humble

A humble, and fast, security-oriented HTTP headers analyzer







A quick analysis with 'humble'!

"ๅƒ้‡Œไน‹่กŒ๏ผŒๅง‹ๆ–ผ่ถณไธ‹ - ่€ๅญ"
("A journey of a thousand miles begins with a single step. - Lao Tzu")

"And if you don't keep your feet, there's no knowing where you might be swept off to. - Bilbo Baggins"

Table of contents

Features
Screenshots
Installation & Update (Source code)
Installation & Maintenance (Docker)
Installation & Update (Kali Linux)
Usage
Advanced Usage (Linux)
Unit tests
Checks: Missing Headers
Checks: Fingerprint Headers
Checks: Deprecated Headers and Insecure Values
Checks: Empty Values
Guidelines included
To-Do
Further Reading
Contribute
Acknowledgements
License

Features

โœ”๏ธ Covers 61 enabled security-related HTTP response headers.
โœ”๏ธ 15 checks for missing security-related HTTP response headers (the ones I consider essential).
โœ”๏ธ 1239 checks for fingerprinting through HTTP response headers.
โœ”๏ธ 155 checks for deprecated HTTP response headers/protocols or with insecure/wrong values.
โœ”๏ธ 28 checks related to Content Security Policy Level 3.
โœ”๏ธ Can check for compliance with the OWASP Secure Headers Project Best Practices.
โœ”๏ธ Can exclude specific HTTP response headers from the analysis.
โœ”๏ธ Can analyze raw response files: text files with HTTP response headers and values. Ex: curl option '--dump-header'.
โœ”๏ธ Can export each analysis to CSV, CSS3 & HTML5, JSON, PDF 1.4, TXT, XLSX (Excel 2007 onwards) and XML; and in a filename and path of your choice.
โœ”๏ธ Can check for outdated SSL/TLS protocols and vulnerabilities: requires the amazing testssl.sh.
โœ”๏ธ Can provide brief and detailed analysis along with HTTP response headers.
โœ”๏ธ Can use proxies for the analysis.
โœ”๏ธ Allows specifying custom HTTP request headers.
โœ”๏ธ Can output only analysis summary, totals and grade as JSON; suitable for CI/CD.
โœ”๏ธ Print browser support for enabled HTTP security headers, with data from Can I use.
โœ”๏ธ Highlights experimental headers in each analysis.
โœ”๏ธ Provides hundreds of relevant links to security resources, standards and technical blogs based on each analysis.
โœ”๏ธ Supports displaying analysis, messages, and most errors in English or Spanish.
โœ”๏ธ Saves each analysis, highlighting improvements or deficiencies compared to the previous one.
โœ”๏ธ Can display analysis statistics for a specific URL or across all of them.
โœ”๏ธ Can display fingerprint statistics for a specific term or the Top 20.
โœ”๏ธ Can display guidelines for enabling security HTTP response headers on popular frameworks, servers, and services.
โœ”๏ธ Provides basic unit tests to verify compatibility with your environment; requires pytest and pytest-cov.
โœ”๏ธ Classes and functions documented at Read the Docs.
โœ”๏ธ Code reviewed via Bandit, Flake8, pyinstrument, SonarQube for IDE and Sourcery.
โœ”๏ธ Tested, one by one, on thousands of URLs.
โœ”๏ธ Tested on Docker 26.1, Kali Linux 2021.1, macOS 14.2.1 and Windows 10 20H2.
โœ”๏ธ Almost all the code available under one of the most permissive licenses: MIT.
โœ”๏ธ Regularly updated.
โœ”๏ธ Minimal dependencies required.
โœ”๏ธ Developed entirely in my spare time, no strings attached: feel free to try it out and integrate it into your projects!.
โœ”๏ธ And with the approval of several AI ๐Ÿ˜„!.

Screenshots

.: (Windows) - Brief analysis.

.: (Linux) - Brief analysis along with HTTP response headers.

.: (Linux) - Detailed analysis, in Spanish.

.: (Linux) - Analysis of a raw response file. Example.

Tip

Generating a raw response file; requires curl 8.16 or higher:

curl --dump-header github_input_file.txt https://github.com --out-null -s

.: (Linux) - SSL/TLS checks; requires https://testssl.sh/ and a Linux/Unix client.

Tip

testssl.sh options used:

  • -f: checks robust forward secrecy key exchange
  • -g: checks several server implementation bugs
  • -p: checks the availability of SSL/TLS protocols
  • -U: tests all vulnerabilities, like Heartbleed, ROBOT and sweet32
  • -s: tests lists of cipher suites/categories by strength
  • -hints: (available in the future) gives hints on how to fix a finding

.: (Linux) - Custom HTTP request header.

.: (Linux) - Compliance with OWASP 'Secure Headers Project' best practices.

.: (Windows) - JSON summary of the analysis, suitable for CI/CD.

.: (Linux) - List of HTTP fingerprint headers based on a specific term.

.: (Windows) - Guidelines for enabling security HTTP response headers.

.: (Linux) - Brief analysis saved as CSV. Example.

.: (Windows) - Detailed analysis saved as PDF. Example.

.: (Linux) - Detailed analysis saved as HTML. Example.

.: (Linux) - Detailed analysis saved as JSON. Example.

.: (Linux) - Detailed analysis saved as XLSX. Example.

.: (Linux) - Brief analysis saved as XML. Example.

.: (Linux) - Analysis history file: Date, URL, Enabled, Missing, Fingerprint, Deprecated/Insecure, Empty headers & Total warnings (the four previous totals).

.: (Linux) - Statistics of the analysis performed against a specific URL.

.: (Linux) - Statistics of the analysis performed against all URLs, in Spanish.

.: (Windows) - Checking for updates.


Installation & update (Source code)

Note

Python 3.11 or higher is required.

# Install python3 and python3-pip:
# (Windows) https://www.python.org/downloads/windows/
# (Linux) if not available, install them: e.g. Synaptic, apt, dnf, yum ...
# (macOS) https://www.python.org/downloads/macos/

# Install Git:
# (Windows) https://git-scm.com/download/win
# (Linux) https://git-scm.com/download/linux
# (macOS) https://git-scm.com/download/mac

# Set up a virtual environment (pending how to do it in Windows), download 'humble' and its dependencies
# '/home/bluesman/humble_venv' is an example path for the virtual environment
$ python3 -m venv /home/bluesman/humble_venv
$ source /home/bluesman/humble_venv/bin/activate
$ cd /home/bluesman/humble_venv/
$ git clone https://github.com/rfc-st/humble.git
$ cd humble
$ pip3 install -r requirements.txt

# Analyze! :). Linux and Windows examples
$ python3 humble.py -u https://google.com
$ py humble.py -u https://google.com

# Good practice: deactivate the virtual environment after you have finished using 'humble'
$ deactivate

# Activate the virtual environment to analyze again with 'humble'
$ cd /home/bluesman/humble_venv/
$ source /home/bluesman/humble_venv/bin/activate
$ cd humble

# Updating 'humble' (weekly): activate the virtual environment and from 'humble' folder
$ git pull

# Updating 'humble' (Release): activate the virtual environment, download the latest source code file
# and decompress it in the 'humble' folder, overwriting files
https://github.com/rfc-st/humble/releases

Installation & maintenance (Docker)

Note

Python 3.11 will be used to build the image.

# Install Docker and ensure it is running:
# E.g. (Linux): https://www.kali.org/docs/containers/installing-docker-on-kali/
# E.g. (macOS): https://docs.docker.com/desktop/install/mac-install/
# E.g. (Windows): https://docs.docker.com/desktop/install/windows-install/

# Clone the repository or download the latest release
$ git clone https://github.com/rfc-st/humble.git
https://github.com/rfc-st/humble/releases

# Build the Docker image inside the 'humble' folder: providing the TAG as the latest Release of 'humble' (e.g. 1.56)
# https://github.com/rfc-st/humble/releases (On Windows, this may require running the terminal with admin privileges)
$ docker build -t humble:1.56 .

# Run the analysis specifying the above TAG, along with the specific options for 'humble':
# '-it', required: allocate a pseudo-TTY and keep input interactive.
# '--rm', required: automatically remove the container after it exits.

# (Linux/macOS)
# E.g. Analyze https://google.com (brief analysis)
$ docker run -it --rm --name humble humble:1.56 /bin/bash -c "python3 humble.py -u https://google.com -b"

# (Windows)
# E.g. Analyze https://google.com (detailed analysis)
$ docker run -it --rm --name humble humble:1.56 python3 humble.py -u https://google.com

# (Optional) Remove and untag the previous 'humble' image after upgrading
$ docker rmi humble:1.56

Installation & update (Kali Linux)

Note

Python 3.11 or higher is required.

# Verify that the output contains 'Homepage: https://github.com/rfc-st/humble'
$ apt show humble

# Install 'humble'
$ sudo apt install humble

# Analyze! :)
$ humble -u https://google.com

# Updating 'humble' (monthly)
$ sudo apt update
$ sudo apt install --only-upgrade humble

Usage

(Windows) $ py humble.py
(Linux)   $ python3 humble.py
(macOS)   $ python3 humble.py

usage: humble.py [-h] [-a] [-b] [-c] [-cicd] [-df] [-e [TESTSSL_PATH]] [-f [FINGERPRINT_TERM]] [-g] [-grd] [-H REQUEST_HEADER] [-if INPUT_FILE] [-l {es}] [-lic]
                 [-o {csv,html,json,pdf,txt,xlsx,xml}] [-of OUTPUT_FILE] [-op OUTPUT_PATH] [-p PROXY] [-r] [-s [SKIP_HEADERS ...]] [-u URL] [-ua USER_AGENT] [-v]

'humble' (HTTP Headers Analyzer) | https://github.com/rfc-st/humble | v.2025-12-06

options:
  -h, --help                           show this help message and exit
  -a                                   Print statistics of the performed analysis; if the '-u' parameter is omitted they will be global
  -b                                   Print overall findings; if omitted detailed ones will be printed
  -c                                   Checks URL response HTTP headers for compliance with OWASP 'Secure Headers Project' best practices
  -cicd                                Print only analysis summary, totals and grade in JSON; suitable for CI/CD
  -df                                  Do not follow redirects; if omitted the last redirection will be the one analyzed
  -e [TESTSSL_PATH]                    Print only TLS/SSL checks; requires the PATH of testssl (https://testssl.sh/)
  -f [FINGERPRINT_TERM]                Print fingerprint statistics; if 'FINGERPRINT_TERM' (E.g., 'Google') is omitted the top 20 results will be printed
  -g                                   Print guidelines for enabling security HTTP response headers on popular frameworks, servers and services
  -grd                                 Print the checks to grade an analysis, along with advice for improvement
  -H REQUEST_HEADER                    Adds REQUEST_HEADER to the request; must be in double quotes and can be used multiple times, e.g. -H "Host: example.com"
  -if INPUT_FILE                       Analyzes 'INPUT_FILE': must contain HTTP response headers and values separated by ': '; E.g., 'server: nginx'
  -l {es}                              Defines the language for displaying analysis, errors and messages; if omitted, will be printed in English
  -lic                                 Print the license for 'humble', along with permissions, limitations and conditions
  -o {csv,html,json,pdf,txt,xlsx,xml}  Exports analysis to 'humble_scheme_URL_port_yyyymmdd_hhmmss_language.ext' file
  -of OUTPUT_FILE                      Exports analysis to 'OUTPUT_FILE'; if omitted the default filename of the parameter '-o' will be used
  -op OUTPUT_PATH                      Exports analysis to 'OUTPUT_PATH'; must be absolute. If omitted the PATH of 'humble.py' will be used
  -p PROXY                             Use a proxy for the analysis. E.g., 'http://127.0.0.1:8080'. If no port is specified '8080' will be used
  -r                                   Print HTTP response headers and a detailed analysis; '-b' parameter will take priority
  -s [SKIP_HEADERS ...]                Skips 'deprecated/insecure' and 'missing' checks for the indicated 'SKIP_HEADERS' (separated by spaces)
  -u URL                               Scheme, host and port to analyze. E.g., https://google.com or https://google.com:443
  -ua USER_AGENT                       User-Agent ID from 'additional/user_agents.txt' file to use. '0' will print all and '1' is the default
  -v, --version                        Checks for updates at https://github.com/rfc-st/humble

examples:
  -u URL -a                            Print statistics of the analysis performed against the URL
  -u URL -b                            Analyzes the URL and prints overall findings
  -u URL -b -o csv                     Analyzes the URL and exports overall findings to CSV format
  -u URL -l es                         Analyzes the URL and prints (in Spanish) detailed findings
  -u URL -o pdf                        Analyzes the URL and exports detailed findings to PDF format
  -u URL -o html -of test              Analyzes the URL and exports detailed findings to HTML format and 'test' filename
  -u URL -o pdf -op D:/Tests           Analyzes the URL and exports detailed findings to PDF format and 'D:/Tests' path
  -u URL -p http://127.0.0.1:8080      Analyzes the URL using 'http://127.0.0.1:8080' as the proxy
  -u URL -r                            Analyzes the URL and prints detailed findings along with HTTP response headers
  -u URL -s ETag NEL                   Analyzes the URL and skips 'deprecated/insecure' and 'missing' checks for 'ETag' and 'NEL' headers
  -u URL -ua 4                         Analyzes the URL using the fourth User-Agent of 'additional/user_agents.txt' file
  -a -l es                             Print statistics (in Spanish) of the analysis performed against all URLs
  -f Google                            Print HTTP fingerprint headers related to the term 'Google'

want to contribute?:
  How to                               https://github.com/rfc-st/humble/blob/master/CONTRIBUTING.md
  References (classes and functions)   https://humble.readthedocs.io/en/latest/references.html
  Acknowledgements                     https://github.com/rfc-st/humble/#acknowledgements

Advanced usage (Linux)

.: Show only the deprecated headers/protocols and insecure values.

$ python3 humble.py -u https://en.wikipedia.org/ | sed -n '/\[4/,/^\[5/ { /^\[5/!p }' | sed '$d' | sed $'1i \n'

.: Check for HTTP client errors (4XX).

$ python3 humble.py -u https://my.prelude.software/demo/index.pl | grep -A1 -B5 'Note : \|Nota : ' --color=never

.: Analyze multiple URLs and save the results as PDFs; thanks Eduardo for this example!

$ datasets=('https://facebook.com' 'https://github.com' 'https://www.spacex.com'); for dataset in "${datasets[@]}"; do python3 humble.py -u "$dataset" -o pdf; done

Unit tests

Important

Before running unit tests and code coverage, make sure the tests directory has permission to create and delete files and folders; both functionalities require it.

.: (Linux) - All tests passed successfully (showing all messages in English).

$ cd <humble dir>
$ cd tests
$ python test_basic.py -l en

.: (Linux) - Code coverage (for now, it only works on Linux).

$ cd <humble dir>
$ cd tests
$ pytest test_basic.py --cov-config=.coveragerc --cov=.. --cov-report=html --tb=no -rA -q -v -W ignore
$ cd humble_coverage_report
Open the index.html file in a browser.

Note

After reviewing the code coverage you can delete all files and folders from the tests directory except for the .coveragerc, analysis_h.txt, headers_test_all.txt and test_basic.py files: if these files are deleted, the tests will fail.

Tip

pytest and pytest-cov parameters:

  • --cov-config=.coveragerc: Specifies the coverage configuration file
  • --cov=..: Specifies what code to measure coverage for
  • --cov-report=html: Defines the coverage report format
  • --tb=no: Does not show tracebacks for failed tests
  • -rA: Show all extra test summary info
  • -q: Quiet mode (during the analysis)
  • -v: Verbose mode (after the analysis)
  • -W ignore: Ignore all warnings during test execution

Checks: enabled headers

Check this file.

Checks: missing headers

Check this file.

Checks: fingerprint headers

Check this file.

Checks: deprecated headers/protocols and insecure values

Check this file.

Note

humble tries to be strict, both in checking HTTP response headers and their values; some of these headers may be experimental and you may not agree with all the results after analysis.

And that's OK! 😃; you should never blindly trust the results of security tools: there should be further work to decide whether the risk is non-existent, potential or real depending on the analyzed URL (its exposure, environment, etc.).

Checks: empty values

Any HTTP response header.
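
The three check families above (missing headers, deprecated/insecure values and empty values), together with the raw response file format accepted by '-if' (one 'name: value' pair per line, as written by curl's '--dump-header'), can be seen in miniature in the following Python script. It is an added example, not code from the 'humble' project: the input is a constructed curl capture of a redirect followed by a final response, and the "essential" header list, the deprecated-header list and the one-year HSTS threshold are this example's own assumptions (humble's real lists live in the files linked above).

```python
"""Toy analyzer for a curl '--dump-header' raw response file.

Added example, not humble's code: mirrors three of humble's check families
(missing headers, empty values, deprecated/insecure values) on constructed
input. Header sets and thresholds are this example's assumptions.
"""
import re

# Constructed sample: what 'curl --dump-header' writes when a redirect is
# followed. Blocks are separated by a blank line; the last one is analyzed.
SAMPLE_RAW_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://example.test/\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
    "HTTP/2 200\r\n"
    "content-type: text/html; charset=utf-8\r\n"
    "server: nginx\r\n"
    "strict-transport-security: max-age=86400\r\n"
    "x-frame-options: ALLOW-FROM https://partner.test\r\n"
    "x-xss-protection: 1; mode=block\r\n"
    "content-security-policy: \r\n"
    "referrer-policy: strict-origin-when-cross-origin\r\n"
    "\r\n"
)

# Assumed "essential" set for this example (humble's own list is larger).
ESSENTIAL = (
    "content-security-policy",
    "permissions-policy",
    "referrer-policy",
    "strict-transport-security",
    "x-content-type-options",
)

# Headers whose mere presence is deprecated (this example's selection).
DEPRECATED = ("expect-ct", "public-key-pins", "x-xss-protection")

ONE_YEAR = 31536000  # HSTS max-age recommended by the OWASP Secure Headers Project


def parse_raw_response(text):
    """Return the headers of the last response block as {lower-name: [values]}.

    Handles CRLF or LF endings, several blocks (a redirect chain), repeated
    headers and obsolete line folding (continuation lines starting with SP/HT).
    """
    blocks = [b for b in re.split(r"(?:\r?\n){2,}", text.strip()) if b.strip()]
    if not blocks:
        raise ValueError("no response block found")
    headers = {}
    last_name = None
    for line in blocks[-1].splitlines():
        if line.upper().startswith("HTTP/"):
            continue  # status line, not a header
        if line[:1] in (" ", "\t") and last_name:
            headers[last_name][-1] += " " + line.strip()  # folded continuation
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line!r}")
        last_name = name.strip().lower()
        headers.setdefault(last_name, []).append(value.strip())
    return headers


def analyze(headers):
    """Return findings keyed by check family (lists of header names/messages)."""
    findings = {"missing": [], "empty": [], "deprecated_or_insecure": []}
    findings["missing"] = [h for h in ESSENTIAL if h not in headers]
    findings["empty"] = sorted(h for h, vs in headers.items() if "" in vs)
    for h in DEPRECATED:
        if h in headers:
            findings["deprecated_or_insecure"].append(f"{h}: deprecated header")
    for v in headers.get("strict-transport-security", []):
        m = re.search(r"max-age\s*=\s*(\d+)", v, re.I)
        if m and int(m.group(1)) < ONE_YEAR:
            findings["deprecated_or_insecure"].append(
                f"strict-transport-security: max-age {m.group(1)} is below one year")
    for v in headers.get("x-frame-options", []):
        if v.upper().startswith("ALLOW-FROM"):
            findings["deprecated_or_insecure"].append(
                "x-frame-options: ALLOW-FROM is obsolete; use CSP frame-ancestors")
    return findings


if __name__ == "__main__":
    for family, items in analyze(parse_raw_response(SAMPLE_RAW_RESPONSE)).items():
        print(f"[{family}] {len(items)}")
        for item in items:
            print("  -", item)
```

Only the last block is analyzed, matching the behaviour described for '-df' being omitted (the final redirection is the one checked); pass '-df' to humble, or keep only the first block, when the intermediate response is the one of interest.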

Guidelines included to enable security HTTP headers

  • Amazon Web Services
  • Angular
  • Apache HTTP Server
  • Cloudflare
  • LiteSpeed Web Server
  • Microsoft Internet Information Services
  • Nginx
  • Node.js
  • Spring
  • WordPress

To-Do

  • Add more Header/Value checks (only security-oriented)

Further reading

Contribute

Thanks for downloading 'humble', for trying it and for your time!

Acknowledgements

License

MIT © 2020-2025 Rafa 'Bluesman' Faura (rafael.fcucalon@gmail.com)
Original Creator - Rafa 'Bluesman' Faura (rafael.fcucalon@gmail.com)