Tinfoil

Tinfoil is a command-line utility that requests a Web server from the outside, over both http:// and https://, and reports which of the common HTTP security response headers it sends. The headers it checks for are Strict-Transport-Security, X-XSS-Protection, X-Content-Type-Options, X-Frame-Options and Content-Security-Policy.

Not every one of these headers is appropriate for every site (Content-Security-Policy in particular needs a policy written for the application), so use your judgement when the scan reports that something is missing. You can also tell tinfoil to ignore the headers or protocols you do not support yet, so the report only shows what you care about.

Installation

Install it through RubyGems:

$ gem install tinfoil

Usage

Scan a single server

$ tinfoil www.example.com

Specifying the protocol, http:// or https://, is not required; by default tinfoil scans both the http:// and the https:// version of the host.

You can selectively ignore the secure headers or protocols that you do not want reported. For example, to skip the HTTPS scan entirely, ignore the Strict-Transport-Security header (--ignore-sts) and ignore the Content-Security-Policy header (--ignore-csp):

$ tinfoil --ignore-https --ignore-csp --ignore-sts www.example.com

To view the other options available, you can use the --help argument.

Example

The following examples test the secure header support of the main github.com website.

The first run checks both the http:// and the https:// version of github.com. The http:// version answers with a redirect to https://, so no headers are reported for it; the https:// version is then listed with the headers that are present. Note that a redirect itself says nothing about the headers on the final page, which is why tinfoil leaves that entry empty rather than reporting every header as missing.

greenhole:tinfoil scott$ bin/tinfoil github.com
protocol: http
protocol: https
headers:
        Strict-Transport-Security: exists
        X-XSS-Protection: exists
        X-Content-Type-Options: exists
        X-Frame-Options: exists
        Content-Security-Policy: exists

Since we only care about the https:// version of github.com, we tell tinfoil to skip the http:// scan.

greenhole:tinfoil scott$ bin/tinfoil --ignore-http github.com
protocol: https
headers:
        Strict-Transport-Security: exists
        X-XSS-Protection: exists
        X-Content-Type-Options: exists
        X-Frame-Options: exists
        Content-Security-Policy: exists

Finally, to show how an ignored header is reported, we also tell tinfoil to ignore the Content-Security-Policy header; it is listed as ignored rather than dropped from the output.

greenhole:tinfoil scott$ bin/tinfoil --ignore-http --ignore-csp github.com
protocol: https
headers:
        Strict-Transport-Security: exists
        X-XSS-Protection: exists
        X-Content-Type-Options: exists
        X-Frame-Options: exists
        Content-Security-Policy: ignored
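To make the behaviour shown in the runs above concrete, here is a small Ruby script written for this page (it is not tinfoil's own code) that does the same job: it classifies each of the five headers as exists, missing or ignored, treats a 3xx response as a redirect whose headers are not judged, and renders the result in the same shape as tinfoil's output. The short ignore keys (:sts, :csp and so on), the sample responses and the extra "redirect:" line are assumptions of this example, not tinfoil options or output.

```ruby
require 'net/http'
require 'uri'

# The five headers tinfoil reports, keyed by a short name used for the
# ignore list below (the short names are this example's, not tinfoil's).
SECURE_HEADERS = {
  'strict-transport-security' => :sts,
  'x-xss-protection'          => :xss,
  'x-content-type-options'    => :content_type,
  'x-frame-options'           => :frame,
  'content-security-policy'   => :csp
}.freeze

# Classify each secure header as :exists, :missing or :ignored.
# Header names are compared case-insensitively, as HTTP requires.
def classify_headers(headers, ignore: [])
  present = headers.keys.map { |k| k.to_s.downcase }
  SECURE_HEADERS.each_with_object({}) do |(name, short), report|
    report[name] = if ignore.include?(short)
                     :ignored
                   elsif present.include?(name)
                     :exists
                   else
                     :missing
                   end
  end
end

# Evaluate one protocol's response. A redirect (3xx) is reported as such
# and its headers are not judged: a redirect to https:// carries no verdict
# about the site, which is why the http entry above is empty.
def evaluate_response(status, headers, ignore: [])
  if (300..399).cover?(status)
    location = headers['location'] || headers['Location']
    { status: status, redirect: true, location: location, headers: {} }
  else
    { status: status, redirect: false, headers: classify_headers(headers, ignore: ignore) }
  end
end

# Fetch http:// and https:// for a host and evaluate both.
# Needs network access; not used by the offline sample below.
def scan_host(host, ignore_protocols: [], ignore_headers: [])
  protocols = %w[http https].reject { |p| ignore_protocols.include?(p.to_sym) }
  protocols.each_with_object({}) do |proto, out|
    res = Net::HTTP.get_response(URI("#{proto}://#{host}/"))
    # Net::HTTP#to_hash yields lowercase names with array values; keep the first
    hdrs = res.to_hash.transform_values(&:first)
    out[proto] = evaluate_response(res.code.to_i, hdrs, ignore: ignore_headers)
  end
end

# Render results in the same shape as tinfoil's output.
def format_report(results)
  results.map do |proto, r|
    lines = ["protocol: #{proto}"]
    if r[:redirect]
      lines << "        redirect: #{r[:status]} -> #{r[:location]}"
    else
      lines << 'headers:'
      r[:headers].each { |name, verdict| lines << "        #{name}: #{verdict}" }
    end
    lines
  end.flatten.join("\n")
end

# Constructed sample responses for an offline run (not captured from any real host).
SAMPLE_HTTP  = { status: 301, headers: { 'Location' => 'https://www.example.com/' } }
SAMPLE_HTTPS = { status: 200, headers: {
  'Strict-Transport-Security' => 'max-age=31536000; includeSubDomains',
  'X-Content-Type-Options'    => 'nosniff',
  'X-Frame-Options'           => 'DENY',
  'Content-Security-Policy'   => "default-src 'self'"
} }

# Evaluate the constructed samples the way scan_host would evaluate live responses.
def sample_scan(ignore_headers: [])
  {
    'http'  => evaluate_response(SAMPLE_HTTP[:status],  SAMPLE_HTTP[:headers],  ignore: ignore_headers),
    'https' => evaluate_response(SAMPLE_HTTPS[:status], SAMPLE_HTTPS[:headers], ignore: ignore_headers)
  }
end

# Usage: ruby headers_check.rb www.example.com (scans live); with no argument,
# the constructed sample is rendered instead.
if __FILE__ == $PROGRAM_NAME
  puts format_report(ARGV.empty? ? sample_scan(ignore_headers: [:csp]) : scan_host(ARGV[0]))
end
```

Note that the sample https:// response deliberately omits X-XSS-Protection, so the rendered report shows one header as missing, one as ignored and the rest as existing, which is the three-way distinction the runs above illustrate.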

Contributing

  1. Fork it
  2. Create your feature branch (git checkout -b my-new-feature)
  3. Commit your changes (git commit -am 'Add some feature')
  4. Push to the branch (git push origin my-new-feature)
  5. Create a new Pull Request

License

See LICENSE.txt for more information.