
humble

Overview

humble is a command-line utility that analyzes HTTP response headers and identifies security misconfigurations. It checks for the presence and correctness of critical security headers like Content-Security-Policy, X-Frame-Options, Strict-Transport-Security, and others. The tool provides detailed guidance on remediation and best practices for securing HTTP header configurations.

humble is particularly useful during vulnerability assessments to quickly identify missing or misconfigured security headers across multiple targets, making it an essential tool for web application security testing.

Installation

# Kali Linux (pre-installed)
humble --version

# Using pip
pip3 install humble

# From source
git clone https://github.com/rfc-st/humble
cd humble
python3 -m pip install -r requirements.txt
python3 setup.py install

# Verify installation
which humble

Basic Usage

Command Syntax

humble [options] <url>

Simple Header Analysis

Command                     Description
humble http://example.com   Analyze headers for a single URL
humble https://example.com  Analyze an HTTPS URL
humble -h                   Display help information
humble --version            Show version number

Basic Examples

# Analyze single website
humble http://example.com

# Analyze HTTPS endpoint
humble https://api.example.com

# Analyze with verbose output
humble -v http://example.com

# Analyze multiple URLs
humble http://example.com https://api.example.com

Common Options

Output and Verbosity

Option      Description             Example
-v          Verbose output          humble -v http://example.com
-j          JSON output format      humble -j http://example.com
-r          Report format           humble -r http://example.com
--no-color  Disable colored output  humble --no-color http://example.com

Request Configuration

Option  Description      Example
-c      Custom cookie    humble -c "name=value" http://example.com
-H      Custom header    humble -H "User-Agent: Custom" http://example.com
-p      Proxy address    humble -p http://127.0.0.1:8080 http://example.com
-t      Request timeout  humble -t 30 http://example.com

Analysis Options

Option  Description         Example
-a      All tests           humble -a http://example.com
--csp   Check CSP headers   humble --csp http://example.com
--hsts  Check HSTS headers  humble --hsts http://example.com
--cors  Check CORS headers  humble --cors http://example.com

Security Headers Analysis

Critical Headers

# Analyze Strict-Transport-Security
humble --hsts https://example.com

# Check Content-Security-Policy
humble --csp http://example.com

# Analyze X-Frame-Options
humble --xfo http://example.com

# Full security header analysis
humble -a https://example.com

Header Details

# Comprehensive header inspection with verbose output
humble -v -a https://example.com

# JSON output for programmatic analysis
humble -j https://example.com > headers.json

# Report mode for documentation
humble -r https://example.com > security_report.txt

Advanced Usage

Bulk URL Analysis

# Create URL list
cat > urls.txt << EOF
http://example.com
http://subdomain.example.com
https://api.example.com
https://admin.example.com
EOF

# Analyze each URL; banners go to stderr so the .json file stays pure JSON
while IFS= read -r url; do
  echo "=== $url ===" >&2
  humble -j "$url"
done < urls.txt > all_headers.json

Custom Header Injection

# Test with custom authentication
humble -H "Authorization: Bearer token123" https://api.example.com

# Test with custom headers
humble \
  -H "X-Custom-Header: value" \
  -H "X-API-Key: secret" \
  https://api.example.com

Proxy-Based Testing

# Analyze through proxy
humble -p http://127.0.0.1:8080 http://example.com

# Test with Burp Suite
humble -p http://127.0.0.1:8080 http://internal-app.local

# Multiple proxies for load balancer testing
for proxy in 127.0.0.1:8080 127.0.0.1:8081; do
  humble -p "http://$proxy" http://example.com
done

Security Header Checks

Content Security Policy (CSP)

# Detailed CSP analysis
humble --csp http://example.com

# CSP with verbose output
humble -v --csp https://example.com

# Common CSP issues identified:
# - Missing CSP header
# - Overly permissive directives
# - Deprecated values
# - Wildcard usage

HSTS (Strict-Transport-Security)

# Check HSTS configuration
humble --hsts https://example.com

# Identifies:
# - Missing HSTS header
# - Short max-age values
# - Missing includeSubDomains
# - Missing preload directive

X-Frame-Options (Clickjacking)

# Analyze clickjacking protection
humble --xfo http://example.com

# Checks for:
# - DENY value
# - SAMEORIGIN value
# - Missing header
# - Misconfigured policies

CORS Headers

# Full CORS analysis
humble --cors http://example.com

# Identifies:
# - Wildcard Access-Control-Allow-Origin
# - Missing Vary header
# - Overly permissive credentials
# - Invalid CORS directives

Reconnaissance Workflows

Web Application Security Assessment

# Enumerate all URLs and analyze headers
subfinder -d target.com -silent | httprobe | while IFS= read -r url; do
  humble -j "$url" >> headers_report.json
done

# Parse results
jq . headers_report.json | less

API Security Analysis

# Discover API endpoints
curl -s https://api.target.com/swagger.json | jq '.paths | keys[]'

# Analyze each endpoint
curl -s https://api.target.com/swagger.json | jq -r '.paths | keys[]' | while IFS= read -r path; do
  url="https://api.target.com$path"
  humble -j "$url"
done

Bug Bounty Program Testing

# Comprehensive header security assessment (one domain per line in scope.txt)
while IFS= read -r domain; do
  echo "Testing: $domain"
  humble -v -a "https://$domain"
  echo "---"
done < scope.txt > bug_bounty_headers.txt

# Extract issues
grep -i "warning\|error\|vulnerable" bug_bounty_headers.txt

Practical Examples

Example 1: Single URL Analysis

# Basic analysis
humble https://example.com

# Output includes:
# ✓ HSTS Header: Present
# ✗ CSP Header: Missing
# ✓ X-Frame-Options: DENY
# ⚠ X-Content-Type-Options: Warning

Example 2: JSON Report Generation

# Generate JSON output
humble -j https://target.com > header_analysis.json

# Format and view
jq . header_analysis.json

# Extract specific checks
jq '.checks[] | select(.status=="fail")' header_analysis.json

Example 3: Bulk Assessment

# Create target list
printf '%s\n' https://app1.com https://app2.com https://app3.com > targets.txt

# Analyze all targets
while IFS= read -r url; do
  echo "Scanning: $url"
  humble -v "$url" >> bulk_analysis.txt
done < targets.txt

# Summary report
grep -E "✓|✗|⚠" bulk_analysis.txt | sort | uniq -c

Example 4: Vulnerability Identification

# Run comprehensive analysis
humble -a -j https://vulnerable-app.com > vuln_headers.json

# Extract failed checks (the JSON output lists them under "checks")
jq '.checks[] | select(.status=="fail") | .header' vuln_headers.json

# Generate remediation list
jq -r '.checks[] | select(.status=="fail") | "\(.header): \(.recommendation)"' vuln_headers.json

Header Remediation Guidance

Common Findings and Fixes

# Missing HSTS
# Remediation:
# Add to web server:
# Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

# Missing CSP
# Remediation:
# Content-Security-Policy: default-src 'self'; script-src 'self'

# Missing X-Frame-Options
# Remediation:
# X-Frame-Options: DENY

# Missing X-Content-Type-Options
# Remediation:
# X-Content-Type-Options: nosniff
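The checks the sections above enumerate (HSTS max-age and directives, CSP wildcards and permissive keywords, X-Frame-Options values, CORS wildcard origins) written out as a small Python checker that uses the remediation values from this section. This is an added example, not humble's own code: `check_headers` and the `SAMPLE` headers are constructed here, and the findings are shaped like the `checks` array in humble's JSON output.

```python
ONE_YEAR = 31536000  # max-age this page's remediation guidance recommends for HSTS

def check_headers(headers):
    """Apply the header checks listed on this page to a dict of response headers
    and return findings shaped like humble's JSON 'checks' array."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    out = []
    def add(name, status, text):  # "pass" carries a message, fail/warn a recommendation
        out.append({"header": name, "status": status,
                    ("message" if status == "pass" else "recommendation"): text})

    # HSTS: missing header, short max-age, missing includeSubDomains / preload
    hsts = h.get("strict-transport-security")
    parts = [p.strip().lower() for p in hsts.split(";")] if hsts else []
    ages = [int(p[8:]) for p in parts if p.startswith("max-age=") and p[8:].isdigit()]
    if hsts is None:
        add("HSTS", "fail", "Add Strict-Transport-Security: max-age=31536000; includeSubDomains; preload")
    elif not ages or ages[0] < ONE_YEAR:
        add("HSTS", "fail", "Raise max-age to at least 31536000")
    elif "includesubdomains" not in parts or "preload" not in parts:
        add("HSTS", "warn", "Add includeSubDomains and preload")
    else:
        add("HSTS", "pass", "Header present and valid")

    # CSP: missing header, wildcard sources, overly permissive keywords
    csp = h.get("content-security-policy")
    tokens = csp.replace(";", " ").split() if csp else []
    if csp is None:
        add("CSP", "fail", "Add Content-Security-Policy: default-src 'self'; script-src 'self'")
    elif "*" in tokens or "'unsafe-inline'" in tokens or "'unsafe-eval'" in tokens:
        add("CSP", "warn", "Remove wildcard sources and 'unsafe-inline' / 'unsafe-eval'")
    else:
        add("CSP", "pass", "Header present")

    # X-Frame-Options: only DENY and SAMEORIGIN are valid; anything else is misconfigured
    xfo = h.get("x-frame-options", "").upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        add("X-Frame-Options", "pass", xfo)
    else:
        add("X-Frame-Options", "fail", "Set X-Frame-Options: DENY (or SAMEORIGIN)")

    # CORS: a wildcard origin is a warning, and a failure when combined with credentials
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if h.get("access-control-allow-origin") == "*":
        add("CORS", "fail" if creds else "warn", "Restrict Access-Control-Allow-Origin to an allow-list")
    return out

# Constructed sample response headers (not captured from a real server).
SAMPLE = {"Strict-Transport-Security": "max-age=300", "Access-Control-Allow-Origin": "*",
          "X-Frame-Options": "ALLOW-FROM https://partner.example", "Access-Control-Allow-Credentials": "true"}
```

Feeding `SAMPLE` to `check_headers` yields four failures: a short HSTS max-age, a missing CSP, an unsupported X-Frame-Options value, and a wildcard origin combined with credentials.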

Integration with Other Tools

Burp Suite Integration

# Export from Burp and analyze
humble -p http://127.0.0.1:8080 http://example.com

# Intercept and modify requests
# Then run humble for header analysis

Scanning Multiple Endpoints

# Use with httpx for URL discovery (-silent keeps only the live URLs on stdout)
echo "https://example.com" | httpx -silent | while IFS= read -r url; do
  humble -j "$url"
done > comprehensive_headers.json

Automated Security Testing

# Pipe humble into an analysis pipeline
while IFS= read -r url; do
  humble -j "$url" | jq '.checks[] | select(.status=="fail")'
done < scope.txt | tee failures.json

Output Formats

Standard Output

[*] Analyzing: https://example.com
[+] Status: 200 OK
[+] Server: nginx/1.18.0

Headers Analysis:
  ✓ HSTS: Present and valid
  ✗ CSP: Missing
  ✓ X-Frame-Options: DENY
  ⚠ X-Content-Type-Options: Missing
  ✗ Referrer-Policy: Missing

JSON Output

{
  "url": "https://example.com",
  "status": 200,
  "checks": [
    {
      "header": "HSTS",
      "status": "pass",
      "message": "Header present"
    },
    {
      "header": "CSP",
      "status": "fail",
      "recommendation": "Add Content-Security-Policy header"
    }
  ]
}
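The bulk workflows above append one `humble -j` document per target to a single file, sometimes with banner lines in between, so the result is a stream of JSON objects rather than one JSON document and plain `jq .` or `json.load` will choke on it. This added example (not part of humble) reads such a file, assuming the `url`/`checks` shape shown above, skips non-JSON lines, and groups failed checks by header across targets; `SAMPLE_STREAM` is constructed.

```python
import json

def iter_json_documents(text):
    """Yield each JSON object from a file built by appending `humble -j` output
    for many targets; stray non-JSON lines such as 'Scanning:' banners are skipped."""
    decoder = json.JSONDecoder()
    pos = 0
    while True:
        start = text.find("{", pos)
        if start == -1:
            return
        try:
            obj, end = decoder.raw_decode(text, start)
        except json.JSONDecodeError:
            pos = start + 1  # a brace that does not open a document (e.g. inside a banner)
            continue
        yield obj
        pos = end

def failing_headers(text):
    """Map each failed header name to the URLs where it failed, following the
    JSON shape shown above (top-level 'url' and a 'checks' array)."""
    failures = {}
    for doc in iter_json_documents(text):
        for check in doc.get("checks", []):
            if check.get("status") == "fail":
                failures.setdefault(check["header"], []).append(doc.get("url"))
    return failures

# Constructed sample: two appended humble -j runs, each preceded by a banner line.
SAMPLE_STREAM = """Scanning: https://app1.example
{"url": "https://app1.example", "status": 200, "checks": [
  {"header": "HSTS", "status": "pass", "message": "Header present"},
  {"header": "CSP", "status": "fail", "recommendation": "Add Content-Security-Policy header"}]}
Scanning: https://app2.example
{"url": "https://app2.example", "status": 200, "checks": [
  {"header": "HSTS", "status": "fail", "recommendation": "Add Strict-Transport-Security header"},
  {"header": "CSP", "status": "fail", "recommendation": "Add Content-Security-Policy header"}]}
"""

if __name__ == "__main__":
    for header, urls in sorted(failing_headers(SAMPLE_STREAM).items()):
        print(f"{header}: failed on {len(urls)} target(s): {', '.join(urls)}")
```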

Troubleshooting

Issue                  Solution
Connection timeout     Increase the timeout: humble -t 60 http://example.com
SSL certificate error  Check certificate validity or use HTTP
Proxy errors           Verify the proxy address and port
Empty results          Check URL accessibility and network connectivity
Header parsing fails   Try verbose mode: humble -v http://example.com

Security Testing Best Practices

Assessment Checklist

  • Analyze all in-scope URLs
  • Test both HTTP and HTTPS endpoints
  • Verify header consistency across endpoints
  • Document all missing security headers
  • Create remediation plan with priorities
  • Retest after fixes are applied

Example Assessment Script

#!/bin/bash
# Security header assessment script
set -u

TARGET=${1:?usage: $0 <hostname>}
STAMP=$(date +%s)
OUTPUT="header_assessment_${STAMP}.txt"
JSON="header_assessment_${STAMP}.json"

{
  echo "Analyzing: $TARGET"
  echo "Date: $(date)"
  echo "---"
} | tee "$OUTPUT"

# Analyze target; keep the raw JSON in its own file so jq can parse it
humble -a -j "https://$TARGET" | tee "$JSON" >> "$OUTPUT"

# Extract findings from the JSON file, not from the mixed text report
echo "FINDINGS:" | tee -a "$OUTPUT"
jq -r '.checks[] | select(.status=="fail") | "\(.header): \(.recommendation)"' "$JSON" | tee -a "$OUTPUT"

echo "Report saved to: $OUTPUT"

Ethical Considerations

  • Explicit Permission: Only analyze headers for systems you own or have written authorization to test
  • Scope: Adhere to the defined testing scope and boundaries
  • Documentation: Keep detailed records of all assessments
  • Remediation Tracking: Document and follow up on remediation efforts

Related Tools

  • curl: HTTP client for header inspection
  • nc/ncat: Manual HTTP testing
  • Burp Suite: Professional web security testing
  • OWASP ZAP: Automated web security scanning
  • httpx: Fast HTTP probe and response capture
  • sectoolkit: Security header checking tool