Home page logo
Zenmap screenshot
Intro Reference Guide Book Install Guide
Download Changelog Zenmap GUI Docs
Bug Reports OS Detection Propaganda Related Projects
In the Movies In the News
Example Nmap output

File http-security-headers

Script types: portrule
Categories: discovery, safe
Download: https://svn.nmap.org/nmap/scripts/http-security-headers.nse

User Summary

Checks for the HTTP response headers related to security given in OWASP Secure Headers Project and gives a brief description of the header and its configuration value.

The script requests the server for the header with http.head and parses it to list headers founds with their configurations. The script checks for HSTS(HTTP Strict Transport Security), HPKP(HTTP Public Key Pins), X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, Content-Security-Policy, X-Permitted-Cross-Domain-Policies, Set-Cookie, Expect-CT, Cache-Control, Pragma and Expires.

References: https://www.owasp.org/index.php/OWASP_Secure_Headers_Project https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers

Script Arguments


The URL path to request. The default path is "/".


See the documentation for the slaxml library.

http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

Example Usage

nmap -p <port> --script http-security-headers <target>

Script Output

80/tcp open  http    syn-ack
| http-security-headers:
|   Strict_Transport_Security:
|     Header: Strict-Transport-Security: max-age=15552000; preload
|   Public_Key_Pins_Report_Only:
|     Header: Public-Key-Pins-Report-Only: max-age=500; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; pin-sha256="q4PO2G2cbkZhZ82+JgmRUyGMoAeozA+BSXVXQWB8XWQ="; report-uri="http://reports.fb.com/hpkp/"
|   X_Frame_Options:
|     Header: X-Frame-Options: DENY
|     Description: The browser must not display this content in any frame.
|   X_XSS_Protection:
|     Header: X-XSS-Protection: 0
|     Description: The XSS filter is disabled.
|   X_Content_Type_Options:
|     Header: X-Content-Type-Options: nosniff
|     Will prevent the browser from MIME-sniffing a response away from the declared content-type.
|   Content-Security-Policy:
|     Header: Content-Security-Policy: script-src 'self'
|     Description: Loading policy for all resources type in case of a resource type dedicated directive is not defined (fallback).
|   X-Permitted-Cross-Domain-Policies:
|     Header: X-Permitted-Cross-Domain-Policies: none
|     Description : No policy files are allowed anywhere on the target server, including this master policy file.
|   Cache_Control:
|     Header: Cache-Control: private, no-cache, no-store, must-revalidate
|   Pragma:
|     Header: Pragma: no-cache
|   Expires:
|_    Header: Expires: Sat, 01 Jan 2000 00:00:00 GMT



  • Icaro Torres
  • Vinamra Bhatia

License: Same as Nmap--See https://nmap.org/book/man-legal.html

Nmap Site Navigation

Intro Reference Guide Book Install Guide
Download Changelog Zenmap GUI Docs
Bug Reports OS Detection Propaganda Related Projects
In the Movies In the News
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]