mozilla / http-observatory

Mozilla HTTP Observatory
https://observatory.mozilla.org/
Mozilla Public License 2.0
1.86k stars 170 forks source link

[!IMPORTANT]

⚠️ Deprecation Announcement for Mozilla HTTP Observatory

Dear Mozilla Observatory Users,

This code repository is now deprecated. There is a Node/Javascript based replacement available, that has updated scoring and backs the HTTP Observatory service on MDN.

🛠️ What This Means

  • No Further Updates: We will no longer be providing updates, bug fixes, or new features for this repository.
  • Limited Support: Official support will be discontinued.
  • Archival: The repository will be archived soon, making it read-only.

🔍 Alternatives and Recommendations

We recommend transitioning to HTTP Observatory, maintained by MDN.

📦 Migration Guide

To assist you in transitioning, we have prepared a Migration Guide that covers steps to migrate your existing setup to the alternative.

Mozilla HTTP Observatory

The Mozilla HTTP Observatory is a set of tools to analyze your website and inform you if you are utilizing the many available methods to secure it.

It is split into three projects:

Scanning sites with the HTTP Observatory

Sites can be scanned using:

Development

Prerequisites

Notes

These instructions assume that you have a working Python3.11 development environment with pip installed and capable of building requirements, which may require installing an additional python OS package (-dev, -devel).

# Clone the code
$ git clone https://github.com/mozilla/http-observatory.git
$ cd http-observatory
# Install poetry
$ pip install poetry
# Install the project dependencies and scripts
$ poetry install
# Activate the virtual environment
$ poetry shell
# Install the pre-commit hooks
$ pre-commit install
# copy and edit the config file
$ cp httpobs/conf/httpobs.conf ~/.httpobs.conf
$ nano ~/.httpobs.conf
# start the dev server
$ httpobs-server

Running tests

nosetests httpobs/tests --with-coverage --cover-package=httpobs

Running a scan from the local codebase, without DB, for continuous integration

# Install the HTTP Observatory
$ git clone https://github.com/mozilla/http-observatory.git
$ cd http-observatory
$ pip install poetry
$ poetry install

Using the scanner function calls

>>> from httpobs.scanner import scan
>>> scan('observatory.mozilla.org')  # a scan with default options
>>> scan('observatory.mozilla.org',  # all the custom options
         http_port=8080,             # http server runs on port 8080
         https_port=8443,            # https server runs on port 8443
         path='/foo/bar',            # don't scan /, instead scan /foo/bar
         cookies={'foo': 'bar'},     # set the "foo" cookie to "bar"
         headers={'X-Foo': 'bar'},   # send an X-Foo: bar HTTP header
         verify=False)               # treat self-signed certs as valid for tests like HSTS

The same, but with the local CLI

$ poetry shell
$ httpobs-local-scan --http-port 8080 --https-port 8443 --path '/foo/bar' \
    --cookies '{"foo": "bar"}' --headers '{"X-Foo": "bar"}' --no-verify mozilla.org

Authors

License