hstspreload
hstspreload Description
The hstspreload library allows you to check if a site is on the HSTS preload list. The check is performed offline, without using third-party services.
HSTS (short for HTTP Strict Transport Security) is a mechanism that forcibly activates a secure connection via the HTTPS protocol.
There are 2 ways that web browsers can find out that a site uses HSTS:
1) The HTTP header of the web server indicates that this website uses HSTS.
After receiving such a header, the user's web browser remembers that this site uses HSTS and subsequently tries to connect to it only via the HTTPS protocol, prohibiting the use of HTTP.
2) A preload list of sites that use HSTS. This list is maintained by Google and is supported by all web browsers. For more information, see the links:
- https://hstspreload.org/
- https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security
Since HSTS preload is in the source code of the Chromium web browser, and the source code of this web browser is open, you can check domains for the presence of HSTS preload using this file.
hstspreload is a Chromium HSTS Preload list as a Python package.
The package provides one function: in_hsts_preload(), which takes an IDNA-encoded host and returns True or False regarding whether this host should be accessed only via HTTPS.
This package is entirely created by an automated script that runs once a month. That is, the data in this package is updated once a month.
The file used as the data source (Base64 encoded file): https://chromium.googlesource.com/chromium/src/+/main/net/http/transport_security_state_static.json?format=TEXT
Homepage: https://github.com/sethmlarson/hstspreload
Author: Seth Michael Larson
License: BSD-3
hstspreload Help
The package provides one function: in_hsts_preload(), which takes an IDNA-encoded host and returns True or False regarding whether the host should only be accessed via HTTPS.
You can import the hstspreload module in a Python script and call the in_hsts_preload() function from there.
So, if the domain being checked is in the HSTS preload list, True will be returned. If the domain is not in the list, False will be returned.
hstspreload Manual
The man page is missing.
hstspreload Usage Example
Create a file hstspreload_checker.py and copy the following content into it:
from sys import argv
import hstspreload

host = argv[1]
print(hstspreload.in_hsts_preload(host))
Run the file as follows:
python hstspreload_checker.py DOMAIN
For example, the following command will check if the domain suip.biz is in the HSTS preload list:
python hstspreload_checker.py suip.biz
More examples of checking:
python hstspreload_checker.py hackware.ru
python hstspreload_checker.py youtube.com
python hstspreload_checker.py paypal.com
python hstspreload_checker.py www.paypal.com
You can also check top-level domains (TLDs):
python hstspreload_checker.py com
python hstspreload_checker.py net
python hstspreload_checker.py dev
python hstspreload_checker.py microsoft
python hstspreload_checker.py youtube
If a top-level domain is added to the HSTS preload list, then all second-level and any subdomains will also be accessible only via HTTPS:
python hstspreload_checker.py just.whatever.if.dev
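The lookup rule behind these results (an exact entry always matches, while a parent domain or TLD matches only if it covers subdomains) can be seen in the following added example. It is not code from the hstspreload package or from this page's author. It uses only the standard library and a constructed sample shaped like the "entries" array of Chromium's transport_security_state_static.json; the host names in it are made up, and the helper names load_entries, normalize and is_preloaded are hypothetical.

```python
import json

# Constructed sample in the shape of the "entries" array of Chromium's
# transport_security_state_static.json. These are NOT real list contents.
# (The real file also contains // comment lines that must be stripped
# before it can be parsed as JSON.)
SAMPLE_JSON = """
{"entries": [
  {"name": "tld-example", "mode": "force-https", "include_subdomains": true},
  {"name": "shop.example", "mode": "force-https", "include_subdomains": true},
  {"name": "exact.example", "mode": "force-https", "include_subdomains": false},
  {"name": "pins-only.example", "include_subdomains": true}
]}
"""

def load_entries(text):
    """Map host name -> include_subdomains for entries that force HTTPS."""
    entries = json.loads(text)["entries"]
    return {e["name"]: bool(e.get("include_subdomains", False))
            for e in entries if e.get("mode") == "force-https"}

def normalize(host):
    """Lower-case, drop a trailing dot, and IDNA-encode a Unicode host name."""
    return host.strip().rstrip(".").lower().encode("idna").decode("ascii")

def is_preloaded(host, table):
    """True if host, or a parent that sets include_subdomains, is listed."""
    labels = normalize(host).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        # i == 0 is the host itself; any other match is a parent domain or TLD
        if candidate in table and (i == 0 or table[candidate]):
            return True
    return False

TABLE = load_entries(SAMPLE_JSON)

if __name__ == "__main__":
    for h in ["shop.example", "a.b.shop.example", "exact.example",
              "www.exact.example", "just.whatever.tld-example",
              "pins-only.example", "bücher.shop.example"]:
        print(h, is_preloaded(h, TABLE))
```

An entry without "mode": "force-https" is skipped here, and a parent entry with include_subdomains set to false does not cover its subdomains.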
How to install hstspreload
Installation on Kali Linux
You can choose any of the following two installation methods:
#1. Installing with pip:
pip install --break-system-packages hstspreload
To update a package installed in this way, run the command:
pip install --break-system-packages -U hstspreload
#2. Installing from GitHub:
git clone https://github.com/sethmlarson/hstspreload
cd hstspreload
sudo python setup.py install
To update a package installed this way, run the command:
cd hstspreload
git pull
sudo python setup.py install
Installation on BlackArch
pikaur -S aur/python-hstspreload
See also: Automatic installation and update of AUR packages
Installation on Debian, Linux Mint, Ubuntu
pip install --break-system-packages hstspreload
To update a package installed this way, run the command:
pip install --break-system-packages -U hstspreload
hstspreload Tutorials
- How to check if a website uses HSTS and HSTS preload
- Check if a website uses HSTS and HSTS preload
- Check HSTS preload status