HTTP headers play a crucial role in web security, yet they are often overlooked. Misconfigured or missing HTTP security headers can expose your web application to attacks like host header injection, XSS, clickjacking, and MIME sniffing.
In this comprehensive guide, we’ll walk you through how to test HTTP header security using Kali Linux tools such as Curl, WhatWeb, Nikto, and Burp Suite. Whether you’re an ethical hacker, bug bounty hunter, or IT admin, this tutorial will help you check security headers effectively.
For more cybersecurity insights, visit FaizanTech Core.
Table of Contents
- What Are HTTP Headers?
- Why You Must Test HTTP Header Security
- Step 1: View Raw Headers with Curl
- HTTP Header Security Analysis
- Step 2: Use WhatWeb for Technology Fingerprinting
- WhatWeb Scan Analysis Report
- Step 3: Scan with Nikto for Missing Security Headers
- Step 4: Intercept and Test with Burp Suite
- Bonus: Online Tools to Check Security Headers
- Tools Used in This Guide
- Conclusion
What Are HTTP Headers?
Before diving into testing, let’s understand what HTTP headers are.
HTTP Headers Explained
HTTP headers are key-value pairs sent between a web server and a client (browser). They control:
- Content types & encoding
- Caching policies
- Security protections (CSP, HSTS, X-Frame-Options)
- Session management (Cookies, Authorization)
Why HTTP Header Security Matters
A missing or misconfigured HTTP security header can lead to:
- Information leaks (server version, software details)
- Cross-Site Scripting (XSS) via unsafe content policies
- Clickjacking due to a missing X-Frame-Options header
- Host header injection attacks (improper redirects)
Testing header security ensures your web app isn’t exposed to these risks.
Why You Must Test HTTP Header Security
Attackers exploit weak HTTP header security to:
✔ Bypass security controls (CORS misconfigurations)
✔ Steal session tokens (insecure Set-Cookie flags)
✔ Perform phishing via Host header injection
✔ Trigger MIME-based attacks (missing X-Content-Type-Options)
By checking security headers, you can prevent these exploits.
Step 1: View Raw Headers with Curl
Curl is a command-line tool to fetch HTTP responses. Use it to check security headers quickly.
Command:
curl -I http://testphp.vulnweb.com/test.php
HTTP Header Security Analysis
Target: http://testphp.vulnweb.com/test.php
Server IP: 44.228.249.3
Web Server: nginx/1.19.0
Backend: PHP/5.6.40
Status Code: 404 Not Found
Identified Risks
1. Exposed Server Version
- Header: Server: nginx/1.19.0
- Risk: Reveals the exact web server version. Attackers can match known vulnerabilities against it.
- Fix: Configure the web server to hide the Server header or replace it with a generic name.
2. Exposed PHP Version
- Header: X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
- Risk: PHP 5.6 is end-of-life (EOL) and contains unpatched critical vulnerabilities, such as Remote Code Execution (RCE) and SQL injection flaws.
- Fix: Upgrade to a supported PHP version (e.g., PHP 8.1 or higher) and remove the X-Powered-By header.
3. Information Disclosure on Error Pages
- Issue: Even on a 404 Not Found page, the server leaks detailed header information.
- Risk: Helps attackers fingerprint the environment even when resources are missing.
- Fix: Customize 404 error pages to remove unnecessary headers.
Best Practices (Recommendations)
| Action | Recommendation |
|---|---|
| Hide Technology Stack | Disable Server and X-Powered-By headers in server config |
| Upgrade Outdated Software | Replace PHP 5.6 with a currently supported and secure version |
| Implement Security Headers | Add headers like X-Frame-Options, X-Content-Type-Options, Content-Security-Policy |
| Sanitize Error Responses | Configure friendly 404 pages that don’t reveal internal details |
Step 2: Use WhatWeb for Technology Fingerprinting
WhatWeb scans websites to detect backend technologies, helping identify outdated software.
Command:
whatweb http://testphp.vulnweb.com/test.php
WhatWeb Scan Analysis Report
Target URL: http://testphp.vulnweb.com/test.php
HTTP Status: 404 Not Found
IP Address: 44.228.249.3
Country: United States (US)
Web Server: nginx/1.19.0
Backend Language: PHP/5.6.40
X-Powered-By Header: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Identified Security Issues
1. Outdated Web Server (nginx/1.19.0)
- Risk: Nginx 1.19.0 was released in 2020 and is no longer maintained. Older versions may contain unpatched vulnerabilities like memory corruption, denial of service (DoS), or unauthorized access issues.
- Recommendation: Upgrade to the latest stable Nginx release and apply regular security patches.
2. End-of-Life PHP Version (5.6.40)
- Risk: PHP 5.6 reached EOL in January 2019. It’s no longer receiving security updates, exposing the server to known critical vulnerabilities (RCE, SQLi, memory issues).
- Recommendation: Upgrade to a currently supported PHP version (e.g., 8.1 or higher).
3. Leaking Technology Stack via Headers
- Header: X-Powered-By: PHP/5.6.40...
- Risk: Revealing internal tech details like PHP versions helps attackers fingerprint the environment and search for known exploits.
- Recommendation: Suppress or modify the X-Powered-By and Server headers. Use configuration files to disable header disclosure:
  - PHP: expose_php = Off
  - Nginx: server_tokens off;
4. 404 Page Leaking Sensitive Info
- Observation: Although the requested page does not exist (404), headers still disclose full server and PHP version details.
- Risk: Even non-existing pages give away environment data, which attackers can use to plan further attacks.
- Recommendation: Customize 404 pages to avoid revealing sensitive server information.
Overall Security Rating: Low to Medium
Your application is exposing outdated and potentially vulnerable components through its HTTP headers. This increases the attack surface and aids in reconnaissance during the early stages of a cyberattack.
Recommended Immediate Actions
| # | Action | Description |
|---|---|---|
| 1 | Upgrade PHP | Move from PHP 5.6 to PHP 8.1+ to reduce exposure to known vulnerabilities. |
| 2 | Update Nginx | Upgrade to the latest secure version (as of now, 1.24.0+) |
| 3 | Hide Headers | Disable or sanitize Server and X-Powered-By headers |
| 4 | Harden Error Pages | Ensure 404 and 500 error pages do not leak backend info |
| 5 | Implement HTTP Security Headers | Add X-Frame-Options, X-Content-Type-Options, Referrer-Policy, etc. |
Step 3: Scan with Nikto for Missing Security Headers
Nikto is a web server scanner that detects header vulnerabilities.
Command:
nikto -h http://testphp.vulnweb.com/test.php
Nikto Web Vulnerability Scan Report
Target: http://testphp.vulnweb.com/test.php
IP Address: 44.228.249.3
Web Server: nginx/1.19.0
Backend: PHP/5.6.40
Scan Tool: Nikto v2.5.0
Scan Duration: 118 seconds
Status: Completed with 3 findings and 20 errors
Key Vulnerabilities Identified
- Missing X-Frame-Options Header
  - Issue: This anti-clickjacking header is not set.
  - Risk: Allows the site to be embedded in an iframe, making it vulnerable to clickjacking attacks.
  - Fix: Add the header: X-Frame-Options: SAMEORIGIN
- Missing X-Content-Type-Options Header
  - Issue: This header, which prevents browsers from MIME-sniffing a response away from the declared content-type, is not set.
  - Risk: Could allow execution of malicious scripts by interpreting files incorrectly.
  - Fix: Add the header: X-Content-Type-Options: nosniff
- Exposed X-Powered-By Header
  - Info: Reveals the backend version, PHP/5.6.40 (end-of-life).
  - Risk: Discloses software version info, aiding attackers in identifying known exploits.
  - Fix: Remove or suppress the X-Powered-By header in the PHP config (expose_php = Off).
Other Notes
- No CGI directories found – good from a security standpoint.
- 20 errors reported – likely due to rate limiting, network issues, or malformed responses.
Recommended Actions
| Issue | Priority | Action |
|---|---|---|
| Missing security headers | High | Add X-Frame-Options, X-Content-Type-Options |
| Exposed PHP version | High | Upgrade to PHP 8.1+ and hide version info |
| Outdated server software | Medium | Upgrade nginx to a supported version |
| Error limit reached | Medium | Rerun scan with throttling (-Tuning option) |
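As an added example (not code from this guide or from the tools it covers), here is a small Python checker that parses the header block printed by curl -I and reports the same classes of findings the Curl and Nikto sections above discuss: missing security headers, version-disclosing Server and X-Powered-By values, and Set-Cookie entries without HttpOnly/Secure. The sample response is constructed to mirror the output quoted above; the Date and Set-Cookie lines are made up.

```python
from __future__ import annotations
import re

# Headers the guide recommends; absence is a finding.
REQUIRED = {
    "x-frame-options": "Missing X-Frame-Options (clickjacking)",
    "x-content-type-options": "Missing X-Content-Type-Options (MIME sniffing)",
    "content-security-policy": "Missing Content-Security-Policy (XSS)",
    "strict-transport-security": "Missing Strict-Transport-Security (HSTS)",
    "referrer-policy": "Missing Referrer-Policy",
}
# Headers that fingerprint the stack when they carry a version number.
DISCLOSING = ("server", "x-powered-by")
VERSION_RE = re.compile(r"\d+\.\d+")

def parse_headers(raw: str) -> tuple[str, dict[str, list[str]]]:
    """Split a curl -I style block into (status line, name -> values).
    Names are lower-cased; repeated headers such as Set-Cookie keep every value."""
    lines = [line for line in raw.strip().splitlines() if line.strip()]
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0].strip(), headers

def audit_headers(raw: str) -> list[str]:
    """Return the findings for one response: missing headers, weak X-Frame-Options,
    version disclosure, then cookies lacking HttpOnly/Secure."""
    _status, headers = parse_headers(raw)
    findings = [msg for name, msg in REQUIRED.items() if name not in headers]
    xfo = headers.get("x-frame-options", [""])[0].upper()
    if xfo and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(f"Weak X-Frame-Options value: {xfo}")
    for name in DISCLOSING:
        for value in headers.get(name, []):
            if VERSION_RE.search(value):
                findings.append(f"{name} discloses version: {value}")
    for cookie in headers.get("set-cookie", []):
        flags = {part.strip().lower() for part in cookie.split(";")[1:]}
        missing = [f for f in ("httponly", "secure") if f not in flags]
        if missing:
            findings.append(f"Set-Cookie '{cookie.split('=', 1)[0]}' lacks {', '.join(missing)}")
    return findings

# Constructed sample: Server and X-Powered-By are the values quoted in the guide,
# the Date and Set-Cookie lines are made up for the demonstration.
SAMPLE = """HTTP/1.1 404 Not Found
Server: nginx/1.19.0
Date: Mon, 01 Jan 2024 00:00:00 GMT
Content-Type: text/html; charset=UTF-8
X-Powered-By: PHP/5.6.40-38+ubuntu20.04.1+deb.sury.org+1
Set-Cookie: login=test; path=/
"""

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE):
        print("-", finding)
```

To audit a live host, pipe the output of curl -I into the script's standard input instead of using SAMPLE.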
Step 4: Intercept and Test with Burp Suite
Burp Suite is a powerful tool that helps you manually test for HTTP header security flaws, such as unauthorized access to admin areas via header manipulation.
Steps to Perform the Test:
- Configure Burp Proxy
  - Set your browser to use Burp’s proxy (default: 127.0.0.1:8080).
- Visit the Target Site
  - Open http://testphp.vulnweb.com in your browser.
  - Burp will intercept the HTTP request.
- Intercept and Modify Headers
  - In Proxy > Intercept, modify the request like this:
    GET / HTTP/1.1
    Host: testphp.vulnweb.com
    X-Original-URL: /admin.php
  - Forward the modified request.
- Review the Server Response
  - In HTTP History, check if the server responded with the admin panel page (status 200 OK with admin content).
Risk Identified:
- If the server accepts X-Original-URL and returns /admin.php, it confirms a header injection / access control bypass vulnerability.
- Attackers can gain access to restricted admin pages without proper authentication.
Bonus: Online Tools to Check Security Headers
For quick scans, use:
These tools check security headers and grade your site’s HTTP header security.
Tools Used in This Guide
| Tool | Purpose |
|---|---|
| Curl | View raw HTTP headers |
| WhatWeb | Detect server & tech stack |
| Nikto | Scan for missing security headers |
| Burp Suite | Manual header testing & injection |
Conclusion
Testing HTTP header security is essential to prevent attacks like host header injection, XSS, and clickjacking. Using Kali Linux tools, you can:
✔ Detect missing security headers
✔ Check for outdated server versions
✔ Test header injection vulnerabilities
Next Steps:
- Enforce Content-Security-Policy (CSP)
- Add X-Frame-Options: DENY
- Enable Strict-Transport-Security (HSTS)
For more penetration testing guides, visit FaizanTech Core.