humble.py
Welcome to the humble.py documentation!
What is humble.py?
It is a humble, fast, security-oriented HTTP response headers analyzer.
It is the result of many weekends of my spare time (for six years, and hopefully for many more) dedicated to questioning, studying, researching and programming around standards, exploits, regulations and vulnerabilities, and to learning from countless articles on HTTP response headers and their security.
It started as a small personal project, with no intention of becoming important. Over time, it was accepted into Kali Linux, has been referenced in blogs and on social media, and has been used as a basis and reference for final degree projects.
Requires Python 3.11 or higher along with a few dependencies, plus testssl.sh if you want to analyze the obsolete SSL/TLS protocols and vulnerabilities of a URL.
What does it offer?
In my experience, HTTP response headers are consistently overlooked in security audits. Yet after several years in cybersecurity, I've seen firsthand how proper header configuration can prevent serious vulnerabilities and avoid problems before they escalate.
humble.py delivers quick, honest security analysis of HTTP response headers, identifying configuration deficiencies while providing actionable technical references and best practices.
You have nothing to lose by trying it; are you up for it? :)
And, if I may, a word of advice: use the information provided by this tool wisely. I believe there is far more merit in helping others, learning and teaching than in attacking, harming or taking advantage. Please, do not just be a script kiddie: if this really interests you, learn, research and become a Security Analyst!
Who Made It?
Rafa 'Bluesman' Faura Cucalón; you can read about me on LinkedIn.
Features
- Covers 62 enabled security-related HTTP response headers.
- 15 checks for missing security-related HTTP response headers.
- 1286 checks for fingerprinting through HTTP response headers.
- 158 checks for deprecated HTTP response headers/protocols or with insecure/wrong values.
- 28 checks related to Content Security Policy Level 3.
- Can check for compliance with the OWASP Secure Headers Project Best Practices.
- Can exclude specific HTTP response headers from the analysis.
- Can analyze raw response files: text files with HTTP response headers and values.
- Can export each analysis to CSV, CSS3 & HTML5, JSON, PDF, TXT, XLSX (Excel 2007 onwards) and XML, to a filename and path of your choice.
- Can check for outdated SSL/TLS protocols and vulnerabilities: requires testssl.sh.
- Can provide brief and detailed analysis along with HTTP response headers.
- Can use proxies for the analysis.
- Allows specifying custom HTTP request headers.
- Can output only analysis summary, totals and grade as JSON; suitable for CI/CD.
- Prints browser support for enabled HTTP security headers, with data from Can I use.
- Highlights experimental headers in each analysis.
- Provides hundreds of relevant links to security resources, standards and technical blogs based on each analysis.
- Supports displaying analysis, messages, and most errors in English or Spanish.
- Saves each analysis, highlighting improvements or deficiencies compared to the previous one.
- Can display analysis statistics for a specific URL or across all of them.
- Can display fingerprint statistics for a specific term or the Top 20.
- Can display guidelines for enabling security HTTP response headers on popular frameworks, servers, and services.
- AI-driven security triage and remediation guidance.
- Provides dozens of unit tests to verify compatibility with your environment; requires pytest and pytest-cov.
- Code regularly audited with several quality, style and security tools.
- Tested, one by one, on thousands of URLs.
- Tested on Docker 26.1, Kali Linux 2021.1, macOS 14.2.1 and Windows 10 20H2.
- Almost all the code available under one of the most permissive licenses: MIT.
- And more!
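To make concrete what "checks for missing, deprecated or insecure headers" means in practice, here is an added Python example written for this page. It is not humble.py's code: the header lists are a small illustrative subset chosen for the example (not the tool's own 15, 158 or 1286 checks), the raw response it parses is constructed, and the thresholds it applies are the example's own assumptions.

```python
"""Illustrative response-header checks (added example, not humble.py's code).

Parses a raw response file (status line followed by "Name: value" lines, as
the features above describe) and flags a hand-picked subset of findings:
missing recommended headers, deprecated headers, insecure values and
headers that disclose software versions (fingerprinting).
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample: the kind of raw response file the tool can analyze.
SAMPLE_RAW_RESPONSE = """\
HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: ExampleServer/1.2.3
X-Powered-By: ExampleFramework
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Referrer-Policy: unsafe-url
Set-Cookie: session=abc123; Path=/
"""

# Illustrative subsets (assumptions of this example, not the tool's lists).
RECOMMENDED_HEADERS = (
    "content-security-policy", "strict-transport-security",
    "x-content-type-options", "x-frame-options",
    "referrer-policy", "permissions-policy",
)
DEPRECATED_HEADERS = ("x-xss-protection", "expect-ct", "public-key-pins")
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version")


def _max_age(value: str) -> int:
    """Return the max-age directive of an HSTS value, or 0 if absent/malformed."""
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.strip().lower() == "max-age":
            try:
                return int(num.strip().strip('"'))
            except ValueError:
                return 0
    return 0


# Header name -> predicate over the lowercased value that marks it insecure.
INSECURE_VALUE_CHECKS = {
    "referrer-policy": lambda v: v in ("unsafe-url", "no-referrer-when-downgrade"),
    "strict-transport-security": lambda v: _max_age(v) < 31536000,  # < 1 year
    "x-frame-options": lambda v: v.startswith("allow-from"),  # obsolete directive
}


def parse_raw_response(raw: str) -> dict[str, list[str]]:
    """Parse a raw response into {lowercased name: [values]}.

    Skips the status line, treats names case-insensitively, keeps repeated
    headers (e.g. several Set-Cookie) as separate values, and stops at the
    first blank line, where the body begins.
    """
    headers: dict[str, list[str]] = {}
    lines = raw.splitlines()
    if lines and lines[0].upper().startswith("HTTP/"):
        lines = lines[1:]
    for line in lines:
        if not line.strip():
            break
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a "Name: value" line; ignore it
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


@dataclass
class Findings:
    missing: list[str] = field(default_factory=list)
    deprecated: list[str] = field(default_factory=list)
    insecure: list[str] = field(default_factory=list)
    fingerprint: list[str] = field(default_factory=list)


def analyze_headers(headers: dict[str, list[str]]) -> Findings:
    """Run the illustrative checks over parsed headers."""
    f = Findings()
    f.missing = [h for h in RECOMMENDED_HEADERS if h not in headers]
    f.deprecated = [h for h in DEPRECATED_HEADERS if h in headers]
    f.fingerprint = [f"{h}: {headers[h][0]}" for h in FINGERPRINT_HEADERS if h in headers]
    for name, is_insecure in INSECURE_VALUE_CHECKS.items():
        for value in headers.get(name, []):
            if is_insecure(value.lower()):
                f.insecure.append(f"{name}: {value}")
    # Every Set-Cookie should carry both the Secure and HttpOnly attributes.
    for cookie in headers.get("set-cookie", []):
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if not {"secure", "httponly"} <= attrs:
            f.insecure.append(f"set-cookie: {cookie.split(';')[0]} lacks Secure/HttpOnly")
    return f


def summary(raw: str) -> Findings:
    """Parse a raw response file and return its findings."""
    return analyze_headers(parse_raw_response(raw))


if __name__ == "__main__":
    for category, items in vars(summary(SAMPLE_RAW_RESPONSE)).items():
        print(f"{category}: {items}")
```

The parser stops at the first blank line and merges repeated headers into a list so that a multi-cookie response is checked cookie by cookie rather than on the first value only; the thresholds (one-year HSTS max-age, the two weak Referrer-Policy values) are the example's choices, not the tool's.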
How can I test it?
- Start by taking a look at its repository.
- Then its documentation on its classes and functions (work in progress).
- Then, if you think it could be useful, run the unit tests to check compatibility with your environment.
Whatever you decide about humble.py, thank you for your time!
Notes
About codeaudit, opengrep, Sourcery and vulture checks:
Inline comments are used to suppress certain tool-generated checks; the docstring for the associated class or function can provide additional information about them. You can identify them in the code by searching for:
- # false-positive (codeaudit)
- # nosemgrep (opengrep)
- # noqa (several)
- # sourcery skip (Sourcery)
In the file pyproject.toml you can review the specific exceptions to the ruff rules along with the reasons for doing so.
Last but not least
For those who maintain some essential tools for developing and testing humble.py, and to everyone who has contributed ideas, suggestions or bug reports: thank you!
And a special greeting to Alba, Aleix, Alejandro (x3), Álvaro, Ana, Carlos (x3), David (x3), Eduardo, Eloy, Fernando, Gabriel, Íñigo, Joanna, Juan Carlos, Juán, Julián, Julio, Iván, Lourdes, Luis Joaquín, María Antonia, Marta, Miguel, Miguel Ángel (x2), Montse, Naiara, Pablo, Sergio, Ricardo, and Rubén!