\n| %s | ' % asset)
if 'access-control-allow-origin: *' in securityHeadersString:
outFile.write('Defined, Allows All (*) | ')
elif 'access-control-allow-origin' not in securityHeadersString:
outFile.write('Undefined | ')
else:
outFile.write('Defined, %s | ' % re.search('access-control-allow-origin: (.*)', securityHeadersString).group(1))
if 'content-security-policy' in securityHeadersString:
outFile.write('%s | ' % re.search('content-security-policy: (.*)', securityHeadersString).group(1))
else:
outFile.write('Undefined | ')
if 'server' in securityHeadersString:
outFile.write('Defined, %s | ' % re.search('server: (.*)', securityHeadersString).group(1))
else:
outFile.write('Undefined | ')
if 'strict-transport-security' in securityHeadersString:
outFile.write('%s | ' % re.search('strict-transport-security: (.*)', securityHeadersString).group(1))
else:
outFile.write('Undefined | ')
if 'x-content-type-options' in securityHeadersString:
outFile.write('%s | ' % re.search('x-content-type-options: (.*)', securityHeadersString).group(1))
else:
outFile.write('Undefined | ')
if 'x-frame-options' in securityHeadersString:
outFile.write('%s | ' % re.search('x-frame-options: (.*)', securityHeadersString).group(1))
else:
outFile.write('Undefined | ')
if 'x-permitted-cross-domain-policies' in securityHeadersString:
outFile.write('%s | ' % re.search('x-permitted-cross-domain-policies: (.*)', securityHeadersString).group(1))
else:
outFile.write('Undefined | ')
if 'x-powered-by' in securityHeadersString:
outFile.write('Defined, %s | ' % re.search('x-powered-by: (.*)', securityHeadersString).group(1))
else:
outFile.write('Undefined | ')
if 'x-xss-protection: 0' in securityHeadersString:
outFile.write('Protection Disabled, x-xss-protection: 0 | ')
elif 'x-xss-protection' not in securityHeadersString:
outFile.write('Undefined | ')
else:
outFile.write('%s | ' % re.search('x-xss-protection: (.*)', securityHeadersString).group(1))
headersDescription = """
\nAccess Control Allow Origin (Access-Control-Allow-Origin)
\n
Modern websites often include content dynamically pulled in from other sources online. SoundCloud, Flickr, Youtube and many other important websites use a technique called Cross Object Resource Sharing (CORS) to do so. Access Control Allow Origin is a header that is part of the "conversation" between the site a that wants to include data from another site.
\nContent Security Policy (Content-Security-Policy)
\nContent Security Policy (CSP) prevents cross site scripting by explicitly declaring to browsers which script, media, stylesheets, etc are supposed to be run from your website. By whitelisting these resources, if an attacker is ever able to embed his evil code on your site, the browser will ignore it and visitors to your site will remain safe.
\nCross Domain Meta Policy (X-Permitted-Cross-Domain-Policies)
\nThis header tells Flash and PDF files which Cross Domain Policy files found on your site can be obeyed; yes, it's a policy about other policies!
\nContent Type Options (X-Content-Type-Options)
\nMicrosoft Internet Explorer (IE) and Google Chrome have the ability to guess the type of content may be found in a file, a process called "MIME-sniffing". Since the browser can be tricked by an attacker into making the incorrect decision about types of files it sees online, webmasters can tell IE/Chrome to not to sniff. That directive is called "nosniff" and it's communicated to via HTTP headers.
\nServer Information (Server)
\nThe principle of least privilege says you only get access to stuff you need access to. Often times there is no reason for a server to advertise its information via headers. Removing the server header won't stop attacks but can make them slightly more difficult.
\nStrict Transport Security (Strict-Transport-Security)
\nUsing the HSTS header tells browsers that they should first make requests to your site over HTTPS by default!
\nFrame Options (X-Frame-Options)
\nThe X Frame Options header is designed to minimize the likelihood that an attacker can use a clickjacking attack against your site. In a clickjacking attack, the bad guy places a frame that invisibly renders your site over top of some other content below that is tempting for users to click on.
\nPowered By Information (X-Powered-By)
\nThe principle of least privilege says you only get access to stuff you need access to. Often times there is no reason to advertise your software version information via headers. Removing the x-powered-by header won't stop attacks but can make them slightly more difficult.
\nXSS Protection (X-XSS-Protection)
\nTells browsers such as IE and Chrome to be even more strict when they suspect an xss attack. The header can designate the browser to not render the page, try to remove/encode dangerous characters, or provide no additional protection.
"""
outFile.write('