GitHub - rfc-st/humble: A humble, and fast, security-oriented HTTP headers analyzer.


A humble, and fast, security-oriented HTTP headers analyzer

Features

✔️ Covers 62 enabled security-related HTTP response headers.
✔️ 15 checks for missing security-related HTTP response headers (the ones I consider essential).
✔️ 1278 checks for fingerprinting through HTTP response headers.
✔️ 158 checks for deprecated HTTP response headers/protocols or with insecure/wrong values.
✔️ 28 checks related to Content Security Policy Level 3.
✔️ Can check for compliance with the OWASP Secure Headers Project Best Practices.
✔️ Can exclude specific HTTP response headers from the analysis.
✔️ Can analyze raw response files: text files with HTTP response headers and values. Ex: curl option '--dump-header'.
✔️ Can export each analysis to CSV, CSS3 & HTML5, JSON, PDF, TXT, XLSX (Excel 2007 onwards) and XML; and in a filename and path of your choice.
✔️ Can check for outdated SSL/TLS protocols and vulnerabilities: requires the amazing testssl.sh.
✔️ Can provide brief and detailed analysis along with HTTP response headers.
✔️ Can use proxies for the analysis.
✔️ Allows specifying custom HTTP request headers.
✔️ Can output only analysis summary, totals and grade as JSON; suitable for CI/CD.
✔️ Print browser support for enabled HTTP security headers, with data from Can I use.
✔️ Highlights experimental headers in each analysis.
✔️ Provides hundreds of relevant links to security resources, standards and technical blogs based on each analysis.
✔️ Supports displaying analysis, messages, and most errors in English or Spanish.
✔️ Saves each analysis, highlighting improvements or deficiencies compared to the previous one.
✔️ Can display analysis statistics for a specific URL or across all of them.
✔️ Can display fingerprint statistics for a specific term or the Top 20.
✔️ Can display guidelines for enabling security HTTP response headers on popular frameworks, servers, and services.
✔️ Provides dozens of unit tests to verify compatibility with your environment; requires pytest and pytest-cov.
✔️ Classes and functions documented at Read the Docs.
✔️ Code regularly audited with several quality, style and security tools.
✔️ Tested, one by one, on thousands of URLs.
✔️ Tested on Docker 26.1, Kali Linux 2021.1, macOS 14.2.1 and Windows 10 20H2.
✔️ Almost all the code available under one of the most permissive licenses: MIT.
✔️ Regularly updated.
✔️ Minimal dependencies required.
✔️ Developed entirely in my spare time, no strings attached: feel free to try it out and integrate it into your projects!
✔️ And with the approval of several AI 😄!

Screenshots

.: (Windows) - Brief analysis.

.: (Linux) - Brief analysis along with HTTP response headers.

.: (Linux) - Detailed analysis, in Spanish.

.: (Linux) - Analysis of a raw response file. Example.

Tip

Generating a raw response file; requires curl 8.16 or higher:

curl --dump-header github_input_file.txt https://github.com --out-null -s
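
As an added example (not code from the humble project), the following Python parses a raw response file in the format `curl --dump-header` writes, which is what the '-if' option reads, and runs a handful of checks of the kinds the README lists: missing essential headers, fingerprint headers, deprecated/insecure values and empty values, summed into a 'Total warnings' figure like the one in the analysis history file. The constructed sample response, the short ESSENTIAL and FINGERPRINT lists, the one-year HSTS threshold and every rule are this example's own assumptions, not humble's checks; a file holding a whole redirect chain is reduced to its last response, since that is the hop an analysis of the landing URL needs.

```python
"""Added example, not code from the humble project: parse a raw HTTP
response file (the format `curl --dump-header` writes, and what humble's
'-if' option reads) and run a few checks of the kinds the README lists.
The sample response, the ESSENTIAL list, the HSTS threshold and every
rule below are this example's own assumptions, not humble's rules."""
import re
from typing import Dict, List

# Constructed sample response; the values are deliberately weak so that
# every finding category below has at least one hit.
SAMPLE_RAW_RESPONSE = """HTTP/1.1 200 OK
Server: nginx/1.18.0
Date: Mon, 01 Jan 2024 00:00:00 GMT
Content-Type: text/html; charset=utf-8
Strict-Transport-Security: max-age=3600
X-Frame-Options: ALLOW-FROM https://example.test
X-Powered-By: PHP/7.4.3
Content-Security-Policy: default-src 'self' 'unsafe-inline'
Referrer-Policy: no-referrer
Set-Cookie: session=abc123; Path=/
X-Custom-Empty:

"""

ESSENTIAL = [  # assumption: a short list, not humble's 15 missing-header checks
    "content-security-policy", "permissions-policy", "referrer-policy",
    "strict-transport-security", "x-content-type-options", "x-frame-options",
]
FINGERPRINT = ["server", "x-powered-by", "x-aspnet-version"]  # assumption
MIN_HSTS_MAX_AGE = 31_536_000  # one year; a common recommendation


def parse_raw_response(text: str) -> Dict[str, List[str]]:
    """Return {lowercased header name: [values]} for the LAST response in
    the file: a dump of a redirect chain holds one block per hop, and the
    final hop is the one an analysis of the landing URL needs."""
    headers: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        if re.match(r"HTTP/\d(\.\d)?\s+\d{3}", line):
            headers = {}  # a status line starts a new response block
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue  # not a 'name: value' line; ignore it
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def check_headers(headers: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Group findings the way the README's history file does: missing,
    fingerprint, deprecated/insecure and empty."""
    found: Dict[str, List[str]] = {"missing": [], "fingerprint": [], "insecure": [], "empty": []}
    found["missing"] = [h for h in ESSENTIAL if h not in headers]
    found["fingerprint"] = [f"{h}: {headers[h][0]}" for h in FINGERPRINT if h in headers]
    found["empty"] = [h for h, vals in headers.items() if "" in vals]

    hsts = headers.get("strict-transport-security", [""])[0].lower()
    age = re.search(r"max-age=(\d+)", hsts)
    if hsts and (not age or int(age.group(1)) < MIN_HSTS_MAX_AGE):
        found["insecure"].append(f"strict-transport-security: max-age below {MIN_HSTS_MAX_AGE}")
    xfo = headers.get("x-frame-options", [""])[0].upper()
    if xfo and xfo not in ("DENY", "SAMEORIGIN"):  # ALLOW-FROM is obsolete
        found["insecure"].append(f"x-frame-options: unsupported value '{xfo}'")
    if "'unsafe-inline'" in headers.get("content-security-policy", [""])[0].lower():
        found["insecure"].append("content-security-policy: 'unsafe-inline' present")
    for cookie in headers.get("set-cookie", []):
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if not {"secure", "httponly"} <= attrs:
            found["insecure"].append(f"set-cookie: {cookie.split(';')[0]} lacks Secure/HttpOnly")
    return found


def total_warnings(found: Dict[str, List[str]]) -> int:
    """'Total warnings' in the README's history file is the sum of the four totals."""
    return sum(len(v) for v in found.values())


if __name__ == "__main__":
    result = check_headers(parse_raw_response(SAMPLE_RAW_RESPONSE))
    for category, items in result.items():
        print(f"[{category}] {len(items)}")
        for item in items:
            print("   ", item)
    print("Total warnings:", total_warnings(result))
```

Run it on a real dump by replacing SAMPLE_RAW_RESPONSE with the contents of the file curl wrote; for the constructed sample it reports 2 missing, 2 fingerprint, 4 insecure and 1 empty header, 9 warnings in total.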

.: (Linux) - SSL/TLS checks (requires https://testssl.sh/ and a Linux/Unix client).

Tip

testssl.sh options used:

  • -f: checks robust forward secrecy key exchange
  • -g: checks several server implementation bugs
  • -p: checks the availability of SSL/TLS protocols
  • -U: tests all vulnerabilities, like Heartbleed, ROBOT and sweet32
  • -s: tests lists of cipher suites/categories by strength
  • -hints: (available in the future) give hints how to fix a finding

.: (Linux) - Custom HTTP request header.

.: (Linux) - Compliance with OWASP 'Secure Headers Project' best practices.

.: (Windows) - JSON summary of the analysis, suitable for CI/CD.

.: (Linux) - List of HTTP fingerprint headers based on a specific term.

.: (Windows) - Guidelines for enabling security HTTP response headers.

.: (Linux) - Brief analysis saved as CSV. Example.

.: (Windows) - Detailed analysis saved as PDF. Example.

.: (Linux) - Detailed analysis saved as HTML. Example.

.: (Linux) - Detailed analysis saved as JSON. Example.

.: (Linux) - Detailed analysis saved as XLSX. Example.

.: (Linux) - Brief analysis saved as XML. Example.

.: (Linux) - Analysis history file: Date, URL, Enabled, Missing, Fingerprint, Deprecated/Insecure, Empty headers & Total warnings (the four previous totals).

.: (Linux) - Statistics of the analysis performed against a specific URL.

.: (Linux) - Statistics of the analysis performed against all URLs, in Spanish.

.: (Windows) - Checking for updates.

Installation & update (Source code)

Note

Python 3.11 or higher is required.

# Install python3 and python3-pip:
# (Windows) https://www.python.org/downloads/windows/
# (Linux) if not available, install them: e.g. Synaptic, apt, dnf, yum ...
# (macOS) https://www.python.org/downloads/macos/

# Install Git:
# (Windows) https://git-scm.com/download/win
# (Linux) https://git-scm.com/download/linux
# (macOS) https://git-scm.com/download/mac

# Set up a virtual environment (pending how to do it in Windows), download 'humble' and its dependencies
# '/home/bluesman/humble_venv' is an example path for the virtual environment
$ python3 -m venv /home/bluesman/humble_venv
$ source /home/bluesman/humble_venv/bin/activate
$ cd /home/bluesman/humble_venv/
$ git clone https://github.com/rfc-st/humble.git
$ cd humble
$ pip3 install -r requirements.txt

# Analyze! :). Linux and Windows examples
$ python3 humble.py -u https://google.com
$ py humble.py -u https://google.com

# Good practice: deactivate the virtual environment after you have finished using 'humble'
$ deactivate

# Activate the virtual environment to analyze again with 'humble'
$ cd /home/bluesman/humble_venv/
$ source /home/bluesman/humble_venv/bin/activate
$ cd humble

# Updating 'humble' (weekly): activate the virtual environment and from 'humble' folder
$ git pull

# Updating 'humble' (Release): activate the virtual environment, download the latest source code file
# and decompress it in the 'humble' folder, overwriting files
https://github.com/rfc-st/humble/releases

Installation & maintenance (Docker)

Note

Python 3.11 will be used to build the image.

# Install Docker and ensure it is running:
# E.g. (Linux): https://www.kali.org/docs/containers/installing-docker-on-kali/
# E.g. (macOS): https://docs.docker.com/desktop/install/mac-install/
# E.g. (Windows): https://docs.docker.com/desktop/install/windows-install/

# Clone the repository or download the latest release
$ git clone https://github.com/rfc-st/humble.git
https://github.com/rfc-st/humble/releases

# Build the Docker image inside the 'humble' folder: providing the TAG as the latest Release of 'humble' (e.g. 1.58)
# https://github.com/rfc-st/humble/releases (On Windows, this may require running the terminal with admin privileges)
$ docker build -t humble:1.58 .

# Run the analysis specifying the above TAG, along with the specific options for 'humble':
# '-it', required: allocate a pseudo-TTY and keep input interactive.
# '--rm', required: automatically remove the container after it exits.

# (Linux/macOS)
# E.g. Analyze https://google.com (brief analysis)
$ docker run -it --rm --name humble humble:1.58 /bin/bash -c "python3 humble.py -u https://google.com -b"

# (Windows)
# E.g. Analyze https://google.com (detailed analysis)
$ docker run -it --rm --name humble humble:1.58 python3 humble.py -u https://google.com

# (Optional) Remove and untag the previous 'humble' image after upgrading
$ docker rmi humble:1.58

Installation & update (Kali Linux)

Note

Python 3.11 or higher is required.

# Verify that the output contains 'Homepage: https://github.com/rfc-st/humble'
$ apt show humble

# Install 'humble'
$ sudo apt install humble

# Analyze! :)
$ humble -u https://google.com

# Updating 'humble' (monthly)
$ sudo apt update
$ sudo apt install --only-upgrade humble

Usage

(Windows) $ py humble.py
(Linux)   $ python3 humble.py
(macOS)   $ python3 humble.py

usage: humble.py [-h] [-a] [-b] [-c] [-cicd] [-df] [-e [TESTSSL_PATH]] [-f [FINGERPRINT_TERM]] [-g] [-grd] [-H REQUEST_HEADER] [-if INPUT_FILE] [-l {es}] [-lic]
                 [-o {all,csv,html,json,pdf,txt,xlsx,xml}] [-of OUTPUT_FILE] [-op OUTPUT_PATH] [-p PROXY] [-r] [-s [SKIP_HEADERS ...]] [-u URL] [-ua USER_AGENT] [-v]

'humble' (HTTP Headers Analyzer) | https://github.com/rfc-st/humble | v.2026-03-13

options:
  -h, --help                               show this help message and exit
  -a                                       Print statistics of the performed analysis; if the '-u' parameter is omitted they will be global
  -b                                       Print overall findings; if omitted detailed ones will be printed
  -c                                       Checks URL response HTTP headers for compliance with OWASP 'Secure Headers Project' best practices
  -cicd                                    Print only analysis summary, totals and grade in JSON; suitable for CI/CD
  -df                                      Do not follow redirects; if omitted the last redirection will be the one analyzed
  -e [TESTSSL_PATH]                        Print only TLS/SSL checks; requires the PATH of testssl (https://testssl.sh/)
  -f [FINGERPRINT_TERM]                    Print fingerprint statistics; if 'FINGERPRINT_TERM' (E.g., 'Google') is omitted the top 20 results will be printed
  -g                                       Print guidelines for enabling security HTTP response headers on popular frameworks, servers and services
  -grd                                     Print the checks to grade an analysis, along with advice for improvement
  -H REQUEST_HEADER                        Adds REQUEST_HEADER to the request; must be in double quotes and can be used multiple times, e.g. -H "Host: example.com"
  -if INPUT_FILE                           Analyzes 'INPUT_FILE': must contain HTTP response headers and values separated by ': '; E.g., 'server: nginx'
  -l {es}                                  Defines the language for displaying analysis, errors and messages; if omitted, will be printed in English
  -lic                                     Print the license for 'humble', along with permissions, limitations and conditions
  -o {all,csv,html,json,pdf,txt,xlsx,xml}  Export the analysis to the specified format; 'all' will export to all formats
  -of OUTPUT_FILE                          Exports analysis to 'OUTPUT_FILE'; if omitted the default filename of the parameter '-o' will be used
  -op OUTPUT_PATH                          Exports analysis to 'OUTPUT_PATH'; must be absolute. If omitted the PATH of 'humble.py' will be used
  -p PROXY                                 Use a proxy for the analysis. E.g., 'http://127.0.0.1:8080'. If no port is specified '8080' will be used
  -r                                       Print HTTP response headers and a detailed analysis; '-b' parameter will take priority
  -s [SKIP_HEADERS ...]                    Skips 'deprecated/insecure' and 'missing' checks for the indicated 'SKIP_HEADERS' (separated by spaces)
  -u URL                                   Scheme, host and port to analyze. E.g., https://google.com or https://google.com:443
  -ua USER_AGENT                           User-Agent ID from 'additional/user_agents.txt' file to use. '0' will print all and '1' is the default
  -v, --version                            Checks for updates at https://github.com/rfc-st/humble

examples:
  -u URL -a                            Print statistics of the analysis performed against the URL
  -u URL -b                            Analyzes the URL and prints overall findings
  -u URL -b -o csv                     Analyzes the URL and exports overall findings to CSV format
  -u URL -l es                         Analyzes the URL and prints (in Spanish) detailed findings
  -u URL -o pdf                        Analyzes the URL and exports detailed findings to PDF format
  -u URL -o html -of test              Analyzes the URL and exports detailed findings to HTML format and 'test' filename
  -u URL -o pdf -op D:/Tests           Analyzes the URL and exports detailed findings to PDF format and 'D:/Tests' path
  -u URL -p http://127.0.0.1:8080      Analyzes the URL using 'http://127.0.0.1:8080' as the proxy
  -u URL -r                            Analyzes the URL and prints detailed findings along with HTTP response headers
  -u URL -s ETag NEL                   Analyzes the URL and skips 'deprecated/insecure' and 'missing' checks for 'ETag' and 'NEL' headers
  -u URL -ua 4                         Analyzes the URL using the fourth User-Agent of 'additional/user_agents.txt' file
  -a -l es                             Print statistics (in Spanish) of the analysis performed against all URLs
  -f Google                            Print HTTP fingerprint headers related to the term 'Google'

want to contribute?:
  How to                               https://github.com/rfc-st/humble/blob/master/CONTRIBUTING.md
  Acknowledgements                     https://github.com/rfc-st/humble/#acknowledgements
  References and unit tests            https://humble.readthedocs.io

Advanced usage (Linux)

.: Show only the deprecated headers/protocols and insecure values.

$ python3 humble.py -u https://en.wikipedia.org/ | sed -n '/\[4/,/^\[5/ { /^\[5/!p }' | sed '$d' | sed $'1i \n'

Show only the deprecated headers/protocols and insecure values (Linux)

.: Check for HTTP client errors (4XX).

$ python3 humble.py -u https://my.prelude.software/demo/index.pl | grep -A1 -B5 'Note : \|Nota : ' --color=never

Check for HTTP client errors (4XX) (Linux)

.: Analyze multiple URLs and save the results as PDFs; thanks Eduardo for this example!

$ datasets=('https://facebook.com' 'https://github.com' 'https://www.spacex.com'); for dataset in "${datasets[@]}"; do python3 humble.py -u "$dataset" -o pdf; done

Analyze multiple URLs and save the results as PDFs

Unit tests

.: (Linux) - All tests passed successfully (showing all messages in English).

$ cd <humble dir>
$ cd tests
(Linux)   $ python test_humble.py -l en
(Windows) $ py test_humble.py -l en

(Linux) - All tests passed successfully

.: (Linux) - Code coverage (currently disabled in Windows).

$ cd <humble dir>
$ cd tests
$ pytest test_humble.py --cov-config=.coveragerc --cov=.. --cov-report=html --tb=no -rA -q -v -W ignore -p no:cacheprovider
$ cd humble_coverage_report
Open the index.html file in a browser.

(Linux) - Code coverage

Important

After reviewing the code coverage, you can delete the following items from the tests directory, keeping the rest:

  • humble_coverage_report folder
  • .coverage file

Tip

Parameters used in pytest and pytest-cov:

  • --cov-config=.coveragerc: Specifies the coverage configuration file
  • --cov=..: Specifies what code to measure coverage for
  • --cov-report=html: Defines the coverage report format
  • --tb=no: Does not show tracebacks for failed tests
  • -rA: Show all extra test summary info
  • -q: Quiet mode (during the analysis)
  • -v: Verbose mode (after the analysis)
  • -W ignore: Ignore all warnings during test execution
  • -p no:cacheprovider: Prevents creation of .pytest_cache

Quality, style and security tools

humble has enabled the following workflows:

It is also reviewed with the following extensions in Visual Studio Code:

And is regularly audited manually using the following tools (for each of them, I indicate how I use them):

  • Bandit: bandit -r /home/bluesman/humble_venv/humble --severity-level high
  • Codeaudit: codeaudit filescan humble.py --n
  • Complexipy: complexipy . --exclude /home/bluesman/humble_venv/humble/tests
  • opengrep: opengrep scan --taint-intrafile --config /home/bluesman/humble_venv/opengrep-rules/python .
  • pyinstrument: pyinstrument -r html humble.py -u https://google.com
  • radon: radon cc humble.py -s -a
  • semgrep: semgrep scan --config p/python humble.py
  • vulture: vulture --min-confidence 60 humble.py

Checks: enabled headers

Check this file.

Checks: missing headers

Check this file.

Checks: fingerprint headers

Check this file.

Checks: deprecated headers/protocols and insecure values

Check this file.

Note

humble tries to be strict, both in checking HTTP response headers and in checking their values; some of these headers may be experimental, and you may not agree with all the results of an analysis.

And that's OK! 😃; you should never blindly trust the results of security tools: there should be further work to decide whether the risk is non-existent, potential or real depending on the analyzed URL (its exposure, environment, etc).

Checks: empty values

Any HTTP response header.

Guidelines included to enable security HTTP headers

  • Amazon Web Services
  • Angular
  • Apache HTTP Server
  • Cloudflare
  • LiteSpeed Web Server
  • Microsoft Internet Information Services
  • Nginx
  • Node.js
  • Spring
  • WordPress

To-Do

  • Add more Header/Value checks (only security-oriented)

Further reading

Contribute

Thanks for downloading humble, for trying it and for your time!

Acknowledgements

License

MIT © 2020-2026 Rafa 'Bluesman' Faura (rafael.fcucalon@gmail.com)
Original Creator - Rafa 'Bluesman' Faura (rafael.fcucalon@gmail.com)