README.md
In hrbrmstr/hdrs: Have Some Fun with 'HTTP' Headers
hdrs
Have Some Fun with ‘HTTP’ Headers
Description
Methods are provided to retrieve and test ‘HTTP’ headers from a website.
An ‘HTTP’ request and response header reference/explanatory data frame
is also provided via the ‘hsecsecan’ project
(https://github.com/riramar/hsecscan)
What’s Inside The Tin
The following functions are implemented:
as.data.frame.insensitive: Turn httr::headers() objects into a
data frameassess_security_headers: Assess “security” headers for a given URLexplain_headers: Explain HTTP headers found from a URL requestexplore_app: A Shiny App for Exploring HTTP Headershttp_headers: HTTP Header Reference
Installation
install.packages("hdrs", repos = "https://cinc.rud.is/")
Usage
library(hdrs)
library(tibble) # for printing
# current version
packageVersion("hdrs")
## [1] '0.2.0'
httr::HEAD("https://rud.is/b") %>%
httr::headers() %>%
as.data.frame()
## # A tibble: 20 x 2
## name value
## <chr> <chr>
## 1 server nginx
## 2 date Wed, 06 Mar 2019 12:27:15 GMT
## 3 content-type text/html; charset=UTF-8
## 4 connection keep-alive
## 5 vary Accept-Encoding
## 6 set-cookie PHPSESSID=0f2uckd4t1tuf55hhecpk73i63; path=/
## 7 expires Thu, 07 Mar 2019 12:27:15 GMT
## 8 cache-control max-age=86400
## 9 pragma no-cache
## 10 link "<https://rud.is/b/wp-json/>; rel=\"https://api.w.org/\""
## 11 link <https://wp.me/23idr>; rel=shortlink
## 12 strict-transport-secu… max-age=31536000; includeSubDomains; preload
## 13 content-security-poli… default-src 'self' data: fonts.gstatic.com fonts.googleapis.com cdn.ampproject.org *.ampproje…
## 14 x-frame-options SAMEORIGIN
## 15 referrer-policy no-referrer-when-downgrade
## 16 feature-policy geolocation 'none';midi 'none';sync-xhr 'none';microphone 'none';camera 'none';magnetometer '…
## 17 x-powered-by <3
## 18 x-xss-protection 1; mode=block
## 19 x-content-type-options nosniff
## 20 content-encoding gzip
assess_security_headers("https://cran.r-project.org") %>%
dplyr::select(-url) %>%
gt::gt()
html {
font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Oxygen, Ubuntu, Cantarell, 'Fira Sans', 'Droid Sans', 'Helvetica Neue', Arial, sans-serif;
}
#lsgjsbdkdu .gt_table {
border-collapse: collapse;
margin-left: auto;
margin-right: auto;
color: #000000;
font-size: 16px;
background-color: #FFFFFF;
/* table.background.color */
width: auto;
/* table.width */
border-top-style: solid;
/* table.border.top.style */
border-top-width: 2px;
/* table.border.top.width */
border-top-color: #A8A8A8;
/* table.border.top.color */
}
#lsgjsbdkdu .gt_heading {
background-color: #FFFFFF;
/* heading.background.color */
border-bottom-color: #FFFFFF;
}
#lsgjsbdkdu .gt_title {
color: #000000;
font-size: 125%;
/* heading.title.font.size */
padding-top: 4px;
/* heading.top.padding */
padding-bottom: 1px;
border-bottom-color: #FFFFFF;
border-bottom-width: 0;
}
#lsgjsbdkdu .gt_subtitle {
color: #000000;
font-size: 85%;
/* heading.subtitle.font.size */
padding-top: 1px;
padding-bottom: 4px;
/* heading.bottom.padding */
border-top-color: #FFFFFF;
border-top-width: 0;
}
#lsgjsbdkdu .gt_bottom_border {
border-bottom-style: solid;
/* heading.border.bottom.style */
border-bottom-width: 2px;
/* heading.border.bottom.width */
border-bottom-color: #A8A8A8;
/* heading.border.bottom.color */
}
#lsgjsbdkdu .gt_column_spanner {
border-bottom-style: solid;
border-bottom-width: 2px;
border-bottom-color: #A8A8A8;
padding-top: 4px;
padding-bottom: 4px;
}
#lsgjsbdkdu .gt_col_heading {
color: #000000;
background-color: #FFFFFF;
/* column_labels.background.color */
font-size: 16px;
/* column_labels.font.size */
font-weight: initial;
/* column_labels.font.weight */
padding: 10px;
margin: 10px;
}
#lsgjsbdkdu .gt_sep_right {
border-right: 5px solid #FFFFFF;
}
#lsgjsbdkdu .gt_group_heading {
padding: 8px;
color: #000000;
background-color: #FFFFFF;
/* stub_group.background.color */
font-size: 16px;
/* stub_group.font.size */
font-weight: initial;
/* stub_group.font.weight */
border-top-style: solid;
/* stub_group.border.top.style */
border-top-width: 2px;
/* stub_group.border.top.width */
border-top-color: #A8A8A8;
/* stub_group.border.top.color */
border-bottom-style: solid;
/* stub_group.border.bottom .style */
border-bottom-width: 2px;
/* stub_group.border.bottom .width */
border-bottom-color: #A8A8A8;
/* stub_group.border.bottom .color */
}
#lsgjsbdkdu .gt_empty_group_heading {
padding: 0.5px;
color: #000000;
background-color: #FFFFFF;
/* stub_group.background.color */
font-size: 16px;
/* stub_group.font.size */
font-weight: initial;
/* stub_group.font.weight */
border-top-style: solid;
/* stub_group.border.top.style */
border-top-width: 2px;
/* stub_group.border.top.width */
border-top-color: #A8A8A8;
/* stub_group.border.top.color */
border-bottom-style: solid;
/* stub_group.border.bottom .style */
border-bottom-width: 2px;
/* stub_group.border.bottom .width */
border-bottom-color: #A8A8A8;
/* stub_group.border.bottom .color */
}
#lsgjsbdkdu .gt_striped tr:nth-child(even) {
background-color: #f2f2f2;
}
#lsgjsbdkdu .gt_row {
padding: 10px;
/* row.padding */
margin: 10px;
}
#lsgjsbdkdu .gt_stub {
border-right-style: solid;
border-right-width: 2px;
border-right-color: #A8A8A8;
text-indent: 5px;
}
#lsgjsbdkdu .gt_stub.gt_row {
background-color: #FFFFFF;
}
#lsgjsbdkdu .gt_summary_row {
background-color: #FFFFFF;
/* summary_row.background.color */
padding: 6px;
/* summary_row.padding */
text-transform: inherit;
/* summary_row.text_transform */
}
#lsgjsbdkdu .gt_first_summary_row {
border-top-style: solid;
border-top-width: 2px;
border-top-color: #A8A8A8;
}
#lsgjsbdkdu .gt_table_body {
border-top-style: solid;
/* field.border.top.style */
border-top-width: 2px;
/* field.border.top.width */
border-top-color: #A8A8A8;
/* field.border.top.color */
border-bottom-style: solid;
/* field.border.bottom.style */
border-bottom-width: 2px;
/* field.border.bottom.width */
border-bottom-color: #A8A8A8;
/* field.border.bottom.color */
}
#lsgjsbdkdu .gt_footnote {
font-size: 90%;
/* footnote.font.size */
padding: 4px;
/* footnote.padding */
}
#lsgjsbdkdu .gt_sourcenote {
font-size: 90%;
/* sourcenote.font.size */
padding: 4px;
/* sourcenote.padding */
}
#lsgjsbdkdu .gt_center {
text-align: center;
}
#lsgjsbdkdu .gt_left {
text-align: left;
}
#lsgjsbdkdu .gt_right {
text-align: right;
font-variant-numeric: tabular-nums;
}
#lsgjsbdkdu .gt_font_normal {
font-weight: normal;
}
#lsgjsbdkdu .gt_font_bold {
font-weight: bold;
}
#lsgjsbdkdu .gt_font_italic {
font-style: italic;
}
#lsgjsbdkdu .gt_super {
font-size: 65%;
}
#lsgjsbdkdu .gt_footnote_glyph {
font-style: italic;
font-size: 65%;
}
header
value
status\_code
message
access-control-allow-origin
NA
WARN
Header not set
content-security-policy
NA
WARN
Header not set
expect-ct
NA
WARN
Header not set
feature-policy
NA
WARN
Header not set
public-key-pins
NA
WARN
Header not set
referrer-policy
NA
WARN
Header not set
server
Apache/2.4.10 (Debian)
NOTE
Server header found
strict-transport-security
NA
WARN
Header not set
x-content-type-options
NA
WARN
Header not set
x-frame-options
NA
WARN
Header not set
x-permitted-cross-domain-policies
NA
WARN
Header not set
x-powered-by
NA
WARN
Header not set
x-xss-protection
NA
WARN
Header not set
Tsk, tsk…
assess_security_headers("https://rud.is/b") %>%
dplyr::select(-url) %>%
gt::gt()
html {
font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Oxygen, Ubuntu, Cantarell, 'Fira Sans', 'Droid Sans', 'Helvetica Neue', Arial, sans-serif;
}
#fkvlcbxjkq .gt_table {
border-collapse: collapse;
margin-left: auto;
margin-right: auto;
color: #000000;
font-size: 16px;
background-color: #FFFFFF;
/* table.background.color */
width: auto;
/* table.width */
border-top-style: solid;
/* table.border.top.style */
border-top-width: 2px;
/* table.border.top.width */
border-top-color: #A8A8A8;
/* table.border.top.color */
}
#fkvlcbxjkq .gt_heading {
background-color: #FFFFFF;
/* heading.background.color */
border-bottom-color: #FFFFFF;
}
#fkvlcbxjkq .gt_title {
color: #000000;
font-size: 125%;
/* heading.title.font.size */
padding-top: 4px;
/* heading.top.padding */
padding-bottom: 1px;
border-bottom-color: #FFFFFF;
border-bottom-width: 0;
}
#fkvlcbxjkq .gt_subtitle {
color: #000000;
font-size: 85%;
/* heading.subtitle.font.size */
padding-top: 1px;
padding-bottom: 4px;
/* heading.bottom.padding */
border-top-color: #FFFFFF;
border-top-width: 0;
}
#fkvlcbxjkq .gt_bottom_border {
border-bottom-style: solid;
/* heading.border.bottom.style */
border-bottom-width: 2px;
/* heading.border.bottom.width */
border-bottom-color: #A8A8A8;
/* heading.border.bottom.color */
}
#fkvlcbxjkq .gt_column_spanner {
border-bottom-style: solid;
border-bottom-width: 2px;
border-bottom-color: #A8A8A8;
padding-top: 4px;
padding-bottom: 4px;
}
#fkvlcbxjkq .gt_col_heading {
color: #000000;
background-color: #FFFFFF;
/* column_labels.background.color */
font-size: 16px;
/* column_labels.font.size */
font-weight: initial;
/* column_labels.font.weight */
padding: 10px;
margin: 10px;
}
#fkvlcbxjkq .gt_sep_right {
border-right: 5px solid #FFFFFF;
}
#fkvlcbxjkq .gt_group_heading {
padding: 8px;
color: #000000;
background-color: #FFFFFF;
/* stub_group.background.color */
font-size: 16px;
/* stub_group.font.size */
font-weight: initial;
/* stub_group.font.weight */
border-top-style: solid;
/* stub_group.border.top.style */
border-top-width: 2px;
/* stub_group.border.top.width */
border-top-color: #A8A8A8;
/* stub_group.border.top.color */
border-bottom-style: solid;
/* stub_group.border.bottom .style */
border-bottom-width: 2px;
/* stub_group.border.bottom .width */
border-bottom-color: #A8A8A8;
/* stub_group.border.bottom .color */
}
#fkvlcbxjkq .gt_empty_group_heading {
padding: 0.5px;
color: #000000;
background-color: #FFFFFF;
/* stub_group.background.color */
font-size: 16px;
/* stub_group.font.size */
font-weight: initial;
/* stub_group.font.weight */
border-top-style: solid;
/* stub_group.border.top.style */
border-top-width: 2px;
/* stub_group.border.top.width */
border-top-color: #A8A8A8;
/* stub_group.border.top.color */
border-bottom-style: solid;
/* stub_group.border.bottom .style */
border-bottom-width: 2px;
/* stub_group.border.bottom .width */
border-bottom-color: #A8A8A8;
/* stub_group.border.bottom .color */
}
#fkvlcbxjkq .gt_striped tr:nth-child(even) {
background-color: #f2f2f2;
}
#fkvlcbxjkq .gt_row {
padding: 10px;
/* row.padding */
margin: 10px;
}
#fkvlcbxjkq .gt_stub {
border-right-style: solid;
border-right-width: 2px;
border-right-color: #A8A8A8;
text-indent: 5px;
}
#fkvlcbxjkq .gt_stub.gt_row {
background-color: #FFFFFF;
}
#fkvlcbxjkq .gt_summary_row {
background-color: #FFFFFF;
/* summary_row.background.color */
padding: 6px;
/* summary_row.padding */
text-transform: inherit;
/* summary_row.text_transform */
}
#fkvlcbxjkq .gt_first_summary_row {
border-top-style: solid;
border-top-width: 2px;
border-top-color: #A8A8A8;
}
#fkvlcbxjkq .gt_table_body {
border-top-style: solid;
/* field.border.top.style */
border-top-width: 2px;
/* field.border.top.width */
border-top-color: #A8A8A8;
/* field.border.top.color */
border-bottom-style: solid;
/* field.border.bottom.style */
border-bottom-width: 2px;
/* field.border.bottom.width */
border-bottom-color: #A8A8A8;
/* field.border.bottom.color */
}
#fkvlcbxjkq .gt_footnote {
font-size: 90%;
/* footnote.font.size */
padding: 4px;
/* footnote.padding */
}
#fkvlcbxjkq .gt_sourcenote {
font-size: 90%;
/* sourcenote.font.size */
padding: 4px;
/* sourcenote.padding */
}
#fkvlcbxjkq .gt_center {
text-align: center;
}
#fkvlcbxjkq .gt_left {
text-align: left;
}
#fkvlcbxjkq .gt_right {
text-align: right;
font-variant-numeric: tabular-nums;
}
#fkvlcbxjkq .gt_font_normal {
font-weight: normal;
}
#fkvlcbxjkq .gt_font_bold {
font-weight: bold;
}
#fkvlcbxjkq .gt_font_italic {
font-style: italic;
}
#fkvlcbxjkq .gt_super {
font-size: 65%;
}
#fkvlcbxjkq .gt_footnote_glyph {
font-style: italic;
font-size: 65%;
}
header
value
status\_code
message
access-control-allow-origin
NA
WARN
Header not set
content-security-policy
default-src ‘self’ data: fonts.gstatic.com fonts.googleapis.com
cdn.ampproject.org *.ampproject.org *.w.org w.org wp.com sendpulse.com
gravatar.com *.wp.com *.sendpulse.com *.gravatar.com wordpress.com
*.wordpress.com ;
script-src ‘self’ data: ‘unsafe-inline’ ‘unsafe-eval’ fonts.gstatic.com
fonts.googleapis.com *.w.org w.org wp.com cdn.ampproject.org
*.ampproject.org sendpulse.com gravatar.com *.wp.com *.sendpulse.com
*.gravatar.com wordpress.com *.wordpress.com; style-src ‘self’ data:
‘unsafe-inline’ ‘unsafe-eval’ fonts.gstatic.com fonts.googleapis.com
*.w.org w.org wp.com *.sendpulse.com sendpulse.com *.gravatar.com
gravatar.com *.wp.com cdn.ampproject.org \*.ampproject.org;
OK
NOTE: Policy present but not parse
expect-ct
NA
WARN
Header not set
feature-policy
geolocation ‘none’;midi ‘none’;sync-xhr ‘none’;microphone ‘none’;camera
‘none’;magnetometer ‘none’;gyroscope ‘none’;speaker ‘self’;fullscreen
‘self’;payment ‘none’;
OK
Value present but not verified
public-key-pins
NA
WARN
Header not set
referrer-policy
no-referrer-when-downgrade
OK
Acceptable setting found
server
nginx
NOTE
Server header found
strict-transport-security
max-age=31536000; includeSubDomains; preload
OK
Value present but not evaluated
x-content-type-options
nosniff
OK
Acceptable setting found
x-frame-options
SAMEORIGIN
OK
Acceptable setting found
x-permitted-cross-domain-policies
NA
WARN
Header not set
x-powered-by
\<3
NOTE
X-Powered-By header present
x-xss-protection
1; mode=block
WARN
Required value (‘nosniff’) not present
Looks like I gots some ’splainin to do as well.
hdrs::explain_headers("https://community.rstudio.com/") %>%
dplyr::select(header,value, enable, security_reference, recommendations) %>%
gt::gt()
html {
font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Oxygen, Ubuntu, Cantarell, 'Fira Sans', 'Droid Sans', 'Helvetica Neue', Arial, sans-serif;
}
#mjauwpzaol .gt_table {
border-collapse: collapse;
margin-left: auto;
margin-right: auto;
color: #000000;
font-size: 16px;
background-color: #FFFFFF;
/* table.background.color */
width: auto;
/* table.width */
border-top-style: solid;
/* table.border.top.style */
border-top-width: 2px;
/* table.border.top.width */
border-top-color: #A8A8A8;
/* table.border.top.color */
}
#mjauwpzaol .gt_heading {
background-color: #FFFFFF;
/* heading.background.color */
border-bottom-color: #FFFFFF;
}
#mjauwpzaol .gt_title {
color: #000000;
font-size: 125%;
/* heading.title.font.size */
padding-top: 4px;
/* heading.top.padding */
padding-bottom: 1px;
border-bottom-color: #FFFFFF;
border-bottom-width: 0;
}
#mjauwpzaol .gt_subtitle {
color: #000000;
font-size: 85%;
/* heading.subtitle.font.size */
padding-top: 1px;
padding-bottom: 4px;
/* heading.bottom.padding */
border-top-color: #FFFFFF;
border-top-width: 0;
}
#mjauwpzaol .gt_bottom_border {
border-bottom-style: solid;
/* heading.border.bottom.style */
border-bottom-width: 2px;
/* heading.border.bottom.width */
border-bottom-color: #A8A8A8;
/* heading.border.bottom.color */
}
#mjauwpzaol .gt_column_spanner {
border-bottom-style: solid;
border-bottom-width: 2px;
border-bottom-color: #A8A8A8;
padding-top: 4px;
padding-bottom: 4px;
}
#mjauwpzaol .gt_col_heading {
color: #000000;
background-color: #FFFFFF;
/* column_labels.background.color */
font-size: 16px;
/* column_labels.font.size */
font-weight: initial;
/* column_labels.font.weight */
padding: 10px;
margin: 10px;
}
#mjauwpzaol .gt_sep_right {
border-right: 5px solid #FFFFFF;
}
#mjauwpzaol .gt_group_heading {
padding: 8px;
color: #000000;
background-color: #FFFFFF;
/* stub_group.background.color */
font-size: 16px;
/* stub_group.font.size */
font-weight: initial;
/* stub_group.font.weight */
border-top-style: solid;
/* stub_group.border.top.style */
border-top-width: 2px;
/* stub_group.border.top.width */
border-top-color: #A8A8A8;
/* stub_group.border.top.color */
border-bottom-style: solid;
/* stub_group.border.bottom .style */
border-bottom-width: 2px;
/* stub_group.border.bottom .width */
border-bottom-color: #A8A8A8;
/* stub_group.border.bottom .color */
}
#mjauwpzaol .gt_empty_group_heading {
padding: 0.5px;
color: #000000;
background-color: #FFFFFF;
/* stub_group.background.color */
font-size: 16px;
/* stub_group.font.size */
font-weight: initial;
/* stub_group.font.weight */
border-top-style: solid;
/* stub_group.border.top.style */
border-top-width: 2px;
/* stub_group.border.top.width */
border-top-color: #A8A8A8;
/* stub_group.border.top.color */
border-bottom-style: solid;
/* stub_group.border.bottom .style */
border-bottom-width: 2px;
/* stub_group.border.bottom .width */
border-bottom-color: #A8A8A8;
/* stub_group.border.bottom .color */
}
#mjauwpzaol .gt_striped tr:nth-child(even) {
background-color: #f2f2f2;
}
#mjauwpzaol .gt_row {
padding: 10px;
/* row.padding */
margin: 10px;
}
#mjauwpzaol .gt_stub {
border-right-style: solid;
border-right-width: 2px;
border-right-color: #A8A8A8;
text-indent: 5px;
}
#mjauwpzaol .gt_stub.gt_row {
background-color: #FFFFFF;
}
#mjauwpzaol .gt_summary_row {
background-color: #FFFFFF;
/* summary_row.background.color */
padding: 6px;
/* summary_row.padding */
text-transform: inherit;
/* summary_row.text_transform */
}
#mjauwpzaol .gt_first_summary_row {
border-top-style: solid;
border-top-width: 2px;
border-top-color: #A8A8A8;
}
#mjauwpzaol .gt_table_body {
border-top-style: solid;
/* field.border.top.style */
border-top-width: 2px;
/* field.border.top.width */
border-top-color: #A8A8A8;
/* field.border.top.color */
border-bottom-style: solid;
/* field.border.bottom.style */
border-bottom-width: 2px;
/* field.border.bottom.width */
border-bottom-color: #A8A8A8;
/* field.border.bottom.color */
}
#mjauwpzaol .gt_footnote {
font-size: 90%;
/* footnote.font.size */
padding: 4px;
/* footnote.padding */
}
#mjauwpzaol .gt_sourcenote {
font-size: 90%;
/* sourcenote.font.size */
padding: 4px;
/* sourcenote.padding */
}
#mjauwpzaol .gt_center {
text-align: center;
}
#mjauwpzaol .gt_left {
text-align: left;
}
#mjauwpzaol .gt_right {
text-align: right;
font-variant-numeric: tabular-nums;
}
#mjauwpzaol .gt_font_normal {
font-weight: normal;
}
#mjauwpzaol .gt_font_bold {
font-weight: bold;
}
#mjauwpzaol .gt_font_italic {
font-style: italic;
}
#mjauwpzaol .gt_super {
font-size: 65%;
}
#mjauwpzaol .gt_footnote_glyph {
font-style: italic;
font-size: 65%;
}
header
value
enable
security\_reference
recommendations
cache-control
no-cache, no-store
TRUE
Do not store unnecessarily sensitive information in the cache.
connection
keep-alive
FALSE
content-encoding
gzip
TRUE
Another suggested approach is to disable HTTP compression whenever the
referrer header indicates a cross-site request, or when the header is
not present. This approach allows effective mitigation of the attack
without losing functionality, only incurring a performance penalty on
affected requests.
content-security-policy
base-uri ‘none’; object-src ‘none’; script-src ‘unsafe-eval’
‘report-sample’
; worker-src ‘self’ blob:
TRUE
Read the reference and set according to your
case. This is not a easy job.
content-type
text/html; charset=utf-8
TRUE
Properly configure their origin server to provide the correct
Content-Type for a given representation.
date
Wed, 06 Mar 2019 12:27:24 GMT
FALSE
referrer-policy
strict-origin-when-cross-origin
NA
NA
NA
server
nginx
TRUE
An origin server SHOULD NOT generate a Server field containing
needlessly fine-grained detail and SHOULD limit the addition of
subproducts by third parties.
strict-transport-security
max-age=31536000
TRUE
Please at least read this reference:
.
vary
Accept-Encoding
FALSE
x-content-type-options
nosniff
TRUE
Always use the only defined value, “nosniff”.
x-discourse-route
list/latest
NA
NA
NA
x-download-options
noopen
NA
NA
NA
x-frame-options
SAMEORIGIN
TRUE
In 2009 and 2010, many browser vendors (\[Microsoft-X-Frame-Options\]
and \[Mozilla-X-Frame-Options\]) introduced the use of a non-standard
HTTP \[RFC2616\] header field “X-Frame-Options” to protect against
clickjacking. Please check here
what’s the best option for your case.
x-permitted-cross-domain-policies
none
NA
NA
NA
x-request-id
4535cc47-f085-4bad-80ae-97aa50034956
NA
NA
NA
x-runtime
0.117140
NA
NA
NA
x-xss-protection
1; mode=block
TRUE
Use “X-XSS-Protection: 1; mode=block” whenever is possible (ref.
).
Reference
data(http_headers)
dplyr::glimpse(http_headers)
## Observations: 184
## Variables: 14
## $ header_field_name <chr> "A-IM", "Accept", "Accept-Additions", "Accept-Charset", "Accept-Datetime", "Accept-Encod…
## $ type_1 <chr> "Permanent", "Permanent", "Permanent", "Permanent", "Permanent", "Permanent", "Permanent…
## $ protocol <chr> "http", "http", "http", "http", "http", "http", "http", "http", "http", "http", "http", …
## $ status <chr> "", "standard", "", "standard", "informational", "standard", "", "standard", "", "standa…
## $ reference <chr> "https://tools.ietf.org/html/rfc3229#section-10.5.3", "https://tools.ietf.org/html/rfc72…
## $ type_2 <chr> "Request", "Request", "Request", "Request", "Request", "Request", "Request", "Request", …
## $ enable <lgl> FALSE, FALSE, FALSE, FALSE, FALSE, FALSE, FALSE, FALSE, TRUE, TRUE, FALSE, TRUE, FALSE, …
## $ required <lgl> NA, NA, NA, NA, NA, NA, NA, NA, TRUE, TRUE, NA, TRUE, NA, NA, NA, TRUE, NA, NA, NA, NA, …
## $ https <lgl> NA, NA, NA, NA, NA, NA, NA, NA, TRUE, TRUE, NA, TRUE, NA, NA, NA, TRUE, NA, NA, NA, NA, …
## $ security_description <chr> "", "", "", "", "", "", "", "", "Sometimes an HTTP intermediary might try to detect viru…
## $ security_reference <chr> "", "", "", "", "", "", "", "", "https://tools.ietf.org/html/rfc5789#section-5", "https:…
## $ recommendations <chr> "", "", "", "", "", "", "", "", "Antivirus software scans for viruses or worms.", "Serve…
## $ cwe <chr> "", "", "", "", "", "", "", "", "CWE-509: Replicating Malicious Code (Virus or Worm)", "…
## $ cwe_url <chr> "\r", "\r", "\r", "\r", "\r", "\r", "\r", "\r", "https://cwe.mitre.org/data/definitions/…
hdrs Metrics
| Lang | # Files | (%) | LoC | (%) | Blank lines | (%) | # Lines | (%) |
| :--- | -------: | ---: | --: | --: | ----------: | ---: | -------: | ---: |
| R | 11 | 0.92 | 186 | 0.9 | 37 | 0.57 | 85 | 0.63 |
| Rmd | 1 | 0.08 | 21 | 0.1 | 28 | 0.43 | 50 | 0.37 |
Code of Conduct
Please note that this project is released with a Contributor Code of
Conduct. By participating in this project you agree to
abide by its terms.
hrbrmstr/hdrs documentation built on May 23, 2019, 4 a.m.
R Package Documentation
Browse R Packages
We want your feedback!
Note that we can't provide technical support on individual packages. You should contact the package authors for that.
hdrs
Have Some Fun with ‘HTTP’ Headers
Description
Methods are provided to retrieve and test ‘HTTP’ headers from a website. An ‘HTTP’ request and response header reference/explanatory data frame is also provided via the ‘hsecsecan’ project (https://github.com/riramar/hsecscan)
What’s Inside The Tin
The following functions are implemented:
as.data.frame.insensitive: Turnhttr::headers()objects into a data frameassess_security_headers: Assess “security” headers for a given URLexplain_headers: Explain HTTP headers found from a URL requestexplore_app: A Shiny App for Exploring HTTP Headershttp_headers: HTTP Header Reference
Installation
install.packages("hdrs", repos = "https://cinc.rud.is/")
Usage
library(hdrs)
library(tibble) # for printing
# current version
packageVersion("hdrs")
## [1] '0.2.0'
httr::HEAD("https://rud.is/b") %>%
httr::headers() %>%
as.data.frame()
## # A tibble: 20 x 2
## name value
## <chr> <chr>
## 1 server nginx
## 2 date Wed, 06 Mar 2019 12:27:15 GMT
## 3 content-type text/html; charset=UTF-8
## 4 connection keep-alive
## 5 vary Accept-Encoding
## 6 set-cookie PHPSESSID=0f2uckd4t1tuf55hhecpk73i63; path=/
## 7 expires Thu, 07 Mar 2019 12:27:15 GMT
## 8 cache-control max-age=86400
## 9 pragma no-cache
## 10 link "<https://rud.is/b/wp-json/>; rel=\"https://api.w.org/\""
## 11 link <https://wp.me/23idr>; rel=shortlink
## 12 strict-transport-secu… max-age=31536000; includeSubDomains; preload
## 13 content-security-poli… default-src 'self' data: fonts.gstatic.com fonts.googleapis.com cdn.ampproject.org *.ampproje…
## 14 x-frame-options SAMEORIGIN
## 15 referrer-policy no-referrer-when-downgrade
## 16 feature-policy geolocation 'none';midi 'none';sync-xhr 'none';microphone 'none';camera 'none';magnetometer '…
## 17 x-powered-by <3
## 18 x-xss-protection 1; mode=block
## 19 x-content-type-options nosniff
## 20 content-encoding gzip
assess_security_headers("https://cran.r-project.org") %>%
dplyr::select(-url) %>%
gt::gt()
header
value
status\_code
message
access-control-allow-origin
NA
WARN
Header not set
content-security-policy
NA
WARN
Header not set
expect-ct
NA
WARN
Header not set
feature-policy
NA
WARN
Header not set
public-key-pins
NA
WARN
Header not set
referrer-policy
NA
WARN
Header not set
server
Apache/2.4.10 (Debian)
NOTE
Server header found
strict-transport-security
NA
WARN
Header not set
x-content-type-options
NA
WARN
Header not set
x-frame-options
NA
WARN
Header not set
x-permitted-cross-domain-policies
NA
WARN
Header not set
x-powered-by
NA
WARN
Header not set
x-xss-protection
NA
WARN
Header not set
Tsk, tsk…
assess_security_headers("https://rud.is/b") %>%
dplyr::select(-url) %>%
gt::gt()
header
value
status\_code
message
access-control-allow-origin
NA
WARN
Header not set
content-security-policy
default-src ‘self’ data: fonts.gstatic.com fonts.googleapis.com
cdn.ampproject.org *.ampproject.org *.w.org w.org wp.com sendpulse.com
gravatar.com *.wp.com *.sendpulse.com *.gravatar.com wordpress.com
*.wordpress.com ;
script-src ‘self’ data: ‘unsafe-inline’ ‘unsafe-eval’ fonts.gstatic.com
fonts.googleapis.com *.w.org w.org wp.com cdn.ampproject.org
*.ampproject.org sendpulse.com gravatar.com *.wp.com *.sendpulse.com
*.gravatar.com wordpress.com *.wordpress.com; style-src ‘self’ data:
‘unsafe-inline’ ‘unsafe-eval’ fonts.gstatic.com fonts.googleapis.com
*.w.org w.org wp.com *.sendpulse.com sendpulse.com *.gravatar.com
gravatar.com *.wp.com cdn.ampproject.org \*.ampproject.org;
OK
NOTE: Policy present but not parse
expect-ct
NA
WARN
Header not set
feature-policy
geolocation ‘none’;midi ‘none’;sync-xhr ‘none’;microphone ‘none’;camera
‘none’;magnetometer ‘none’;gyroscope ‘none’;speaker ‘self’;fullscreen
‘self’;payment ‘none’;
OK
Value present but not verified
public-key-pins
NA
WARN
Header not set
referrer-policy
no-referrer-when-downgrade
OK
Acceptable setting found
server
nginx
NOTE
Server header found
strict-transport-security
max-age=31536000; includeSubDomains; preload
OK
Value present but not evaluated
x-content-type-options
nosniff
OK
Acceptable setting found
x-frame-options
SAMEORIGIN
OK
Acceptable setting found
x-permitted-cross-domain-policies
NA
WARN
Header not set
x-powered-by
\<3
NOTE
X-Powered-By header present
x-xss-protection
1; mode=block
WARN
Required value (‘nosniff’) not present
Looks like I gots some ’splainin to do as well.
hdrs::explain_headers("https://community.rstudio.com/") %>%
dplyr::select(header,value, enable, security_reference, recommendations) %>%
gt::gt()
header
value
enable
security\_reference
recommendations
cache-control
no-cache, no-store
TRUE
Do not store unnecessarily sensitive information in the cache.
connection
keep-alive
FALSE
content-encoding
gzip
TRUE
Another suggested approach is to disable HTTP compression whenever the
referrer header indicates a cross-site request, or when the header is
not present. This approach allows effective mitigation of the attack
without losing functionality, only incurring a performance penalty on
affected requests.
content-security-policy
base-uri ‘none’; object-src ‘none’; script-src ‘unsafe-eval’
‘report-sample’
; worker-src ‘self’ blob:
TRUE
Read the reference and set according to your
case. This is not a easy job.
content-type
text/html; charset=utf-8
TRUE
Properly configure their origin server to provide the correct
Content-Type for a given representation.
date
Wed, 06 Mar 2019 12:27:24 GMT
FALSE
referrer-policy
strict-origin-when-cross-origin
NA
NA
NA
server
nginx
TRUE
An origin server SHOULD NOT generate a Server field containing
needlessly fine-grained detail and SHOULD limit the addition of
subproducts by third parties.
strict-transport-security
max-age=31536000
TRUE
Please at least read this reference:
.
vary
Accept-Encoding
FALSE
x-content-type-options
nosniff
TRUE
Always use the only defined value, “nosniff”.
x-discourse-route
list/latest
NA
NA
NA
x-download-options
noopen
NA
NA
NA
x-frame-options
SAMEORIGIN
TRUE
In 2009 and 2010, many browser vendors (\[Microsoft-X-Frame-Options\]
and \[Mozilla-X-Frame-Options\]) introduced the use of a non-standard
HTTP \[RFC2616\] header field “X-Frame-Options” to protect against
clickjacking. Please check here
what’s the best option for your case.
x-permitted-cross-domain-policies
none
NA
NA
NA
x-request-id
4535cc47-f085-4bad-80ae-97aa50034956
NA
NA
NA
x-runtime
0.117140
NA
NA
NA
x-xss-protection
1; mode=block
TRUE
Use “X-XSS-Protection: 1; mode=block” whenever is possible (ref.
).
Reference
data(http_headers)
dplyr::glimpse(http_headers)
## Observations: 184
## Variables: 14
## $ header_field_name <chr> "A-IM", "Accept", "Accept-Additions", "Accept-Charset", "Accept-Datetime", "Accept-Encod…
## $ type_1 <chr> "Permanent", "Permanent", "Permanent", "Permanent", "Permanent", "Permanent", "Permanent…
## $ protocol <chr> "http", "http", "http", "http", "http", "http", "http", "http", "http", "http", "http", …
## $ status <chr> "", "standard", "", "standard", "informational", "standard", "", "standard", "", "standa…
## $ reference <chr> "https://tools.ietf.org/html/rfc3229#section-10.5.3", "https://tools.ietf.org/html/rfc72…
## $ type_2 <chr> "Request", "Request", "Request", "Request", "Request", "Request", "Request", "Request", …
## $ enable <lgl> FALSE, FALSE, FALSE, FALSE, FALSE, FALSE, FALSE, FALSE, TRUE, TRUE, FALSE, TRUE, FALSE, …
## $ required <lgl> NA, NA, NA, NA, NA, NA, NA, NA, TRUE, TRUE, NA, TRUE, NA, NA, NA, TRUE, NA, NA, NA, NA, …
## $ https <lgl> NA, NA, NA, NA, NA, NA, NA, NA, TRUE, TRUE, NA, TRUE, NA, NA, NA, TRUE, NA, NA, NA, NA, …
## $ security_description <chr> "", "", "", "", "", "", "", "", "Sometimes an HTTP intermediary might try to detect viru…
## $ security_reference <chr> "", "", "", "", "", "", "", "", "https://tools.ietf.org/html/rfc5789#section-5", "https:…
## $ recommendations <chr> "", "", "", "", "", "", "", "", "Antivirus software scans for viruses or worms.", "Serve…
## $ cwe <chr> "", "", "", "", "", "", "", "", "CWE-509: Replicating Malicious Code (Virus or Worm)", "…
## $ cwe_url <chr> "\r", "\r", "\r", "\r", "\r", "\r", "\r", "\r", "https://cwe.mitre.org/data/definitions/…
hdrs Metrics
| Lang | # Files | (%) | LoC | (%) | Blank lines | (%) | # Lines | (%) | | :--- | -------: | ---: | --: | --: | ----------: | ---: | -------: | ---: | | R | 11 | 0.92 | 186 | 0.9 | 37 | 0.57 | 85 | 0.63 | | Rmd | 1 | 0.08 | 21 | 0.1 | 28 | 0.43 | 50 | 0.37 |
Code of Conduct
Please note that this project is released with a Contributor Code of Conduct. By participating in this project you agree to abide by its terms.
R Package Documentation
Browse R Packages
We want your feedback!
Note that we can't provide technical support on individual packages. You should contact the package authors for that.
Embedding an R snippet on your website
Add the following code to your website.
For more information on customizing the embed code, read Embedding Snippets.