How to Scan HTTP Security Headers and SSL Certificates Using Python

🔍 Introduction

Keeping your website secure starts with understanding how it's exposed. This Python script helps you analyze two major aspects of web security:

🚨 Missing HTTP Security Headers
🔒 SSL Certificate Details

With just a few lines of code, you can perform a quick scan of any website and identify potential weaknesses that hackers might exploit.

🔐 What Are Security Headers?

Security headers are HTTP response headers that provide browsers with information on how to behave securely when interacting with a site. The script checks for the following headers:

Content-Security-Policy -> Prevents XSS attacks
Strict-Transport-Security -> Enforces HTTPS connections
X-Content-Type-Options -> Blocks MIME type sniffing
X-Frame-Options -> Protects against clickjacking via iframes
X-XSS-Protection -> Enables browser XSS filters
Referer-Policy -> Controls how referrer information is sent
Permissions-Policy -> Restricts access to APIs (e.g., camera, mic)

💻 Python Code to Scan a Website

Below is the complete code:

import requests 
import ssl 
import socket 
from urllib.parse import urlparse 


SECURITY_HEADERS = [
    'Content-Security-Policy', # XSS
    'Strict-Transport-Security', # HTTPS
    'X-Content-Type-Options', # MIME-sniffing
    'X-Frame-Options', # clickjacking (iframe)
    'X-XSS-Protection', # XSS filter
    'Referer-Policy', # Referer control
    'Permissions-Policy' # Limit API: camera, mic, geolocation
]


def check_http_headers(url):
    try:
        response = requests.get(url, timeout=10)
        print(f"\n[+] HTTP Status Code: {response.status_code}")
        print(f"[+] Server Header: {response.headers.get('Server', 'N/A')}")

        print("\n[+] Checking Security Headers:")
        for header in SECURITY_HEADERS:
            if header in response.headers:
                print(f"  [✔] {header}: {response.headers[header]}")
            else:
                print(f"  [✘] {header}: Missing")
    except Exception as e:
        print(f"[!] Error checking headers: {e}")

    
def check_ssl_certificate(hostname):
    try:
        context = ssl.create_default_context()
        with socket.create_connection((hostname, 443)) as sock:
            with context.wrap_socket(sock, server_hostname=hostname) as ssock:
                cert = ssock.getpeercert()
                print(cert)
                print(f"\n[+] SSL Certificate Info:")
                print(f"  - Issuer: {cert['issuer']}") # cert org
                print(f"  - Subject: {cert['subject']}") # domain
                print(f"  - Valid From: {cert['notBefore']}") 
                print(f"  - Valid To: {cert['notAfter']}")
    except Exception as e:
        print(f"[!] Error checking SSL cert: {e}")



def run_scanner(target_url):
    print(f"\n==== Security Scanner Started ====\nTarget: {target_url}")
    parsed = urlparse(target_url)
    hostname = parsed.hostname or target_url.replace("http://", "").replace("https://", "")
    check_http_headers(target_url)
    check_ssl_certificate(hostname)
    print("\n==== Scan Completed ====\n")


if __name__ == '__main__':
    website = input("Enter website URL (e.g., https://example.com): ")
    run_scanner(website)

# pip install requests

📦 Requirements

pip install requests

📊 Example Output

⚠️ Important Notes

This script is for educational and internal security auditing purposes only.
Never scan domains without permission. Unauthorized scanning may be illegal.

How to Scan HTTP Security Headers and SSL Certificates Using Python

🔍 Introduction

🔐 What Are Security Headers?

💻 Python Code to Scan a Website

📦 Requirements

📊 Example Output

⚠️ Important Notes

Read Similars

Automated LAN Scanning with Nmap and Python – Exporting Results to JSON

How to Fingerprint a Device in Your Local Network Using Python

How to Scan Local Network for Active Devices Using Python and TCP SYN

How to Scan Devices in Your Local Network Using Python and ARP

Testing Common Django Security Vulnerabilities with Python Scripts