hstspreload

hstspreload Description

The hstspreload library allows you to check if a site is on the HSTS preload list. The check is performed offline, without using third-party services.

HSTS (short for HTTP Strict Transport Security) is a mechanism that forcibly activates a secure connection via the HTTPS protocol.

There are 2 ways that web browsers can find out that a site uses HSTS:

1) The HTTP header of the web server indicates that this website uses HSTS.

After receiving such a header, the user's web browser remembers that this site uses HSTS and subsequently tries to connect to it only via the HTTPS protocol, prohibiting the use of HTTP.

2) Preload lists that contain sites using HSTS. This list is maintained by Google and is supported by all web browsers.

Since HSTS preload is in the source code of the Chromium web browser, and the source code of this web browser is open, you can check domains for the presence of HSTS preload using this file.

hstspreload provides the Chromium HSTS preload list as a Python package.

The package provides one function: in_hsts_preload(), which takes an IDNA-encoded host and returns True or False regarding whether this host should be accessed only via HTTPS.

This package is entirely created by an automated script that runs once a month. That is, the data in this package is updated once a month.

The file used as the data source (Base64 encoded file): https://chromium.googlesource.com/chromium/src/+/main/net/http/transport_security_state_static.json?format=TEXT

Homepage: https://github.com/sethmlarson/hstspreload

Author: Seth Michael Larson

License: BSD-3

hstspreload Help

The package provides one function: in_hsts_preload(), which takes an IDNA-encoded host and returns True or False regarding whether the host should only be accessed via HTTPS.

You can import the hstspreload module in a Python script and call the in_hsts_preload() function from there.

So, if the domain being checked is in the HSTS preload list, True will be returned. If the domain is not in the list, False will be returned.

hstspreload Manual

The man page is missing.

hstspreload Usage Example

Create a file hstspreload_checker.py and copy the following content into it:

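from sys import argv
import hstspreload

# The host to check is the first command-line argument (IDNA-encoded)
host = argv[1]
# Prints True if the host is in the HSTS preload list, otherwise False
print(hstspreload.in_hsts_preload(host))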

Run the file as follows:

python hstspreload_checker.py DOMAIN

For example, the following command will check if the domain suip.biz is in the HSTS preload list:

python hstspreload_checker.py suip.biz

More examples of checking:

python hstspreload_checker.py hackware.ru
python hstspreload_checker.py youtube.com
python hstspreload_checker.py paypal.com
python hstspreload_checker.py www.paypal.com

You can also check top-level domains (TLDs):

python hstspreload_checker.py com
python hstspreload_checker.py net
python hstspreload_checker.py dev
python hstspreload_checker.py microsoft
python hstspreload_checker.py youtube

If a top-level domain is added to the HSTS preload list, then all second-level and any subdomains will also be accessible only via HTTPS:

python hstspreload_checker.py just.whatever.if.dev
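The following is an added example, not part of the original page and not the hstspreload package's own code: it shows how a lookup against the Chromium list file described above can work, including the rule that a preloaded parent such as a TLD covers all of its subdomains, and it also handles Unicode hosts and entries that match only the exact name. The list data is a small constructed sample in the file's layout, and load_preload_entries and is_preloaded are hypothetical helper names.

```python
import base64
import json

# Constructed sample in the layout of transport_security_state_static.json
# (entries with "name", "mode" and "include_subdomains"); not real list data.
SAMPLE_JSON = """
// comment lines like this one appear in the Chromium file
{
  "entries": [
    { "name": "dev", "mode": "force-https", "include_subdomains": true },
    { "name": "example.org", "mode": "force-https", "include_subdomains": true },
    { "name": "exact.example.net", "mode": "force-https" }
  ]
}
"""
# The ?format=TEXT URL serves the file Base64-encoded, so the sample is too.
SAMPLE_B64 = base64.b64encode(SAMPLE_JSON.encode("utf-8"))


def load_preload_entries(b64_blob):
    """Decode the Base64 download and map host -> include_subdomains."""
    text = base64.b64decode(b64_blob).decode("utf-8")
    # Drop whole-line // comments, which plain JSON parsers reject.
    body = "\n".join(ln for ln in text.splitlines() if not ln.lstrip().startswith("//"))
    entries = {}
    for entry in json.loads(body)["entries"]:
        if entry.get("mode") == "force-https":
            entries[entry["name"]] = bool(entry.get("include_subdomains", False))
    return entries


def is_preloaded(host, entries):
    """Return True if host, or a parent listed with include_subdomains, is preloaded."""
    # IDNA-encode so Unicode hosts compare against the ASCII names in the list.
    labels = host.rstrip(".").lower().encode("idna").decode("ascii").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in entries and (i == 0 or entries[candidate]):
            return True
    return False


if __name__ == "__main__":
    table = load_preload_entries(SAMPLE_B64)
    for name in ("just.whatever.if.dev", "sub.exact.example.net", "example.com"):
        print(name, is_preloaded(name, table))
```
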

How to install hstspreload

Installation on Kali Linux

You can choose either of the following two installation methods:

#1. Installing with pip:

pip install --break-system-packages hstspreload

To update a package installed in this way, run the command:

pip install --break-system-packages -U hstspreload

#2. Installing from GitHub:

git clone https://github.com/sethmlarson/hstspreload
cd hstspreload
sudo python setup.py install

To update a package installed this way, run the command:

cd hstspreload
git pull
sudo python setup.py install

Installation on BlackArch

pikaur -S aur/python-hstspreload

See also: Automatic installation and update of AUR packages

Installation on Debian, Linux Mint, Ubuntu

pip install --break-system-packages hstspreload

To update a package installed this way, run the command:

pip install --break-system-packages -U hstspreload
