
Mozilla HTTP Observatory :: Command Line Utility

Please note that this version of the Observatory CLI has been deprecated, and replaced with a considerably more powerful version.

Getting started with the HTTP Observatory (docker)

$ docker run --rm fgribreau/httpobs-cli www.mozilla.org
Score: 30 [E]
Modifiers:
    [  -5] Initial redirection from http to https is to a different host, preventing HSTS
    [  -5] Subresource Integrity (SRI) not implemented, but all external scripts are loaded over https
    [  -5] X-Content-Type-Options header not implemented
    [ -10] X-XSS-Protection header not implemented
    [ -20] HTTP Strict Transport Security (HSTS) header not implemented
    [ -25] Content Security Policy (CSP) header not implemented

Getting started with the HTTP Observatory (python)

First install the client:

$ pip install httpobs-cli

And then scan websites to your heart's content, using our hosted service:

$ httpobs www.mozilla.org
Score: 30 [E]
Modifiers:
    [  -5] Initial redirection from http to https is to a different host, preventing HSTS
    [  -5] Subresource Integrity (SRI) not implemented, but all external scripts are loaded over https
    [  -5] X-Content-Type-Options header not implemented
    [ -10] X-XSS-Protection header not implemented
    [ -20] HTTP Strict Transport Security (HSTS) header not implemented
    [ -25] Content Security Policy (CSP) header not implemented

$ httpobs www.google.com
Score: 35 [D-]
Modifiers:
    [  +5] Preloaded via the HTTP Public Key Pinning (HPKP) preloading process
    [  -5] X-Content-Type-Options header not implemented
    [ -20] Cookies set without using the Secure flag or set over http
    [ -20] HTTP Strict Transport Security (HSTS) header not implemented
    [ -25] Content Security Policy (CSP) header not implemented

$ httpobs --zero github.com
Score: 120 [A+]
Modifiers:
    [  +5] HTTP Public Key Pinning (HPKP) header set to a minimum of 15 days (1296000)
    [  +5] Preloaded via the HTTP Strict Transport Security (HSTS) preloading process
    [  +5] Subresource Integrity (SRI) is implemented and all scripts are loaded from a similar origin
    [  +5] X-Frame-Options (XFO) implemented via the CSP frame-ancestors directive
    [   0] All cookies use the Secure flag and all session cookies use the HttpOnly flag
    [   0] Content Security Policy (CSP) implemented with 'unsafe-inline' inside style-src
    [   0] Content is not visible via cross-origin resource sharing (CORS) files or headers
    [   0] Contribute.json isn't required on websites that don't belong to Mozilla
    [   0] Initial redirection is to https on same host, final destination is https
    [   0] X-Content-Type-Options header set to "nosniff"
    [   0] X-XSS-Protection header set to "1; mode=block"

If you want additional options, such as to see the raw scan output, use httpobs --help:

$ httpobs --help
usage: httpobs [options] host

positional arguments:
  host           hostname of the website to scan

optional arguments:
  -h, --help     show this help message and exit
  -d, --debug    output only raw JSON from scan and tests
  -r, --rescan   initiate a rescan instead of showing recent scan results
  -v, --verbose  display progress indicator
  -x, --hidden   don't list scan in the recent scan results
  -z, --zero     show test results that don't affect the final score

Authors

  • April King

License

  • Mozilla Public License Version 2.0

Contributors

  • amuntner
  • april
  • damiencarol
  • fgribreau
  • gene1wood
  • gene1wood-mozilla-owner
  • mozilla-github-standards


http-observatory-cli's Issues

I want more points! ;-)

Not using any external scripts, I get a score of 110.

Results are cached from 2h0m30s ago; use -r to rescan.

Score: 110 [A+]
Modifiers:
    [  +5] HTTP Public Key Pinning (HPKP) header set to a minimum of 15 days (1296000)
    [  +5] Preloaded via the HTTP Strict Transport Security (HSTS) preloading process

Using external scripts with SRI gets them 11 points.

Results are cached from 2h0m27s ago; use -r to rescan.

Score: 111 [A+]
Modifiers:
    [  +5] Preloaded via the HTTP Strict Transport Security (HSTS) preloading process
    [  +5] Subresource Integrity (SRI) is implemented and all scripts are loaded securely
    [  +1] HTTP Public Key Pinning (HPKP) header set to less than 15 days (1296000)

Why is using external scripts (with SRI) better than not using external scripts at all?
Sure, showing off you know SRI is a cool thing. But not relying on third-party domains for scripts (think availability) would be even better, no?

User story: Test a list of hostnames passed on the command line using the output mode selected

Right now I'm driving it with a shell script. I'd like to add another command line param to accept a file containing a list of hostnames for bulk testing and reporting.

In this mode, error messages should be saved until the testing has completed and output to stderr all at once prior to program termination, rather than having to back-scroll errors or redirect them to a file.

X-Frame-Options (XFO) header cannot be recognized

I tested jsq.bondsrv.com by running httpobs jsq.bondsrv.com and get among other messages the note that X-Frame-Options (XFO) header cannot be recognized. If I check the server response with f.ex. Chrome developer tools I can see that the headers include X-Frame-Options twice:

X-Frame-Options:SAMEORIGIN
X-Frame-Options:SAMEORIGIN

In the tool source you mention that having this header multiple times is common and I agree. It's set once by nginx for all sites and in this case a second time by WordPress.

I'm wondering why the test fails in my case?
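The issue above is about a response that carries X-Frame-Options twice with the same value. The following is an added example, not code from httpobs-cli or the Observatory scanner, so it says nothing about why that scanner rejected the header; it shows how a defender's own header check can handle repeated headers. It assumes the HTML standard's X-Frame-Options processing, where a header with more than one distinct value blocks framing (reported here as a conflict rather than as a recognised policy), and that a CSP frame-ancestors directive takes precedence over XFO, as the README's "XFO implemented via the CSP frame-ancestors directive" line suggests. The header lines are constructed from the issue text.

```python
"""Evaluate clickjacking protection from raw response header lines,
handling duplicated X-Frame-Options headers. Added example (assumptions
noted above); not part of httpobs-cli."""


def header_values(lines, name):
    """Collect every value of `name` (case-insensitive header name),
    splitting both repeated header lines and the comma-separated list form."""
    values = []
    for line in lines:
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        if key.strip().lower() == name.lower():
            values.extend(v.strip() for v in value.split(",") if v.strip())
    return values


def evaluate_framing(lines):
    """Return a dict describing the effective framing policy."""
    # Assumption: a CSP frame-ancestors directive wins over X-Frame-Options.
    csp = "; ".join(header_values(lines, "Content-Security-Policy"))
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return {"status": "ok", "source": "csp",
                    "policy": " ".join(parts[1:]), "values": []}

    values = header_values(lines, "X-Frame-Options")
    report = {"source": "xfo", "values": values,
              "duplicates": max(0, len(values) - 1)}
    if not values:
        return dict(report, status="missing")
    unique = {v.lower() for v in values}
    if len(unique) > 1:
        # e.g. DENY and SAMEORIGIN together: browsers fail closed (assumed
        # per the HTML standard), but an audit should flag it as a
        # misconfiguration rather than report a recognised policy.
        return dict(report, status="conflict")
    policy = unique.pop()
    if policy in ("deny", "sameorigin"):
        # Identical duplicates, as in the issue, collapse to one policy.
        return dict(report, status="ok", policy=policy)
    if policy.startswith("allow-from"):
        # ALLOW-FROM is obsolete and ignored by current browsers.
        return dict(report, status="obsolete", policy=policy)
    return dict(report, status="invalid", policy=policy)


# Constructed from the two header lines quoted in the issue above.
ISSUE_HEADERS = [
    "X-Frame-Options: SAMEORIGIN",
    "X-Frame-Options: SAMEORIGIN",
]

if __name__ == "__main__":
    print(evaluate_framing(ISSUE_HEADERS))
```

Run against the issue's two lines the function reports `status: ok` with `duplicates: 1`; the case a reviewer actually needs to catch is two different values, which comes back as `conflict`.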

CODE_OF_CONDUCT.md file missing

As of January 1 2019, Mozilla requires that all GitHub projects include this CODE_OF_CONDUCT.md file in the project root. The file has two parts:

  1. Required Text - All text under the headings Community Participation Guidelines and How to Report, are required, and should not be altered.
  2. Optional Text - The Project Specific Etiquette heading provides a space to speak more specifically about ways people can work effectively and inclusively together. Some examples of those can be found on the Firefox Debugger project, and Common Voice. (The optional part is commented out in the raw template file, and will not be visible until you modify and uncomment that part.)

If you have any questions about this file, or Code of Conduct policies and procedures, please see Mozilla-GitHub-Standards or email [email protected].

(Message COC001)

Wiki changes

FYI: The following changes were made to this repository's wiki:

These were made as the result of a recent automated defacement of publicly writeable wikis.

JSON format

For now the output of the tool is hard to parse:

Score: 0 [F]
Modifiers:
    [  -5] X-Content-Type-Options header not implemented
    [ -10] X-XSS-Protection header not implemented
    [ -20] Does not redirect to an HTTPS site
    [ -20] HTTP Strict Transport Security (HSTS) header cannot be set for sites not available over HTTPS
    [ -20] X-Frame-Options (XFO) header not implemented
    [ -25] Content Security Policy (CSP) header not implemented
    [ -50] Content is visible via cross-origin resource sharing (CORS) file or headers

It could be good to have an option to provide JSON output.

node cli for the node gods

So, Python is Awesome, I hear, but I am a chauvinist who only does the new thing, and values purity over sense. Therefore I want a client for node.

no need to give score for failing grade

STR for Ubuntu 14.04.4 LTS using Python 2.7.6

  1. virtualenv foo
  2. source foo/bin/activate
  3. pip install httpobs-cli
  4. httpobs-cli <something that redirects to https, e.g., 0e.vc>

/home/freddy/opt/httpobs-cli/venv/local/lib/python2.7/site-packages/requests/packages/urllib3/util/ssl_.py:120: InsecurePlatformWarning: A true SSLContext object is not available. This prevents urllib3 from configuring SSL appropriately and may cause certain SSL connections to fail. For more information, see https://urllib3.readthedocs.org/en/latest/security.html#insecureplatformwarning.
  InsecurePlatformWarning
Results are cached from 2h0m30s ago; use -r to rescan.

Score: 0 [F]
Modifiers:
    [  -5] X-Content-Type-Options header not implemented
    [ -10] X-XSS-Protection header not implemented
    [ -20] Does not redirect to an https site
    [ -20] HTTP Strict Transport Security (HSTS) header not implemented
    [ -20] X-Frame-Options (XFO) header not implemented
    [ -25] Content Security Policy (CSP) header not implemented

support for internal hostnames

Does this not work for scanning sites pre-production i.e. internal only?

I tried entering a few internal IPs/localhost and got this warning:
Unable to get result from the HTTP Observatory.

Nagios Plugin mode

It would be useful to be able to run the CLI with exit codes and output like a Nagios plugin.

The main points are

  • all output on one line with clear OK, WARNING, CRITICAL, UNKNOWN at the start of the line
  • exit codes 0 for OK, 1 for WARNING, 2 for CRITICAL, 3 for UNKNOWN

(for details see https://nagios-plugins.org/doc/guidelines.html)

For this it might also be useful to be able to whitelist or suppress individual known bad tests.

This would allow use of the CLI in Nagios, Icinga and many other monitoring systems supporting this standard.
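Several of the requests above (parseable JSON output, bulk testing with errors collected at the end, and a Nagios-style status line with exit codes) can be layered on top of the text that httpobs already prints, in the format shown in the README. The following is an added example and not code from httpobs-cli or the Observatory: it parses that text into a JSON-serialisable record and maps it to a Nagios status. The grade thresholds (`warn_below`, `crit_below`), the `suppress` mechanism for accepting known-bad tests, and the way an accepted penalty is added back to the score are all assumptions of this example, not scanner behaviour; the sample output is copied from the README's www.mozilla.org scan with the cache line from the issues.

```python
"""Parse httpobs text output into JSON and a Nagios-style check result.
Added example, not part of httpobs-cli; thresholds and suppression rules
are assumptions."""
import json
import re
import sys

SCORE_RE = re.compile(r"^Score:\s*(\d+)\s*\[([A-F][+-]?)\]\s*$")
MODIFIER_RE = re.compile(r"^\s*\[\s*([+-]?\d+)\]\s*(\S.*?)\s*$")
CACHE_RE = re.compile(r"^Results are cached from (\S+) ago")
ERROR_PREFIX = "Unable to get result"

# Exit codes from the Nagios plugin guidelines cited in the issue.
NAGIOS_CODES = {"OK": 0, "WARNING": 1, "CRITICAL": 2, "UNKNOWN": 3}


def parse_httpobs(text):
    """Turn one host's httpobs output into a dict that json.dumps accepts."""
    result = {"score": None, "grade": None, "cached_age": None,
              "modifiers": [], "errors": []}
    for line in text.splitlines():
        m = SCORE_RE.match(line)
        if m:
            result["score"], result["grade"] = int(m.group(1)), m.group(2)
            continue
        m = MODIFIER_RE.match(line)
        if m:
            result["modifiers"].append({"points": int(m.group(1)),
                                        "test": m.group(2)})
            continue
        m = CACHE_RE.match(line)
        if m:
            result["cached_age"] = m.group(1)
            continue
        if line.startswith(ERROR_PREFIX):
            result["errors"].append(line.strip())
    return result


def to_json(result):
    return json.dumps(result, indent=2)


def bulk_report(outputs):
    """outputs: host -> captured httpobs text, as a bulk run would collect it.
    Errors stay inside each record so they can be printed together at the end."""
    return {host: parse_httpobs(text) for host, text in outputs.items()}


def nagios_check(host, result, warn_below=70, crit_below=50, suppress=()):
    """Return (status, exit_code, line): status word first, one line of
    output, performance data after '|'. `suppress` holds substrings of test
    descriptions whose penalty is treated as accepted. Assumption: an
    accepted penalty is simply added back to the score (this overstates the
    adjusted value when the scanner had already floored the score at 0)."""
    if result["errors"] or result["score"] is None:
        msg = "; ".join(result["errors"]) or "no score in output"
        return "UNKNOWN", 3, f"HTTPOBS UNKNOWN - {host}: {msg}"
    accepted = [m for m in result["modifiers"] if m["points"] < 0
                and any(s.lower() in m["test"].lower() for s in suppress)]
    failing = [m for m in result["modifiers"]
               if m["points"] < 0 and m not in accepted]
    adjusted = result["score"] - sum(m["points"] for m in accepted)
    if adjusted < crit_below:
        status = "CRITICAL"
    elif adjusted < warn_below:
        status = "WARNING"
    else:
        status = "OK"
    summary = f"{host} score {result['score']} [{result['grade']}]"
    if accepted:
        summary += f", {adjusted} after {len(accepted)} accepted finding(s)"
    summary += f", {len(failing)} failing test(s)"
    return status, NAGIOS_CODES[status], f"HTTPOBS {status} - {summary} | score={result['score']}"


# Sample input: the README's www.mozilla.org output plus the cache line
# quoted in the issues (copied from this page, not freshly scanned).
SAMPLE_MOZILLA = """\
Results are cached from 2h0m30s ago; use -r to rescan.

Score: 30 [E]
Modifiers:
    [  -5] Initial redirection from http to https is to a different host, preventing HSTS
    [  -5] Subresource Integrity (SRI) not implemented, but all external scripts are loaded over https
    [  -5] X-Content-Type-Options header not implemented
    [ -10] X-XSS-Protection header not implemented
    [ -20] HTTP Strict Transport Security (HSTS) header not implemented
    [ -25] Content Security Policy (CSP) header not implemented
"""
# The warning quoted in the "support for internal hostnames" issue.
SAMPLE_ERROR = "Unable to get result from the HTTP Observatory.\n"

if __name__ == "__main__":
    # Usage: httpobs example.test | python this_script.py example.test
    host = sys.argv[1] if len(sys.argv) > 1 else "unknown-host"
    _, code, line = nagios_check(host, parse_httpobs(sys.stdin.read()))
    print(line)
    sys.exit(code)
```

With the defaults the mozilla.org sample lands at CRITICAL (30 < 50); accepting the CSP and HSTS findings via `suppress` lifts the adjusted score to 75 and the check to OK, which is how a known, ticketed gap can be kept out of the alert channel without hiding the raw score from the performance data.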
