HEADY is a Python-based CLI tool for scanning HTTP response security headers. It detects missing headers, validates header configuration, assigns severity, and optionally exports reports for further analysis.
The tool is designed to run cleanly on Windows and Linux terminals.
Features:
- Command-line interface with banner and scan status
- Fetches HTTP(S) response headers
- Detects missing security headers
- Validates configuration of present headers
- Status per header:
  - OK
  - WARN
  - FAIL
  - MISSING
- Severity levels:
  - HIGH
  - MEDIUM
  - LOW
  - INFO
- Optional report export:
  - Text
  - CSV
  - Excel
- Meaningful exit codes for automation and CI usage
Headers checked:
- Strict-Transport-Security (HSTS)
- Content-Security-Policy (CSP)
- X-Content-Type-Options
- X-Frame-Options
- Referrer-Policy
- Permissions-Policy
- Cross-Origin-Resource-Policy (CORP)
- Cross-Origin-Opener-Policy (COOP)
- X-XSS-Protection (legacy, informational)
Installation:

```bash
python -m pip install --upgrade pip
python -m pip install -r requirements.txt
```

Usage:

```bash
heady https://example.com
```
Report export (only one export format can be selected per run):

Text:

```bash
heady https://example.com -text
```

Creates `shs_report_<hostname>.txt`.

CSV:

```bash
heady https://example.com -csv
```

Creates `shs_report_<hostname>.csv`.

Excel:

```bash
heady https://example.com -excel
```

Creates `shs_report_<hostname>.xlsx`.

Excel export requires:
- pandas
- openpyxl
Exit codes:

| Code | Meaning |
|------|---------|
| 0 | All HIGH and MEDIUM severity headers are present and not marked FAIL. |
| 1 | One or more HIGH or MEDIUM severity headers are MISSING or FAIL. |
This makes HEADY suitable for CI/CD pipelines and automated security checks.
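As an added illustration of the per-header status and exit-code contract described above (example code written for this page, not HEADY's own implementation): it scores a header set against several of the listed headers and derives the 0/1 exit code. The validators, the HSTS max-age threshold and the severity assignments are this example's assumptions.

```python
from typing import Callable, Dict, List, Tuple

# Validators return "OK", "WARN" or "FAIL" for a header that is present.
# Thresholds and severities below are this example's assumptions, not HEADY's.
def _hsts(v: str) -> str:
    parts = [p.strip().lower() for p in v.split(";")]
    age = next((p[8:] for p in parts if p.startswith("max-age=")), "")
    if not age.isdigit() or int(age) < 15552000:  # missing or under ~180 days
        return "FAIL"
    return "OK" if "includesubdomains" in parts else "WARN"

def _csp(v: str) -> str:
    v = v.lower()
    if "default-src" not in v:
        return "FAIL"
    return "WARN" if "'unsafe-inline'" in v or "'unsafe-eval'" in v else "OK"

def _one_of(*allowed: str) -> Callable[[str], str]:
    return lambda v: "OK" if v.strip().lower() in allowed else "FAIL"

CHECKS = [  # (header, severity, validator)
    ("Strict-Transport-Security", "HIGH", _hsts),
    ("Content-Security-Policy", "HIGH", _csp),
    ("X-Content-Type-Options", "MEDIUM", _one_of("nosniff")),
    ("X-Frame-Options", "MEDIUM", _one_of("deny", "sameorigin")),
    ("Referrer-Policy", "LOW", _one_of("no-referrer", "strict-origin-when-cross-origin")),
    ("Cross-Origin-Resource-Policy", "LOW", _one_of("same-origin", "same-site")),
]

def evaluate(headers: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (header, severity, status); header names match case-insensitively."""
    lower = {k.lower(): v for k, v in headers.items()}
    out = []
    for name, sev, check in CHECKS:
        val = lower.get(name.lower())
        out.append((name, sev, "MISSING" if val is None else check(val)))
    return out

def exit_code(results: List[Tuple[str, str, str]]) -> int:
    """1 if any HIGH/MEDIUM header is MISSING or FAIL, else 0 (the CI contract above)."""
    return int(any(s in ("HIGH", "MEDIUM") and st in ("MISSING", "FAIL")
                   for _, s, st in results))

# Constructed sample response headers (not captured from any real host).
SAMPLE = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "unsafe-url",
}
```

Passing `dict(response.headers)` from a live `requests` response to `evaluate()` scores a real response the same way; the sample above yields exit code 1 because X-Frame-Options (MEDIUM) is missing.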
Limitations:
- HEADY analyzes HTTP response headers only.
- It does not inspect HTML meta tags, JavaScript, or browser runtime behavior.
- Results represent header-level security posture, not full application security.
MIT License