Script http-security-headers

Script types: portrule
Categories: discovery, safe
Download: https://svn.nmap.org/nmap/scripts/http-security-headers.nse

Script Summary

Checks for the security-related HTTP response headers listed in the OWASP Secure Headers Project and gives a brief description of each header and its configured value.

The script sends a HEAD request to the server with http.head and parses the response to list the headers found together with their configuration. The script checks for HSTS (HTTP Strict Transport Security), HPKP (HTTP Public Key Pins), X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, Content-Security-Policy, X-Permitted-Cross-Domain-Policies, Set-Cookie, Expect-CT, Cache-Control, Pragma and Expires.
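The following is an added example and not the Nmap script itself (which is written in Lua and uses the NSE http library). It reproduces the script's logic offline: instead of issuing a HEAD request it parses a raw HTTP response head supplied as a string, looks for the same set of headers, and prints a short description of each configured value. The SAMPLE_RESPONSE string is a constructed sample modelled on the header values in the Script Output section below, not a capture from a real host; the function names and the wording of the descriptions are this example's own.

```python
"""Offline checker for the security response headers the http-security-headers
NSE script reports on. Added example, not the Nmap script: it parses a raw HTTP
response head from a string (constructed sample below) instead of sending a
HEAD request, so it runs without a network.
"""
from __future__ import annotations

# Headers the NSE script looks for, per its description (lower-cased for lookup).
SECURITY_HEADERS = (
    "strict-transport-security", "public-key-pins", "public-key-pins-report-only",
    "x-frame-options", "x-xss-protection", "x-content-type-options",
    "content-security-policy", "x-permitted-cross-domain-policies",
    "set-cookie", "expect-ct", "cache-control", "pragma", "expires",
)

# Constructed sample response head, modelled on the values shown in the
# Script Output section; it is not a capture from any real host.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=15552000; preload\r\n"
    "X-Frame-Options: DENY\r\n"
    "X-XSS-Protection: 0\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Content-Security-Policy: script-src 'self'\r\n"
    "X-Permitted-Cross-Domain-Policies: none\r\n"
    "Set-Cookie: sid=abc123; Path=/; HttpOnly\r\n"
    "Cache-Control: private, no-cache, no-store, must-revalidate\r\n"
    "Pragma: no-cache\r\n"
    "Expires: Sat, 01 Jan 2000 00:00:00 GMT\r\n"
    "\r\n"
)


def parse_headers(raw: str) -> dict[str, list[str]]:
    """Parse a raw HTTP response head into {lower-case name: [values]}.
    Repeated headers (e.g. Set-Cookie) are kept as a list; the status line is
    skipped and the first blank line ends the header block."""
    headers: dict[str, list[str]] = {}
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:
        if not line.strip():
            break
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a header line; ignore rather than fail
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_directives(value: str) -> dict[str, str | None]:
    """Split 'max-age=15552000; preload' into {'max-age': '15552000', 'preload': None}."""
    out: dict[str, str | None] = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            key, sep, val = part.partition("=")
            out[key.strip().lower()] = val.strip().strip('"') if sep else None
    return out


def describe(name: str, value: str) -> str:
    """Brief description of a header's configuration, as the script prints one."""
    low = value.lower()
    if name == "strict-transport-security":
        d = parse_directives(low)
        age = d.get("max-age")
        if not age or not age.isdigit():
            return "HSTS present but max-age is missing or malformed."
        extras = [f for f in ("includesubdomains", "preload") if f in d]
        suffix = " (" + ", ".join(extras) + ")" if extras else ""
        return f"HTTPS enforced for {int(age)} seconds{suffix}."
    if name == "x-frame-options":
        return {"deny": "The browser must not display this content in any frame.",
                "sameorigin": "Framing is allowed only from the same origin."
                }.get(low, f"Unrecognised value '{value}'.")
    if name == "x-xss-protection":
        return ("The XSS filter is disabled." if low.split(";")[0].strip() == "0"
                else "Legacy XSS filter enabled.")
    if name == "x-content-type-options":
        return ("Will prevent the browser from MIME-sniffing a response away from the declared content-type."
                if low == "nosniff" else f"Unrecognised value '{value}'.")
    if name == "content-security-policy":
        names = [p.split()[0] for p in low.split(";") if p.strip()]
        return ("default-src fallback defined." if "default-src" in names
                else "No default-src fallback; undeclared resource types are unrestricted.")
    if name == "set-cookie":
        flags = parse_directives(low)
        missing = [f for f in ("secure", "httponly") if f not in flags]
        return "Cookie has Secure and HttpOnly." if not missing else "Cookie missing: " + ", ".join(missing) + "."
    return "Header present."


def check_headers(raw: str) -> dict[str, object]:
    """Return the security headers present (with descriptions) and those absent."""
    found = parse_headers(raw)
    present = {n: [(v, describe(n, v)) for v in found[n]] for n in SECURITY_HEADERS if n in found}
    missing = [n for n in SECURITY_HEADERS if n not in found]
    return {"present": present, "missing": missing}


if __name__ == "__main__":
    result = check_headers(SAMPLE_RESPONSE)
    for name, entries in result["present"].items():
        for value, desc in entries:
            print(f"{name}: {value}\n    {desc}")
    print("missing:", ", ".join(result["missing"]))
```

Unlike the NSE script, this version also reports which of the expected headers are absent, which is usually the more useful finding when reviewing a server's configuration.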

References:

  • https://www.owasp.org/index.php/OWASP_Secure_Headers_Project
  • https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers

Script Arguments

http-security-headers.path

The URL path to request. The default path is "/".

slaxml.debug

See the documentation for the slaxml library.

http.host, http.max-body-size, http.max-cache-size, http.max-pipeline, http.pipeline, http.truncated-ok, http.useragent

See the documentation for the http library.

smbdomain, smbhash, smbnoguest, smbpassword, smbtype, smbusername

See the documentation for the smbauth library.

Example Usage

nmap -p <port> --script http-security-headers <target>

Script Output

80/tcp open  http    syn-ack
| http-security-headers:
|   Strict_Transport_Security:
|     Header: Strict-Transport-Security: max-age=15552000; preload
|   Public_Key_Pins_Report_Only:
|     Header: Public-Key-Pins-Report-Only: max-age=500; pin-sha256="WoiWRyIOVNa9ihaBciRSC7XHjliYS9VwUGOIud4PB18="; pin-sha256="r/mIkG3eEpVdm+u/ko/cwxzOMo1bk4TyHIlByibiA5E="; pin-sha256="q4PO2G2cbkZhZ82+JgmRUyGMoAeozA+BSXVXQWB8XWQ="; report-uri="http://reports.fb.com/hpkp/"
|   X_Frame_Options:
|     Header: X-Frame-Options: DENY
|     Description: The browser must not display this content in any frame.
|   X_XSS_Protection:
|     Header: X-XSS-Protection: 0
|     Description: The XSS filter is disabled.
|   X_Content_Type_Options:
|     Header: X-Content-Type-Options: nosniff
|     Will prevent the browser from MIME-sniffing a response away from the declared content-type.
|   Content-Security-Policy:
|     Header: Content-Security-Policy: script-src 'self'
|     Description: Loading policy for all resources type in case of a resource type dedicated directive is not defined (fallback).
|   X-Permitted-Cross-Domain-Policies:
|     Header: X-Permitted-Cross-Domain-Policies: none
|     Description : No policy files are allowed anywhere on the target server, including this master policy file.
|   Cache_Control:
|     Header: Cache-Control: private, no-cache, no-store, must-revalidate
|   Pragma:
|     Header: Pragma: no-cache
|   Expires:
|_    Header: Expires: Sat, 01 Jan 2000 00:00:00 GMT

Requires


Authors:

  • Icaro Torres
  • Vinamra Bhatia

License: Same as Nmap--See https://nmap.org/book/man-legal.html