klyrek-headers¶
Status: live on PyPI — pip install klyrek-headers
Passive HTTP security header checks: HSTS, CSP, X-Content-Type-Options, clickjacking protection, Referrer-Policy, Permissions-Policy, information disclosure (Server/X-Powered-By), CORS misconfiguration, and cookie flag checks (Secure/HttpOnly/SameSite).
Real finding this catches on the sandbox's API (api.sandbox.klyrek.com):
{
"title": "CORS wildcard origin combined with allowed credentials",
"severity": "high",
"description": "Access-Control-Allow-Origin: * together with Access-Control-Allow-Credentials: true is a well-known misconfiguration pattern...",
"evidence": ["Access-Control-Allow-Origin: *", "Access-Control-Allow-Credentials: true"],
"module": "klyrek-headers"
}
Access-Control-Allow-Origin: * alone is a LOW finding; combined with Access-Control-Allow-Credentials: true it escalates to HIGH, since that specific combination is a well-documented real-world misconfiguration pattern.
API reference¶
klyrek_headers.checks ¶
Individual HTTP security header checks.
Each check takes an httpx.Response and returns zero or more Finding objects.
Checks are intentionally passive (header inspection only) — they flag configuration
patterns worth a human's attention, not confirmed exploits.
klyrek_headers.analyzer ¶
Run all header checks against a response and collect the resulting Findings.
analyze ¶
Run every registered header check against a response.
endpoint, if given, is attached to each resulting Finding so it can be traced
back to where it was found in a larger ScanResult.