
humble

humble is a command-line utility that analyzes HTTP response headers and identifies security misconfigurations. It checks for the presence and correctness of critical security headers like Content-Security-Policy, X-Frame-Options, Strict-Transport-Security, and others. The tool provides detailed guidance on remediation and best practices for securing HTTP header configurations.

humble is particularly useful during vulnerability assessments to quickly identify missing or misconfigured security headers across multiple targets, making it an essential tool for web application security testing.

# Kali Linux (pre-installed)
humble --version

# Using pip
pip3 install humble

# From source
git clone https://github.com/rfc-st/humble
cd humble
python3 -m pip install -r requirements.txt
python3 setup.py install

# Verify installation
which humble
humble [options] <url>

| Command | Description |
|---|---|
| humble http://example.com | Analyze headers for single URL |
| humble https://example.com | Analyze HTTPS URL |
| humble -h | Display help information |
| humble --version | Show version number |

# Analyze single website
humble http://example.com

# Analyze HTTPS endpoint
humble https://api.example.com

# Analyze with verbose output
humble -v http://example.com

# Analyze multiple URLs
humble http://example.com https://api.example.com

| Option | Description | Example |
|---|---|---|
| -v | Verbose output | humble -v http://example.com |
| -j | JSON output format | humble -j http://example.com |
| -r | Report format | humble -r http://example.com |
| --no-color | Disable colored output | humble --no-color http://example.com |

| Option | Description | Example |
|---|---|---|
| -c | Custom cookie | humble -c "name=value" http://example.com |
| -H | Custom header | humble -H "User-Agent: Custom" http://example.com |
| -p | Proxy address | humble -p http://127.0.0.1:8080 http://example.com |
| -t | Request timeout | humble -t 30 http://example.com |

| Option | Description | Example |
|---|---|---|
| -a | All tests | humble -a http://example.com |
| --csp | Check CSP headers | humble --csp http://example.com |
| --hsts | Check HSTS headers | humble --hsts http://example.com |
| --cors | Check CORS headers | humble --cors http://example.com |

# Analyze Strict-Transport-Security
humble --hsts https://example.com

# Check Content-Security-Policy
humble --csp http://example.com

# Analyze X-Frame-Options
humble --xfo http://example.com

# Full security header analysis
humble -a https://example.com
# Comprehensive header inspection with verbose output
humble -v -a https://example.com

# JSON output for programmatic analysis
humble -j https://example.com > headers.json

# Report mode for documentation
humble -r https://example.com > security_report.txt
# Create URL list
cat > urls.txt << EOF
http://example.com
http://subdomain.example.com
https://api.example.com
https://admin.example.com
EOF

# Analyze each URL
# Progress markers go to stderr so the redirected file stays pure JSON
while read -r url; do
  echo "=== $url ===" >&2
  humble -j "$url"
done < urls.txt > all_headers.json
# Test with custom authentication
humble -H "Authorization: Bearer token123" https://api.example.com

# Test with custom headers
humble \
  -H "X-Custom-Header: value" \
  -H "X-API-Key: secret" \
  https://api.example.com
# Analyze through proxy
humble -p http://127.0.0.1:8080 http://example.com

# Test with Burp Suite
humble -p http://127.0.0.1:8080 http://internal-app.local

# Multiple proxies for load balancer testing
for proxy in 127.0.0.1:8080 127.0.0.1:8081; do
  humble -p http://$proxy http://example.com
done
# Detailed CSP analysis
humble --csp http://example.com

# CSP with verbose output
humble -v --csp https://example.com

# Common CSP issues identified:
# - Missing CSP header
# - Overly permissive directives
# - Deprecated values
# - Wildcard usage
# Check HSTS configuration
humble --hsts https://example.com

# Identifies:
# - Missing HSTS header
# - Short max-age values
# - Missing includeSubDomains
# - Missing preload directive
# Analyze clickjacking protection
humble --xfo http://example.com

# Checks for:
# - DENY value
# - SAMEORIGIN value
# - Missing header
# - Misconfigured policies
# Full CORS analysis
humble --cors http://example.com

# Identifies:
# - Wildcard Access-Control-Allow-Origin
# - Missing Vary header
# - Overly permissive credentials
# - Invalid CORS directives
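The four blocks above describe what humble reports for HSTS, CSP, X-Frame-Options and CORS but not how such checks are decided. The following is an added example, not humble's own code: a small checker that applies those same classes of checks (plus the X-Content-Type-Options check the cheat sheet mentions later) to a dict of response headers, so the pass/fail logic can be read and exercised offline. `SAMPLE_HEADERS`, the one-year `max-age` threshold and the deprecated-directive list are assumptions of this example.

```python
"""Stand-alone security-header checker (added example, not humble's code).

Applies the check classes the cheat sheet lists for HSTS, CSP,
X-Frame-Options, CORS and X-Content-Type-Options to a header dict.
SAMPLE_HEADERS is a constructed response, not a real capture.
"""
from __future__ import annotations

ONE_YEAR = 31536000  # max-age used in the cheat sheet's HSTS remediation
DEPRECATED_CSP = {"referrer", "reflected-xss", "block-all-mixed-content"}


def header(headers: dict[str, str], name: str) -> str | None:
    """Case-insensitive lookup; HTTP header names are case-insensitive."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), None)


def check_hsts(headers: dict[str, str]) -> list[tuple]:
    value = header(headers, "Strict-Transport-Security")
    if value is None:
        return [("HSTS", "fail", "missing header")]
    parts = [p.strip().lower() for p in value.split(";") if p.strip()]
    out = []
    age = next((p[len("max-age="):] for p in parts if p.startswith("max-age=")), None)
    if age is None or not age.isdigit():
        out.append(("HSTS", "fail", "max-age missing or not numeric"))
    elif int(age) < ONE_YEAR:
        out.append(("HSTS", "warn", f"max-age={age} is shorter than one year"))
    if "includesubdomains" not in parts:
        out.append(("HSTS", "warn", "includeSubDomains missing"))
    if "preload" not in parts:
        out.append(("HSTS", "info", "preload missing"))
    return out


def check_csp(headers: dict[str, str]) -> list[tuple]:
    value = header(headers, "Content-Security-Policy")
    if value is None:
        return [("CSP", "fail", "missing header")]
    out = []
    for directive in value.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), [t.lower() for t in tokens[1:]]
        if name in DEPRECATED_CSP:
            out.append(("CSP", "warn", f"deprecated directive {name}"))
        if "*" in sources:  # bare wildcard allows any origin
            out.append(("CSP", "fail", f"bare wildcard source in {name}"))
        elif any("*" in s for s in sources):  # e.g. https://*.example
            out.append(("CSP", "warn", f"wildcard host in {name}"))
        for weak in ("'unsafe-inline'", "'unsafe-eval'"):
            if weak in sources:
                out.append(("CSP", "warn", f"{weak} in {name}"))
    return out


def check_xfo(headers: dict[str, str]) -> list[tuple]:
    value = header(headers, "X-Frame-Options")
    if value is None:
        return [("X-Frame-Options", "fail", "missing header")]
    v = value.strip().upper()
    if v in ("DENY", "SAMEORIGIN"):
        return [("X-Frame-Options", "pass", v)]
    return [("X-Frame-Options", "warn", f"unsupported or deprecated value {value!r}")]


def check_cors(headers: dict[str, str]) -> list[tuple]:
    acao = header(headers, "Access-Control-Allow-Origin")
    if acao is None:
        return []  # no CORS policy exposed, nothing to grade
    creds = (header(headers, "Access-Control-Allow-Credentials") or "").strip().lower() == "true"
    vary = [v.strip().lower() for v in (header(headers, "Vary") or "").split(",")]
    if acao.strip() == "*":
        status = "fail" if creds else "warn"
        return [("CORS", status, "wildcard Access-Control-Allow-Origin" + (" with credentials" if creds else ""))]
    if "origin" not in vary:  # origin-specific ACAO must be keyed by Origin in caches
        return [("CORS", "warn", "origin-specific ACAO without Vary: Origin")]
    return []


def check_xcto(headers: dict[str, str]) -> list[tuple]:
    value = header(headers, "X-Content-Type-Options")
    if value is None:
        return [("X-Content-Type-Options", "warn", "missing header")]
    if value.strip().lower() == "nosniff":
        return [("X-Content-Type-Options", "pass", "nosniff")]
    return [("X-Content-Type-Options", "fail", f"unexpected value {value!r}")]


def analyze(headers: dict[str, str]) -> list[tuple]:
    """Run every check and return (check, status, message) findings."""
    findings = []
    for check in (check_hsts, check_csp, check_xfo, check_cors, check_xcto):
        findings.extend(check(headers))
    return findings


SAMPLE_HEADERS = {  # constructed sample response
    "Server": "nginx",
    "Strict-Transport-Security": "max-age=86400",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' *; referrer no-referrer",
    "X-Frame-Options": "ALLOW-FROM https://partner.example",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
}

if __name__ == "__main__":
    for check, status, message in analyze(SAMPLE_HEADERS):
        print(f"[{status:4}] {check}: {message}")
```

The thresholds are the example's own choices (one year for `max-age` matches the remediation value the cheat sheet gives); a missing `Access-Control-Allow-Origin` is deliberately not graded, since a response with no CORS policy is not a CORS misconfiguration.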
# Enumerate all URLs and analyze headers
subfinder -d target.com -silent | httprobe | while read url; do
  humble -j "$url" >> headers_report.json
done

# Parse results
jq . headers_report.json | less
# Discover API endpoints
curl -s https://api.target.com/swagger.json | jq '.paths | keys[]'

# Analyze each endpoint
curl -s https://api.target.com/swagger.json | jq -r '.paths | keys[]' | while read path; do
  url="https://api.target.com$path"
  humble -j "$url"
done
# Comprehensive header security assessment
for domain in $(cat scope.txt); do
  echo "Testing: $domain"
  humble -v -a "https://$domain"
  echo "---"
done > bug_bounty_headers.txt

# Extract issues
grep -i "warning\|error\|vulnerable" bug_bounty_headers.txt
# Basic analysis
humble https://example.com

# Output includes:
# ✓ HSTS Header: Present
# ✗ CSP Header: Missing
# ✓ X-Frame-Options: DENY
# ⚠ X-Content-Type-Options: Warning
# Generate JSON output
humble -j https://target.com > header_analysis.json

# Format and view
jq . header_analysis.json

# Extract specific checks
jq '.checks[] | select(.status=="fail")' header_analysis.json
# Create target list
echo -e "https://app1.com\nhttps://app2.com\nhttps://app3.com" > targets.txt

# Analyze all targets
for url in $(cat targets.txt); do
  echo "Scanning: $url"
  humble -v "$url" >> bulk_analysis.txt
done

# Summary report
grep -E "✓|✗|⚠" bulk_analysis.txt | sort | uniq -c
# Run comprehensive analysis
humble -a -j https://vulnerable-app.com > vuln_headers.json

# Extract failed checks
jq '.checks[] | select(.status=="fail") | .header' vuln_headers.json

# Generate remediation list
jq -r '.checks[] | select(.status=="fail") | "\(.header): \(.recommendation)"' vuln_headers.json
# Missing HSTS
# Remediation:
# Add to web server:
# Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

# Missing CSP
# Remediation:
# Content-Security-Policy: default-src 'self'; script-src 'self'

# Missing X-Frame-Options
# Remediation:
# X-Frame-Options: DENY

# Missing X-Content-Type-Options
# Remediation:
# X-Content-Type-Options: nosniff
# Export from Burp and analyze
humble -p http://127.0.0.1:8080 http://example.com

# Intercept and modify requests
# Then run humble for header analysis
# Use with httpx for URL discovery
echo "https://example.com" | httpx -silent | while read -r url; do
  humble -j "$url"
done > comprehensive_headers.json
# Pipe humble into analysis pipeline
for url in $(cat scope.txt); do
  humble -j "$url" | jq '.checks[] | select(.status=="fail")'
done | tee failures.json
[*] Analyzing: https://example.com
[+] Status: 200 OK
[+] Server: nginx/1.18.0

Headers Analysis:
  ✓ HSTS: Present and valid
  ✗ CSP: Missing
  ✓ X-Frame-Options: DENY
  ⚠ X-Content-Type-Options: Missing
  ✗ Referrer-Policy: Missing
{
  "url": "https://example.com",
  "status": 200,
  "checks": [
    {
      "header": "HSTS",
      "status": "pass",
      "message": "Header present"
    },
    {
      "header": "CSP",
      "status": "fail",
      "recommendation": "Add Content-Security-Policy header"
    }
  ]
}
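The JSON shape above is what the bulk-analysis loops earlier append into a single file with `>>`, one object per URL. As an added example (not part of humble), the script below reads such a concatenated-object file, tallies which headers fail on which endpoints, flags headers that pass on some endpoints but fail on others (the consistency check from the assessment checklist), and maps failures to the remediation values the cheat sheet gives. `SAMPLE_REPORT`, the `REMEDIATION` table and the check names are assumptions taken from this page, not from the tool.

```python
"""Aggregate humble JSON reports across endpoints (added example, not humble's code).

Reads the documented shape {"url", "status", "checks": [{"header", "status",
"message" | "recommendation"}]} from a file of concatenated objects, as
produced by `humble -j "$url" >> report.json`. SAMPLE_REPORT is constructed.
"""
from __future__ import annotations

import json
from collections import defaultdict

# Remediation values from the cheat sheet, keyed by the check names it uses
REMEDIATION = {
    "HSTS": "Strict-Transport-Security: max-age=31536000; includeSubDomains; preload",
    "CSP": "Content-Security-Policy: default-src 'self'; script-src 'self'",
    "X-Frame-Options": "X-Frame-Options: DENY",
    "X-Content-Type-Options": "X-Content-Type-Options: nosniff",
}

# Constructed: three endpoint reports appended into one file
SAMPLE_REPORT = """
{"url": "https://app.example", "status": 200, "checks": [
  {"header": "HSTS", "status": "pass", "message": "Header present"},
  {"header": "CSP", "status": "fail", "recommendation": "Add Content-Security-Policy header"},
  {"header": "X-Frame-Options", "status": "pass", "message": "DENY"}]}
{"url": "https://api.example", "status": 200, "checks": [
  {"header": "HSTS", "status": "fail", "recommendation": "Add Strict-Transport-Security header"},
  {"header": "CSP", "status": "fail", "recommendation": "Add Content-Security-Policy header"},
  {"header": "X-Frame-Options", "status": "fail", "recommendation": "Add X-Frame-Options header"}]}
{"url": "https://admin.example", "status": 200, "checks": [
  {"header": "HSTS", "status": "pass", "message": "Header present"},
  {"header": "CSP", "status": "fail", "recommendation": "Add Content-Security-Policy header"},
  {"header": "X-Frame-Options", "status": "pass", "message": "SAMEORIGIN"}]}
"""


def load_reports(text: str) -> list[dict]:
    """Parse concatenated JSON objects; json.loads alone rejects more than one."""
    decoder = json.JSONDecoder()
    reports, pos = [], 0
    while True:
        while pos < len(text) and text[pos].isspace():
            pos += 1
        if pos >= len(text):
            return reports
        obj, pos = decoder.raw_decode(text, pos)
        reports.append(obj)


def failures_by_header(reports: list[dict]) -> dict[str, list[str]]:
    """Map each failing header to the sorted URLs that fail it."""
    failed = defaultdict(list)
    for report in reports:
        for check in report.get("checks", []):
            if check.get("status") == "fail":
                failed[check["header"]].append(report["url"])
    return {h: sorted(urls) for h, urls in failed.items()}


def inconsistent_headers(reports: list[dict]) -> list[str]:
    """Headers that pass on some endpoints and fail on others."""
    outcomes = defaultdict(set)
    for report in reports:
        for check in report.get("checks", []):
            outcomes[check["header"]].add(check.get("status"))
    return sorted(h for h, seen in outcomes.items() if {"pass", "fail"} <= seen)


def remediation_plan(reports: list[dict]) -> list[tuple[str, int, str]]:
    """Headers failing on the most endpoints first, each with its fix value."""
    failed = failures_by_header(reports)
    ranked = sorted(failed.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(h, len(urls), REMEDIATION.get(h, "see humble's recommendation")) for h, urls in ranked]


if __name__ == "__main__":
    reports = load_reports(SAMPLE_REPORT)
    for header_name, count, fix in remediation_plan(reports):
        print(f"{header_name}: fails on {count}/{len(reports)} endpoints -> {fix}")
    print("inconsistent across endpoints:", ", ".join(inconsistent_headers(reports)))
```

To run it on real output, replace `SAMPLE_REPORT` with the contents of the appended report file; `load_reports` handles the multi-object file without needing jq.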

| Issue | Solution |
|---|---|
| Connection timeout | Increase timeout: humble -t 60 http://example.com |
| SSL certificate error | Check certificate validity or use HTTP |
| Proxy errors | Verify proxy address and port |
| Empty results | Check URL accessibility and network connectivity |
| Header parsing fails | Try verbose mode: humble -v http://example.com |

  • Analyze all in-scope URLs
  • Test both HTTP and HTTPS endpoints
  • Verify header consistency across endpoints
  • Document all missing security headers
  • Create remediation plan with priorities
  • Retest after fixes are applied
#!/bin/bash
# Security header assessment script
set -u

TARGET="${1:?usage: $0 <hostname>}"
STAMP="$(date +%s)"
OUTPUT="header_assessment_${STAMP}.txt"
JSON="header_assessment_${STAMP}.json"   # raw JSON kept separate so jq can parse it

echo "Analyzing: $TARGET" | tee "$OUTPUT"
echo "Date: $(date)" | tee -a "$OUTPUT"
echo "---" | tee -a "$OUTPUT"

# Analyze target, keeping the JSON output in its own file
humble -a -j "https://$TARGET" | tee "$JSON"

# Extract findings from the JSON file, not from the mixed-text report
echo "FINDINGS:" | tee -a "$OUTPUT"
jq -r '.checks[] | select(.status=="fail") | "\(.header): \(.recommendation)"' "$JSON" | tee -a "$OUTPUT"

echo "Report saved to: $OUTPUT (raw JSON: $JSON)"
  • Explicit Permission: Only analyze headers for systems you own or have written authorization to test
  • Scope: Adhere to defined testing scope and boundaries
  • Documentation: Keep detailed records of all assessments
  • Remediation Tracking: Document and follow up on remediation efforts
  • curl: HTTP client for header inspection
  • nc/ncat: Manual HTTP testing
  • Burp Suite: Professional web security testing
  • OWASP ZAP: Automated web security scanning
  • httpx: Fast HTTP probe and response capture
  • sectoolkit: Security header checking tool