
SecHeaders

Price: Free

Updated: 2015-06-06

File size: 1.3M

Current version: 1.0

Requires: Android 4.1 or later

Website: http://rambou.gr

Email: nickos.bou@gmail.com

Contact address: Καρλόβασι, Σάμος 83200


An app that takes a list of websites as input and then gathers, filters, visualizes and generates statistics about their security headers. It started as a mini-project for the course "Mobile and Wireless Networks Security" at the Department of Information & Communication Systems Engineering, University of the Aegean, so don't expect anything fancy, lads. :bowtie: The project was built with Android Studio; if you want, you can import it into Eclipse (it needs to be converted).

The app filters all response headers down to the security-relevant ones. The 10 headers it looks for are listed below. :wink:

- Access Control Allow Origin - When Site A tries to fetch content from Site B, Site B can send an Access-Control-Allow-Origin response header to tell the browser that the content of this page is accessible to certain origins.

- Content Security Policy (CSP) - Helps detect/prevent XSS, mixed content, and other classes of attack. See the CSP 1.1 Specification.

- Cross Domain Meta Policy - Tells Flash and PDF files which Cross Domain Policy files found on your site may be obeyed; yes, it's a policy about other policies!

- Server Information - Who needs to know what type of server you're running?

- UTF-8 Character Encoding - Minimizes the likelihood that a malicious character conversion could happen.

- X-Frame-Options (XFO) - Prevents your content from being framed and potentially clickjacked. See the X-Frame-Options draft.

- X-Powered-By - Who needs to know what software version you're running?

- X-XSS-Protection - Cross-site scripting heuristic filter for IE/Chrome.

- X-Content-Type-Options - Prevents content-type sniffing ("nosniff").

- X-Download-Options - Prevents downloaded files from being opened directly in the browser.

- HTTP Strict Transport Security (HSTS) - Ensures the browser never visits the http version of a website. Protects against SSLStrip/Firesheep-style attacks. See the HSTS Specification.

- Secure Cookies - Ensures that the server knows the client. Checks for the use of Set-Cookie2 alongside the insecure Set-Cookie.

- X-Pingback - A header for blogs: a URL that lets other sites that link to this site (or one of its articles) notify it of the link. Before adding it, be aware that it has been used for DDoS attacks.

- P3P - Header for the Platform for Privacy Preferences.
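The filtering and statistics step the app describes can be reproduced offline. The following is an added example written for this page, not the SecHeaders app's own code: it takes captured response headers for two constructed sites, maps each item of the list above to a wire header name (the mapping of "Cross Domain Meta Policy" to X-Permitted-Cross-Domain-Policies, and the pass/fail semantics, are this example's assumptions), and produces per-site findings plus a cross-site tally. Protective headers count as a pass when present; disclosure headers (Server, X-Powered-By, X-Pingback) count as a pass when absent; UTF-8 is checked in Content-Type, and cookies pass only if every Set-Cookie carries the Secure attribute.

```python
"""Offline security-header audit (added example; assumed header mapping)."""
from collections import Counter

# Headers whose presence is desirable (label = wording used on the page).
PROTECTIVE = {
    "Access-Control-Allow-Origin": "Access Control Allow Origin",
    "Content-Security-Policy": "Content Security Policy",
    "X-Permitted-Cross-Domain-Policies": "Cross Domain Meta Policy",  # assumed wire name
    "X-Frame-Options": "X-Frame-Options",
    "X-XSS-Protection": "X-XSS-Protection",
    "X-Content-Type-Options": "X-Content-Type-Options",
    "X-Download-Options": "X-Download-Options",
    "Strict-Transport-Security": "HSTS",
    "P3P": "P3P",
}

# Headers that disclose information: their absence is the good state.
DISCLOSURE = {
    "Server": "Server Information",
    "X-Powered-By": "X-Powered-By",
    "X-Pingback": "X-Pingback",
}


def _normalize(raw_headers):
    """Group header values by lower-cased name; Set-Cookie may repeat."""
    grouped = {}
    for name, value in raw_headers:
        grouped.setdefault(name.lower(), []).append(value)
    return grouped


def audit(raw_headers):
    """Return {finding label: True if the site passes that check}."""
    hdrs = _normalize(raw_headers)
    findings = {}
    for wire, label in PROTECTIVE.items():
        findings[label] = wire.lower() in hdrs
    for wire, label in DISCLOSURE.items():
        findings[label] = wire.lower() not in hdrs
    # UTF-8 must be declared explicitly in Content-Type.
    ctype = " ".join(hdrs.get("content-type", [])).lower().replace(" ", "")
    findings["UTF-8 Character Encoding"] = "charset=utf-8" in ctype
    # Every cookie must carry the Secure attribute; no cookies at all passes.
    cookies = hdrs.get("set-cookie", [])
    findings["Secure Cookies"] = all(
        "secure" in [attr.strip().lower() for attr in c.split(";")[1:]]
        for c in cookies
    )
    return findings


def summarize(sites):
    """Per-site findings, how many sites pass each check, and a per-site score."""
    per_site = {name: audit(hdrs) for name, hdrs in sites.items()}
    passes = Counter()
    for findings in per_site.values():
        passes.update(label for label, ok in findings.items() if ok)
    score = {name: sum(f.values()) for name, f in per_site.items()}
    return per_site, passes, score


# Constructed sample responses (not captured from any real site).
SAMPLE_SITES = {
    "hardened.example": [
        ("Content-Type", "text/html; charset=utf-8"),
        ("Content-Security-Policy", "default-src 'self'"),
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
        ("X-Frame-Options", "DENY"),
        ("X-Content-Type-Options", "nosniff"),
        ("X-XSS-Protection", "1; mode=block"),
        ("X-Download-Options", "noopen"),
        ("X-Permitted-Cross-Domain-Policies", "none"),
        ("Set-Cookie", "sid=abc123; Path=/; Secure; HttpOnly"),
    ],
    "legacy.example": [
        ("Content-Type", "text/html"),
        ("Server", "ExampleServer/0.0 (placeholder)"),
        ("X-Powered-By", "ExampleFramework/0.0 (placeholder)"),
        ("X-Pingback", "http://legacy.example/xmlrpc.php"),
        ("Set-Cookie", "sid=abc123; Path=/"),
        ("Set-Cookie", "pref=1; Path=/; Secure"),
    ],
}

if __name__ == "__main__":
    per_site, passes, score = summarize(SAMPLE_SITES)
    for name, findings in per_site.items():
        missing = sorted(label for label, ok in findings.items() if not ok)
        print(f"{name}: {score[name]}/{len(findings)} checks passed; failing: {missing}")
    print("sites passing each check:", dict(passes))
```

Of the 14 checks, the hardened sample passes 12 (it sends no Access-Control-Allow-Origin and no P3P) and the legacy sample passes none: it leaks all three disclosure headers, omits the charset, and sets one cookie without Secure, which the all-cookies rule treats as a failure for the site.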