___|\__,_|\__,_|\___|_|    |_| |_|\__,_| \_/\_/ |_|\_\
+"""
+
+RISK_COLORS = {
+    "Critical": "bold red",
+    "High": "bold yellow",
+    "Medium": "bold blue"
+}
+
+def print_banner():
+    console.print(f"[cyan]{BANNER}[/cyan]")
+    console.print("[bold white]        Security Header Analyzer — by Sachin Singh[/bold white]")
+    console.print("[dim]        github.com/sachinsinsinwar/headerhawk[/dim]\n")
+
+def print_results(result, findings, score, info_disclosure, fail_on=None):
+    console.print(f"\n[bold]Target:[/bold] {result['url']}")
+    console.print(f"[bold]Status Code:[/bold] {result['status_code']}")
+
+    score_color = "green" if score >= 70 else "yellow" if score >= 40 else "red"
+    console.print(f"[bold]Security Score:[/bold] [{score_color}]{score}/100[/{score_color}]\n")
+
+    table = Table(show_header=True, header_style="bold cyan", expand=True)
+    table.add_column("Header", style="dim", width=35)
+    table.add_column("Status", width=10)
+    table.add_column("Risk", width=10)
+    table.add_column("Attack Scenario")
+
+    fail = False
+    for f in findings:
+        if f["status"] == "MISSING":
+            status = "[red]MISSING[/red]"
+            attack = f["attack"]
+            risk_style = RISK_COLORS.get(f["risk"], "white")
+            risk = f"[{risk_style}]{f['risk']}[/{risk_style}]"
+            if fail_on and f["risk"].lower() == fail_on.lower():
+                fail = True
+        else:
+            status = "[green]PRESENT[/green]"
+            attack = "[dim]—[/dim]"
+            risk_style = RISK_COLORS.get(f["risk"], "white")
+            risk = f"[{risk_style}]{f['risk']}[/{risk_style}]"
+
+        table.add_row(f["header"], status, risk, attack)
+
+    console.print(table)
+
+    if info_disclosure:
+        console.print("\n[bold red]Info Disclosure Detected:[/bold red]")
+        for item in info_disclosure:
+            console.print(f"  [yellow]{item}[/yellow]")
+
+    if fail:
+        console.print(f"\n[bold red]FAIL: Critical headers missing. Exiting with code 1.[/bold red]")
+        sys.exit(1)
+
+def main():
+    print_banner()
+
+    parser = argparse.ArgumentParser(
+        prog="headerhawk",
+        description="Security Header Analyzer — HeaderHawk"
+    )
+    parser.add_argument("--url", required=True, help="Target URL to scan")
+    parser.add_argument("--report", choices=["html"], help="Generate report (html)")
+    parser.add_argument("--fail-on", choices=["critical", "high", "medium"],
+                        help="Exit with code 1 if this risk level is found missing (for CI/CD)")
+
+    args = parser.parse_args()
+
+    console.print(f"[dim]Scanning {args.url} ...[/dim]\n")
+
+    result = get_headers(args.url)
+
+    if "error" in result:
+        console.print(f"[bold red]Error:[/bold red] {result['error']}")
+        sys.exit(1)
+
+    analysis = analyze(result["headers"])
+
+    print_results(
+        result,
+        analysis["findings"],
+        analysis["score"],
+        analysis["info_disclosure"],
+        fail_on=args.fail_on
+    )
+
+    if args.report == "html":
+        from reports.html_report import generate
+        filename = generate(
+            result["url"],
+            result["status_code"],
+            analysis["score"],
+            analysis["findings"],
+            analysis["info_disclosure"]
+        )
+        console.print(f"\n[bold green]HTML report saved:[/bold green] {filename}")
+
+if __name__ == "__main__":
+    main()

core/analyzer.py

@@ -0,0 +1,74 @@
+HEADERS_TO_CHECK = {
+    "strict-transport-security": {
+        "risk": "Critical",
+        "attack": "SSL stripping / MITM — attacker intercepts and downgrades HTTPS to HTTP"
+    },
+    "content-security-policy": {
+        "risk": "Critical",
+        "attack": "XSS — attacker injects malicious scripts, steals session cookies"
+    },
+    "access-control-allow-origin": {
+        "risk": "Critical",
+        "attack": "CORS misconfiguration — cross-origin requests steal authenticated data"
+    },
+    "x-frame-options": {
+        "risk": "High",
+        "attack": "Clickjacking — attacker embeds site in iframe, tricks user into clicking"
+    },
+    "x-content-type-options": {
+        "risk": "High",
+        "attack": "MIME sniffing — browser executes uploaded files as scripts"
+    },
+    "referrer-policy": {
+        "risk": "Medium",
+        "attack": "URL data leakage — sensitive tokens in URL leak to third parties"
+    },
+    "permissions-policy": {
+        "risk": "Medium",
+        "attack": "Feature abuse — unauthorized access to camera, mic, location"
+    },
+    "cache-control": {
+        "risk": "Medium",
+        "attack": "Sensitive data cached — auth pages found in shared/public browsers"
+    },
+    "x-xss-protection": {
+        "risk": "Medium",
+        "attack": "Reflected XSS — exploits legacy browsers without XSS filter"
+    },
+}
+
+RISK_SCORE = {"Critical": 30, "High": 15, "Medium": 5}
+
+def analyze(headers):
+    headers_lower = {k.lower(): v for k, v in headers.items()}
+    findings = []
+    score = 100
+
+    for header, info in HEADERS_TO_CHECK.items():
+        if header not in headers_lower:
+            findings.append({
+                "header": header,
+                "status": "MISSING",
+                "risk": info["risk"],
+                "attack": info["attack"]
+            })
+            score -= RISK_SCORE[info["risk"]]
+        else:
+            findings.append({
+                "header": header,
+                "status": "PRESENT",
+                "risk": info["risk"],
+                "value": headers_lower[header],
+                "attack": ""
+            })
+
+    info_disclosure = []
+    for h in ["server", "x-powered-by", "x-aspnet-version"]:
+        if h in headers_lower:
+            info_disclosure.append(f"{h}: {headers_lower[h]}")
+
+    return {
+        "findings": findings,
+        "score": max(score, 0),
+        "info_disclosure": info_disclosure
+    }

core/scanner.py

@@ -0,0 +1,30 @@
+import requests
+
+def get_headers(url):
+    if not url.startswith("http"):
+        url = "https://" + url
+
+    try:
+        response = requests.get(
+            url,
+            timeout=10,
+            allow_redirects=True,
+            headers={"User-Agent": "HeaderHawk/1.0 Security Scanner"}
+        )
+        return {
+            "url": url,
+            "status_code": response.status_code,
+            "headers": dict(response.headers)
+        }
+    except requests.exceptions.SSLError:
+        try:
+            response = requests.get(url, timeout=10, verify=False)
+            return {
+                "url": url,
+                "status_code": response.status_code,
+                "headers": dict(response.headers)
+            }
+        except Exception as e:
+            return {"url": url, "error": str(e)}
+    except Exception as e:
+        return {"url": url, "error": str(e)}

headerhawk-1.0.0.dist-info/METADATA

@@ -0,0 +1,132 @@
+Metadata-Version: 2.4
+Name: headerhawk
+Version: 1.0.0
+Summary: Security Header Analyzer — CLI tool for pentesters, DevOps and developers
+Home-page: https://github.com/sachinsinsinwar/headerhawk
+Author: Sachin Singh
+Author-email: sachinsinsinwar8@gmail.com
+Classifier: Programming Language :: Python :: 3
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Operating System :: OS Independent
+Classifier: Topic :: Security
+Requires-Python: >=3.8
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: requests
+Requires-Dist: rich
+Dynamic: author
+Dynamic: author-email
+Dynamic: classifier
+Dynamic: description
+Dynamic: description-content-type
+Dynamic: home-page
+Dynamic: license-file
+Dynamic: requires-dist
+Dynamic: requires-python
+Dynamic: summary
+
+# 🦅 HeaderHawk
+
+> Security Header Analyzer — Built for Pentesters, DevOps, and Developers
+
+![Python](https://img.shields.io/badge/Python-3.8+-blue)
+![License](https://img.shields.io/badge/License-MIT-green)
+![Platform](https://img.shields.io/badge/Platform-Kali%20Linux-red)
+
+HeaderHawk scans any website for missing HTTP security headers, assigns risk scores, explains real attack scenarios, and generates shareable HTML reports.
+
+---
+
+## Features
+
+- Checks 9 critical security headers
+- Risk scoring — Critical / High / Medium
+- Shows real attack scenario for each missing header
+- Detects server info disclosure (version leakage)
+- Generates HTML report
+- CI/CD ready — fail builds on missing critical headers
+- Works on Kali Linux, Ubuntu, macOS
+
+---
+
+## Installation
+
+\`\`\`bash
+git clone https://github.com/sachinsinsinwar/headerhawk.git
+cd headerhawk
+pip install -r requirements.txt
+\`\`\`
+
+---
+
+## Usage
+
+\`\`\`bash
+# Basic scan
+python -m cli.main --url https://target.com
+
+# Generate HTML report
+python -m cli.main --url https://target.com --report html
+
+# CI/CD — exit code 1 if critical headers missing
+python -m cli.main --url https://target.com --fail-on critical
+
+# Help
+python -m cli.main -h
+\`\`\`
+
+---
+
+## Example Output
+
+\`\`\`
+Target: https://example.com
+Status Code: 200
+Security Score: 30/100
+
+Header                        Status    Risk      Attack Scenario
+strict-transport-security     PRESENT   Critical  —
+content-security-policy       MISSING   Critical  XSS — attacker injects malicious scripts
+x-frame-options               MISSING   High      Clickjacking — attacker embeds site in iframe
+\`\`\`
+
+---
+
+## Headers Checked
+
+| Header | Risk | Attack if Missing |
+|---|---|---|
+| Strict-Transport-Security | Critical | SSL stripping / MITM |
+| Content-Security-Policy | Critical | XSS attacks |
+| Access-Control-Allow-Origin | Critical | CORS misconfiguration |
+| X-Frame-Options | High | Clickjacking |
+| X-Content-Type-Options | High | MIME sniffing |
+| Referrer-Policy | Medium | URL data leakage |
+| Permissions-Policy | Medium | Feature abuse |
+| Cache-Control | Medium | Sensitive data cached |
+| X-XSS-Protection | Medium | Reflected XSS |
+
+---
+
+## Who Is This For
+
+**Pentester / Attacker** — Recon phase. Find missing headers on target, understand what attacks are possible.
+
+**Security Engineer** — Scan UAT before formal VAPT. Fix issues before the auditor finds them.
+
+**DevOps** — Add to GitHub Actions pipeline. Block deployments if critical headers are missing.
+
+**Developer** — Compare staging vs production. Catch header mismatches before release.
+
+---
+
+## Created By
+
+**Sachin Singh** — DevSecOps Engineer  
+[LinkedIn](https://linkedin.com/in/sachin-sinsinwar) | [GitHub](https://github.com/sachinsinsinwar)
+
+---
+
+## License
+
+MIT

headerhawk-1.0.0.dist-info/RECORD

@@ -0,0 +1,13 @@
+cli/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+cli/main.py,sha256=Pgii1sFSjwCQwerdjuISCBZYdGb32wbLlL1U4lDkxPs,3861
+core/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+core/analyzer.py,sha256=UQ3hdvhoRT14fKFJ38Z4TR1hFcvhKFa8J-zlT9jP_e4,2436
+core/scanner.py,sha256=tm55spCtT3_nPB7p44_f6O5bBKsCCH65KzeTELJFiz8,888
+headerhawk-1.0.0.dist-info/licenses/LICENSE,sha256=RTjaMY6agKhubZhwFNAGCTpHi0URXcZ-BY2JdxeFXL4,1069
+reports/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+reports/html_report.py,sha256=g7mxYvHID4_AbHylLR3yPMj8n5lro-O0af4tlirruks,3185
+headerhawk-1.0.0.dist-info/METADATA,sha256=AFuUZR5gwi_KILm6kesdeuScm-qJRRHUcS7By70UzFU,3584
+headerhawk-1.0.0.dist-info/WHEEL,sha256=aeYiig01lYGDzBgS8HxWXOg3uV61G9ijOsup-k9o1sk,91
+headerhawk-1.0.0.dist-info/entry_points.txt,sha256=8846y2EhFi6FknOucVYJTiOsprOmlTCmm6RRcfFlHEI,45
+headerhawk-1.0.0.dist-info/top_level.txt,sha256=gWIaEdhcLuYg-bcox8iKbPZ-fw1zwGXyRWJxWk2wP_w,17
+headerhawk-1.0.0.dist-info/RECORD,,

headerhawk-1.0.0.dist-info/WHEEL

@@ -0,0 +1,5 @@
+Wheel-Version: 1.0
+Generator: setuptools (82.0.1)
+Root-Is-Purelib: true
+Tag: py3-none-any
+

headerhawk-1.0.0.dist-info/entry_points.txt

@@ -0,0 +1,2 @@
+[console_scripts]
+headerhawk = cli.main:main

headerhawk-1.0.0.dist-info/licenses/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Sachin Singh
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

headerhawk-1.0.0.dist-info/top_level.txt

@@ -0,0 +1,3 @@
+cli
+core
+reports

reports/html_report.py

@@ -0,0 +1,81 @@
+from datetime import datetime
+
+RISK_COLORS = {
+    "Critical": "#ff4444",
+    "High": "#ff9900",
+    "Medium": "#3399ff"
+}
+
+def generate(url, status_code, score, findings, info_disclosure):
+    now = datetime.now().strftime("%Y-%m-%d %H:%M:%S")
+    score_color = "#44ff88" if score >= 70 else "#ff9900" if score >= 40 else "#ff4444"
+
+    rows = ""
+    for f in findings:
+        status_color = "#44ff88" if f["status"] == "PRESENT" else "#ff4444"
+        risk_color = RISK_COLORS.get(f["risk"], "#ffffff")
+        attack = f["attack"] if f["attack"] else "—"
+        rows += f"""
+        <tr>
+            <td>{f['header']}</td>
+            <td style="color:{status_color};font-weight:bold">{f['status']}</td>
+            <td style="color:{risk_color};font-weight:bold">{f['risk']}</td>
+            <td>{attack}</td>
+        </tr>"""
+
+    disclosure_html = ""
+    if info_disclosure:
+        items = "".join(f"<li>{i}</li>" for i in info_disclosure)
+        disclosure_html = f"""
+        <div class="disclosure">
+            <h3>⚠ Info Disclosure Detected</h3>
+            <ul>{items}</ul>
+        </div>"""
+
+    html = f"""<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<title>HeaderHawk Report — {url}</title>
+<style>
+  body {{ font-family: 'Segoe UI', sans-serif; background: #0d1117; color: #e6edf3; margin: 0; padding: 2rem; }}
+  h1 {{ color: #58a6ff; font-size: 1.8rem; margin-bottom: 0.2rem; }}
+  .meta {{ color: #8b949e; font-size: 13px; margin-bottom: 2rem; }}
+  .score {{ font-size: 3rem; font-weight: bold; color: {score_color}; }}
+  .score-label {{ color: #8b949e; font-size: 13px; margin-bottom: 2rem; }}
+  table {{ width: 100%; border-collapse: collapse; margin-top: 1rem; }}
+  th {{ background: #161b22; color: #58a6ff; padding: 10px 14px; text-align: left; font-size: 12px; text-transform: uppercase; letter-spacing: 0.05em; }}
+  td {{ padding: 10px 14px; border-bottom: 1px solid #21262d; font-size: 13px; vertical-align: top; }}
+  tr:hover {{ background: #161b22; }}
+  .disclosure {{ background: #3d1a1a; border: 1px solid #5a2020; border-radius: 8px; padding: 1rem 1.5rem; margin-top: 2rem; }}
+  .disclosure h3 {{ color: #ff7b72; margin-bottom: 8px; }}
+  .disclosure ul {{ color: #e3b341; padding-left: 1.2rem; font-size: 13px; line-height: 1.8; }}
+  .footer {{ margin-top: 3rem; color: #6e7681; font-size: 12px; border-top: 1px solid #21262d; padding-top: 1rem; }}
+</style>
+</head>
+<body>
+<h1>🦅 HeaderHawk — Security Report</h1>
+<div class="meta">Target: <strong>{url}</strong> &nbsp;|&nbsp; Status: {status_code} &nbsp;|&nbsp; Scanned: {now}</div>
+<div class="score">{score}/100</div>
+<div class="score-label">Security Score</div>
+<table>
+  <thead>
+    <tr>
+      <th>Header</th>
+      <th>Status</th>
+      <th>Risk</th>
+      <th>Attack Scenario</th>
+    </tr>
+  </thead>
+  <tbody>{rows}</tbody>
+</table>
+{disclosure_html}
+<div class="footer">Generated by HeaderHawk — Created by Sachin Singh &nbsp;|&nbsp; github.com/sachinsinsinwar/headerhawk</div>
+</body>
+</html>"""
+
+    filename = f"headerhawk_report_{datetime.now().strftime('%Y%m%d_%H%M%S')}.html"
+    with open(filename, "w") as f:
+        f.write(html)
+
+    return filename