check on http headers

Started by pamsniffer, April 23, 2018, 04:13:37 AM


pamsniffer

Hi,
How can I check on the HTTP headers if, for example, the X-XSS-Protection header exists?


thx

PAm

td

It depends on how you are acquiring the webpage in the first place. For example, if you are using COM Automation and the "WinHttp.WinHttpRequest.5.1" object, you could use the "GetResponseHeader" or "GetAllResponseHeaders" methods to check for your header of interest. On the other hand, if you are using the WinInet Extender, you could use the "iHttpHeaders" function to get a complete list of response headers.

If you are accessing the site with some other tool, you will need to use whatever that tool provides for HTTP header examination.
"No one who sees a peregrine falcon fly can ever forget the beauty and thrill of that flight."
  - Dr. Tom Cade


pamsniffer

Did some coding


       tophandle=iBegin(0,"","")
       connecthandle=iHostConnect(tophandle, "%aline%", @HTTP,"","")
       datahandle=iHttpInit(connecthandle, "GET", "/", "",0)
       rslt=iHttpOpen(datahandle,"", 0, 0)
       headers=iHttpHeaders(datahandle)
       iClose(datahandle)
       iClose(connecthandle)
       iClose(tophandle)
       delay(1)

       ; CHECK IF SERVER IS ON

       if headers == @TAB then exit

       ; Default to disabled; it only becomes ENABLED if the header is found with a non-zero value
       XXS="Disabled"
       ; StrIndexNC returns 0 (not -1) when the string is not found
       ptr=StrIndexNC(headers,"X-XSS-Protection: ",0,@FWDSCAN)
       If ptr != 0
          ; Header entries are tab-separated; the value runs up to the next tab, or to the end of the string
          ptr2=StrIndex(headers,@TAB,ptr,@FWDSCAN)
          If ptr2==0 Then ptr2=StrLen(headers)+1
          ptr=ptr+StrLen("X-XSS-Protection: ")
          XXS=StrTrim(StrSub(headers,ptr,ptr2-ptr))
          ; A value of "0" explicitly turns the filter off, so only a non-zero value counts as enabled
          If XXS != "" && StrSub(XXS,1,1) != "0"
            XXS="ENABLED"
           Else
            XXS="Disabled"
          endif
       EndIf
       

thx for the direction

stanl

Out of curiosity... why are you checking headers instead of error codes?

pamsniffer

I am checking for HTTP security headers to protect the web browser client.

The program now checks all HTTP security headers.


https://www.keycdn.com/blog/http-security-headers/

Pam
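The header check from the code post above, generalised to the full set of security headers the last post refers to, as an added example written for this thread (not pamsniffer's WinBatch code and not the KeyCDN article's code). It assumes you already have the raw response header text, either CRLF-separated as GetAllResponseHeaders returns it or tab-separated as the WinBatch code above splits it; the sample response is constructed. It handles the case the thread's code needs to get right: X-XSS-Protection present but set to 0 is disabled, not enabled.

```python
import re

def _xss_protection(value):
    # Present but "0" explicitly disables the filter, so it must not count as enabled.
    if value is None:
        return "MISSING", "header absent"
    if value.strip().startswith("0"):
        return "DISABLED", "explicitly set to 0"
    return "ENABLED", value.strip()

def _present(value):
    return ("MISSING", "header absent") if value is None else ("PRESENT", value.strip())

# Headers named in the thread and in the KeyCDN list the last post links to.
CHECKS = {
    "X-XSS-Protection": _xss_protection,
    "Content-Security-Policy": _present,
    "Strict-Transport-Security": _present,
    "X-Frame-Options": _present,
    "X-Content-Type-Options": _present,
    "Referrer-Policy": _present,
}

def parse_headers(raw):
    """Parse CRLF/LF- or TAB-separated header text into a lower-cased name -> value dict.
    The status line is skipped; repeated headers are joined with ', ' as HTTP allows."""
    headers = {}
    for line in re.split(r"\r?\n|\t", raw):
        line = line.strip()
        if not line or line.upper().startswith("HTTP/") or ":" not in line:
            continue
        name, value = line.split(":", 1)
        key = name.strip().lower()
        headers[key] = (headers[key] + ", " + value.strip()) if key in headers else value.strip()
    return headers

def check_security_headers(raw):
    # Header names are matched case-insensitively, as the protocol requires.
    headers = parse_headers(raw)
    return {name: fn(headers.get(name.lower())) for name, fn in CHECKS.items()}

# Constructed sample response: X-XSS-Protection present but 0, CSP and Referrer-Policy absent.
SAMPLE = (
    "HTTP/1.1 200 OK\r\n"
    "x-xss-protection: 0\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "X-Frame-Options: DENY\r\n"
)
```

Calling check_security_headers(SAMPLE) reports X-XSS-Protection as DISABLED rather than ENABLED, and lists the absent headers as MISSING.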