Utilising the check-my-headers library, this a check to be used either locally on a machine, or in a GitHub Action.
Install npm package:
npm install -g quick-security-headers-check
Once installed, checks can be made for headers of any URL with the following command:
headers-check https://<VALID_URL>
To uninstall:
npm uninstall -g quick-security-headers-check
On open PR:
- Check headers of a given URL.
- Report back findings to a PR comment.
A working sample of a GitHub Action workflow can be found here.
The below should be placed in a yml file under .github/workflows/security-header-check.yml:
name: security-headers-check
on:
pull_request:
types: [opened]
jobs:
security-headers-check:
runs-on : ubuntu-latest
name : Check headers for violations of security best practises
steps:
- name : Security headers check
id : headerscheck
uses: AudreyBudryte2/security-headers@v2
with:
url: 'https://<CHANGE_ME>'
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
- name: Comment results of security headers check
uses: mb2dev/[email protected]
with:
message: "${{steps.headerscheck.outputs.header-issues}}"
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
Insert the URL that should scanned here:
url: 'https://<CHANGE_ME>'