How to check website security headers in Python

Website security headers are HTTP response headers that a web server sends to instruct the browser on how to handle security-relevant aspects of a page. They give the browser rules that mitigate common web vulnerabilities (flaws or weaknesses in the application's security) and protect the website and its visitors from threats (events that could exploit those vulnerabilities).

Security headers play a critical role in implementing best practices for web security. Here are some commonly used security headers:

  • Content Security Policy (CSP): The CSP header declares which sources of content (scripts, styles, images, frames) a page is allowed to load. It helps prevent cross-site scripting (XSS) by blocking scripts from origins that are not on the allowlist, and, when the policy does not permit 'unsafe-inline', by blocking injected inline scripts as well.

  • X-Content-Type-Options: With the value nosniff, this header stops browsers from guessing the content type of a resource and forces them to honour the declared Content-Type. That reduces the risk of MIME-sniffing attacks, where a browser interprets a file as a different type than intended (for example, treating an uploaded file as executable script).

  • X-Frame-Options: It helps prevent clickjacking by controlling whether a page may be displayed inside a frame or iframe. The values DENY and SAMEORIGIN are honoured; ALLOW-FROM is obsolete and ignored by current browsers, which treat an unrecognised value as if the header were absent. The CSP frame-ancestors directive is the modern replacement and takes precedence when both are present.

  • X-XSS-Protection: This legacy header enabled or disabled the built-in reflective-XSS filter of older browsers. Current browsers have removed that filter (Chrome and Edge dropped it; Firefox never implemented it), so the header no longer provides protection. If it is sent at all, the recommended value is 0; a strong CSP is the replacement.

  • HTTP Strict Transport Security (HSTS): The Strict-Transport-Security header tells a browser that has received it over HTTPS to use only HTTPS for that host for max-age seconds (optionally including subdomains), which blocks downgrade-style man-in-the-middle (MitM) attacks on later visits. It does not protect the very first plain-HTTP request unless the domain is on the browser preload list.

  • Referrer-Policy: This header controls how much information is included in the HTTP Referer header (which carries the URL of the page that linked to the current request), helping to protect user privacy and keep path and query-string data from leaking to other origins.

  • Feature-Policy: This header defines which web platform features (camera, microphone, geolocation, and so on) a page and its embedded frames may use. It has been renamed Permissions-Policy, with a new syntax; current browsers honour the new header, so sites should send Permissions-Policy rather than relying on Feature-Policy alone.

When appropriately configured, these headers harden a website by giving the browser strict rules for loading and embedding content and for which connections it may use. They complement, rather than replace, secure server-side code. We can write code to verify which of these headers a website sends as a first step in assessing its configuration.

Code

import requests

def check_security_headers(url):
    try:
        response = requests.head(url, allow_redirects=True)  # HEAD returns headers only, no body

        headers = response.headers  # CaseInsensitiveDict of the final response's headers

        security_headers = [
            "Content-Security-Policy",
            "X-Content-Type-Options",
            "X-Frame-Options",
            "X-XSS-Protection",
            "Strict-Transport-Security",
            "Referrer-Policy",
            "Feature-Policy",
        ]

        for key, value in headers.items():
            print(key, ":", value)

        missing_headers = [header for header in security_headers if header not in headers]  # membership test is case-insensitive

        if not missing_headers:
            return f"The website at {url} has all required security headers in place."
        else:
            return f"The website at {url} is missing the following security headers: {', '.join(missing_headers)}"

    except Exception as e:
        return f"An error occurred: {str(e)}"

url = 'https://www.educative.io'
result = check_security_headers(url)
print(result)
  • Line 1: We import the requests library to make HTTP requests to web services, websites, and APIs.

  • Lines 3–4: We define the check_security_headers(url) function and use a try/except block to handle unexpected errors.

  • Line 5: We use the head method to send an HTTP HEAD request (which retrieves only the headers of the resource, without its body) to the given URL. We set allow_redirects to True so that the requests library follows any redirects and returns the headers of the final response. Note that a server is not obliged to send the same headers for HEAD as for GET, so a stricter check would compare both.

  • Line 7: We assign the headers of an HTTP response to the headers variable using response.headers, which is an attribute of the HTTP response object containing the headers sent by the web server as part of the HTTP response.

  • Lines 9–17: We specify the name of the security headers that we want to check.

  • Lines 19–20: We display the complete set of HTTP response headers and their values.

  • Line 22: We construct a missing_headers list using a list comprehension. It checks each name in the security_headers list and includes it in missing_headers if that name is not present in headers. Because response.headers is a case-insensitive dictionary, the lookup matches regardless of how the server capitalises header names.

  • Lines 24–27: We check if the missing_headers list is empty or not; if empty, it states that all the required security headers are in place; otherwise, it lists the names of missing headers.

  • Lines 29–30: If an exception occurs during the execution of the code within the try block (for example, a DNS failure or a connection error), we catch it and return the error message instead of a result.

  • Lines 32–34: We set a url variable with the value, https://www.educative.io, and call a check_security_headers() function with the specified url as an argument to check the security headers of the website. Finally, we print the result returned by the function.
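The script above only tests whether a header name is present, so a site sending Strict-Transport-Security: max-age=0, X-Frame-Options: ALLOW-FROM ..., or a CSP of default-src * 'unsafe-inline' would still be reported as fully configured. The following is an added example, not part of Educative's lesson, that audits header values as well and runs offline against two constructed header sets (WEAK_HEADERS and HARDENED_HEADERS are made up for the demo, and HSTS_MIN_AGE is this example's own threshold, taken from the 180-day minimum the HSTS preload list requires). It also departs from the presence-only check in two places: a non-zero X-XSS-Protection value is flagged as legacy rather than required, and Feature-Policy is treated as superseded by Permissions-Policy.

```python
import re
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]  # (header, severity, explanation); severities: high, medium, low, info
HSTS_MIN_AGE = 15552000  # 180 days: the preload-list minimum, used here as this example's bar


def _csp_directives(csp: str) -> Dict[str, List[str]]:
    """Split "default-src 'self'; script-src 'self' cdn.example" into {directive: [sources]}."""
    out: Dict[str, List[str]] = {}
    for chunk in csp.split(";"):
        parts = chunk.split()
        if parts:
            out[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return out


def audit_headers(headers: Dict[str, str]) -> List[Finding]:
    """Check presence and values; lookups are case-insensitive, so response.headers can be passed as-is."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings: List[Finding] = []

    def add(name: str, sev: str, msg: str) -> None:
        findings.append((name, sev, msg))

    # CSP: presence proves little; 'unsafe-inline' without a nonce/hash, or a wildcard, still lets injected scripts run.
    csp = h.get("content-security-policy")
    directives = _csp_directives(csp) if csp is not None else {}
    script_src = directives.get("script-src", directives.get("default-src"))
    if csp is None:
        add("Content-Security-Policy", "high", "missing")
    elif script_src is None:
        add("Content-Security-Policy", "high", "no script-src or default-src; script origins are unrestricted")
    else:
        if "'unsafe-inline'" in script_src and not any(s.startswith(("'nonce-", "'sha")) for s in script_src):
            add("Content-Security-Policy", "medium", "script-src allows 'unsafe-inline' without a nonce or hash")
        if "*" in script_src:
            add("Content-Security-Policy", "medium", "script-src allows any origin (*)")

    xcto = h.get("x-content-type-options")
    if xcto is None or xcto.lower() != "nosniff":
        add("X-Content-Type-Options", "low", "missing or not 'nosniff'; MIME sniffing stays enabled")

    # Clickjacking: CSP frame-ancestors supersedes X-Frame-Options, and ALLOW-FROM is obsolete.
    xfo = h.get("x-frame-options")
    if xfo is None and "frame-ancestors" not in directives:
        add("X-Frame-Options", "medium", "missing and no CSP frame-ancestors; the page can be framed")
    elif xfo is not None and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        add("X-Frame-Options", "medium", f"{xfo!r} is obsolete or invalid and ignored by browsers; use frame-ancestors")

    # The XSS auditor this header controlled is gone from current browsers; 0 (or no header) is the safe state.
    xxp = h.get("x-xss-protection")
    if xxp is not None and not xxp.startswith("0"):
        add("X-XSS-Protection", "info", "legacy filter; set to 0 or remove the header")

    hsts = h.get("strict-transport-security")
    if hsts is None:
        add("Strict-Transport-Security", "high", "missing; later visits are not pinned to HTTPS")
    else:
        m = re.search(r'max-age\s*=\s*"?(\d+)', hsts, re.IGNORECASE)
        max_age = int(m.group(1)) if m else 0
        if max_age < HSTS_MIN_AGE:
            add("Strict-Transport-Security", "high" if max_age == 0 else "medium",
                f"max-age {max_age} is below {HSTS_MIN_AGE}" if max_age else "max-age is 0 or unparsable; HSTS is off")
        if "includesubdomains" not in hsts.lower():
            add("Strict-Transport-Security", "low", "includeSubDomains not set")

    # Referrer-Policy may list comma-separated fallbacks; the last recognised token wins.
    rp = h.get("referrer-policy")
    if rp is None:
        add("Referrer-Policy", "low", "missing; the browser default applies")
    elif rp.lower().split(",")[-1].strip() in ("unsafe-url", "no-referrer-when-downgrade"):
        add("Referrer-Policy", "low", f"{rp!r} sends the full URL to other origins")

    # Feature-Policy was renamed Permissions-Policy; current browsers honour the new name.
    if "permissions-policy" not in h:
        if "feature-policy" in h:
            add("Feature-Policy", "info", "superseded by Permissions-Policy; send the new header too")
        else:
            add("Permissions-Policy", "low", "missing; powerful features (camera, geolocation) are unrestricted")
    return findings


def grade(findings: List[Finding]) -> str:
    """'fail' on any high or medium finding; low and info are advisory."""
    return "fail" if any(sev in ("high", "medium") for _, sev, _ in findings) else "pass"


# Constructed sample responses for the offline demo (not captured from any real site).
WEAK_HEADERS = {
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
    "X-XSS-Protection": "1; mode=block",
    "Strict-Transport-Security": "max-age=300",
    "Referrer-Policy": "unsafe-url",
    "Feature-Policy": "camera 'none'",
}
HARDENED_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "0",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), geolocation=()",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("hardened", HARDENED_HEADERS)):
        found = audit_headers(hdrs)
        print(label, grade(found), *[f"\n  [{s}] {n}: {m}" for n, s, m in found])
```

To run this against a live site, pass dict(response.headers) from a requests.get(url, allow_redirects=True, timeout=10) response rather than from a HEAD request: a timeout keeps a stalled server from hanging the check, and some servers or CDNs attach security headers only to GET responses. The weak sample yields nine findings and a "fail" grade; the hardened sample yields none.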

Copyright ©2025 Educative, Inc. All rights reserved