Manual Testing Techniques
Manual Testing Techniques
Understanding manual testing methods provides foundational knowledge for security header validation:
Browser Developer Tools Testing
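// Browser console security header checker
(function checkSecurityHeaders() {
  // Response headers worth confirming on every page. x-xss-protection is
  // deprecated in current browsers and is listed only so its presence is
  // visible; its absence alone is not a finding.
  const securityHeaders = [
    'content-security-policy',
    'x-content-type-options',
    'x-frame-options',
    'strict-transport-security',
    'referrer-policy',
    'permissions-policy',
    'x-xss-protection',
  ];

  const pageUrl = window.location.href;

  /**
   * Log one line per expected header.
   * Headers.get() returns null when a header is absent, so compare against
   * null rather than relying on truthiness: an empty value is still "set"
   * (and worth seeing as such) rather than "NOT SET".
   * @param {Headers} headers - response headers of the fetched page
   */
  function reportHeaders(headers) {
    for (const header of securityHeaders) {
      const value = headers.get(header);
      if (value !== null) {
        console.log(`✓ ${header}: ${value}`);
      } else {
        console.warn(`✗ ${header}: NOT SET`);
      }
    }
  }

  /**
   * List the cookies visible to script.
   * document.cookie exposes only name=value pairs, never the Secure,
   * HttpOnly or SameSite attributes, so those must be read from the
   * DevTools Application/Storage panel. Anything printed here is, by
   * definition, readable by script and therefore not HttpOnly.
   */
  function reportCookies() {
    console.log('\nCookie Security:');
    // ''.split(';') yields [''], so drop empty entries before printing.
    const cookies = document.cookie
      .split(';')
      .map((cookie) => cookie.trim())
      .filter((cookie) => cookie.length > 0);
    if (cookies.length === 0) {
      console.log('No cookies readable by script');
      return;
    }
    for (const cookie of cookies) {
      console.log(`Cookie: ${cookie}`);
    }
  }

  // Re-fetch the current page (same origin, so every header is readable).
  // cache: 'no-store' makes the headers come from the server rather than a
  // cached copy. Only the final response for this URL is inspected; other
  // resources and intermediate redirect hops are not covered.
  fetch(pageUrl, { cache: 'no-store' })
    .then((response) => {
      console.log('Security Headers Report for:', pageUrl);
      console.log('=====================================');
      reportHeaders(response.headers);
      reportCookies();
    })
    .catch((error) => console.error('Error checking headers:', error));
})();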
Command-Line Testing with cURL
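#!/bin/bash
# security-headers-test.sh
#
# Fetch the response headers for one URL and report which common security
# headers are present. Only the single response for the given URL is
# examined: if it redirects, the redirect's headers are reported, not those
# of the page it points to.

URL=$1
if [ -z "$URL" ]; then
  echo "Usage: ./security-headers-test.sh <URL>"
  exit 1
fi

echo "Security Headers Test for: $URL"
echo "======================================="

# Fetch headers with a real GET (some servers answer HEAD differently),
# discard the body, and strip the CR that ends each header line so values
# print cleanly. --max-time stops a stalled server from hanging the script.
HEADERS=$(curl -sS --max-time 30 -o /dev/null -D - "$URL" | tr -d '\r')
if [ -z "$HEADERS" ]; then
  # Without this guard a failed request would be reported as every header
  # being "NOT SET", which is a false finding.
  echo "✗ No response headers received from $URL"
  exit 2
fi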
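# Check individual headers.
# check_header DISPLAY_NAME HEADER_PATTERN
#   HEADER_PATTERN is a lowercase "name:" prefix, matched case-insensitively
#   at line start (as a basic regex) against the global $HEADERS. Prints one
#   ✓ line per matching header, so a duplicated header is visible rather than
#   collapsed, or a single ✗ line when none matches. The value is everything
#   after the first colon with leading whitespace and trailing CR removed,
#   so "name:value" (no space) is handled as well as "name: value".
check_header() {
  local header_name=$1
  local header_pattern=$2
  local values
  values=$(printf '%s\n' "$HEADERS" \
    | grep -i "^$header_pattern" \
    | tr -d '\r' \
    | sed -E 's/^[^:]*:[[:space:]]*//')
  if [ -n "$values" ]; then
    printf '%s\n' "$values" | while IFS= read -r value; do
      echo "✓ $header_name: $value"
    done
  else
    echo "✗ $header_name: NOT SET"
  fi
}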
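check_header "Content-Security-Policy" "content-security-policy:"
check_header "X-Content-Type-Options" "x-content-type-options:"
check_header "X-Frame-Options" "x-frame-options:"
check_header "Strict-Transport-Security" "strict-transport-security:"
check_header "Referrer-Policy" "referrer-policy:"
check_header "Permissions-Policy" "permissions-policy:"

# Check for information-disclosure headers. Presence is what gets recorded;
# whether the printed value actually names a product or version is for the
# reviewer to judge (e.g. "Server: nginx" discloses less than a full version).
printf '\nProblematic Headers:\n'

# report_disclosure DISPLAY_NAME HEADER_PATTERN
#   Prints a ⚠ line with the header's value when HEADER_PATTERN (lowercase
#   "name:" prefix, matched case-insensitively at line start) is found in
#   the global $HEADERS; prints nothing otherwise.
report_disclosure() {
  local header_name=$1
  local header_pattern=$2
  local value
  value=$(printf '%s\n' "$HEADERS" \
    | grep -i "^$header_pattern" \
    | tr -d '\r' \
    | sed -E 's/^[^:]*:[[:space:]]*//')
  if [ -n "$value" ]; then
    echo "⚠ $header_name header present: $value"
  fi
}

report_disclosure "Server" "server:"
report_disclosure "X-Powered-By" "x-powered-by:"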