Add New Module: HTTP Security Headers Detection

[lvb05]

Feature Request: Add HTTP Security Headers Detection Module

I would like to propose adding a small new module to Nettacker that checks for common web security headers. Missing headers are a frequent security misconfiguration and are easy to detect with a lightweight HTTP check.

Proposed Behavior

For each target URL:

• Send a simple HTTP GET request
• Check for the presence of important security headers:
  • Strict-Transport-Security
  • X-Frame-Options
  • Content-Security-Policy
  • X-Content-Type-Options
  • Referrer-Policy
  • Permissions-Policy
• Report which headers are missing or misconfigured

Output Example

The module would return:

• target URL
• header name
• present/missing
• details if applicable

Why This Helps

• Very common security issue
• Complements existing HTTP modules
• Quick to scan and lightweight
• Useful for automation and baseline security checks

Implementation Plan

If the maintainers approve, I can work on:

• Creating the module under modules/
• Writing the core header-detection logic
• Integrating with Nettacker reporting format
• Adding simple unit tests
• Updating documentation

Please let me know if this would be a valuable addition. I would be happy to implement it.

[coderabbitai]

📝 CodeRabbit Plan Mode

Generate an implementation plan and prompts that you can use with your favorite coding agent.

• Create Plan

Examples

• Example 1
• Example 2

🔗 Similar Issues

Related Issues

• OWASP/Nest#2118
• OWASP/Nest#2715
• OWASP/Nest#2439
• OWASP/Nest#2809
• OWASP/Nest#2156

🔗 Related PRs

#1107 - [feature] add custom headers for http requests via CLI and remove sensitive headers before adding it to the database [merged]
#1109 - New module to detect PaloAlto GlobalProtect XSS CVE-2025-0133 [merged]
#1124 - New module: crushftp_lastpatcheddate_scan [merged]
#1125 - New module: adobe_aem_lastpatcheddate_scan [merged]
#1126 - New module to detect CrushFTP CVE-2025-31161 [merged]

👤 Suggested Assignees

• securestep9
• rudransh-shrivastava
• aryanguptacsvtu
• debug-soham
• arkid15r

---

🧪 Issue enrichment is currently in early access.

To disable automatic issue enrichment, add the following to your .coderabbit.yaml:

issue_enrichment:
  auto_enrich:
    enabled: false

[pUrGe12]

We have modules for individual vulnerability detection due to these missing headers. For example, modules/vuln/strict_transport_security.yaml. This helps in better separation of their severity.

[lvb05]

Got it, thanks for the clarification.
I understand why these checks are split into individual modules to keep severity and reporting clean. I’ll go through the existing header-related modules to see how they’re structured and what’s already covered.
I’ll follow up with a more aligned proposal after reviewing the current modules.