Use default scheme if non supplied

nicoSWD · Apr 22, 2019 · 6723a42 · 6723a42
1 parent 5615a0a
commit 6723a42
Show file tree

Hide file tree

Showing 3 changed files with 35 additions and 11 deletions.
diff --git a/README.md b/README.md
@@ -1,12 +1,24 @@
-# headsec (beta)
+# headsec (&beta;)
 [![Build Status](https://travis-ci.org/nicoSWD/headsec.svg?branch=master)](https://travis-ci.org/nicoSWD/headsec)
 [![Scrutinizer Code Quality](https://scrutinizer-ci.com/g/nicoSWD/headsec/badges/quality-score.png?b=master)](https://scrutinizer-ci.com/g/nicoSWD/headsec/?branch=master)
 
-Test a site's HTTP headers for possible security issues
+Test a site's HTTP headers for possible security issues. This is a little like Scott Helme's [SecurityHeaders.com](https://securityheaders.com/),
+but it can be run locally
+
+![screenshot](screenshots/screenshot.gif)
 
 **Basic usage**
+
+This will analise the headers returned by the supplied URL and print the results. By default, non-security headers
+are omitted in the output, but can be printed as well by passing the `--show-all-headers` flag (or `-a`)
 ```shell
-headsec https://www.target.com
+headsec google.com
+```
+
+By default it'll follow redirects and only print the results of the last URL. To stop following redirects, pass
+the `--ignore-redirects` flag (or `-r`)
+```shell
+headsec google.com --ignore-redirects
 ```
 
 **Advanced usage**
@@ -17,10 +29,6 @@ of the like, you can use `curl` and pipe the result to `headsec`
 curl https://yahoo.com/ --head -sS | headsec
 ```
 
-**Screenshot**
-
-![screenshot](screenshots/screenshot.gif)
-
 **Installation**
 
 ```shell

diff --git a/build/.gitkeep b/build/.gitkeep
diff --git a/src/Domain/URL/URL.php b/src/Domain/URL/URL.php
@@ -14,7 +14,7 @@ final class URL
     private const SCHEME_HTTPS = 'https';
     private const SCHEME_HTTP = 'http';
 
-    private const ALLOWED_PROTOCOLS = [
+    private const ALLOWED_SCHEMES = [
         self::SCHEME_HTTP,
         self::SCHEME_HTTPS,
     ];
@@ -24,6 +24,10 @@ final class URL
 
     public function __construct(string $url)
     {
+        if (!$this->urlHasScheme($url)) {
+            $url = sprintf('http://%s', $url);
+        }
+
         if (!$this->isValid($url)) {
             throw new Exception\InvalidUrlException();
         }
@@ -86,12 +90,24 @@ private function isValid(string $url): bool
             return false;
         }
 
-        $this->components = parse_url($url);
+        $components = parse_url($url);
 
-        if (!isset($this->components['scheme'], $this->components['host'])) {
+        if (!isset($components['host'], $components['scheme']) || !$this->isAllowedScheme($components['scheme'])) {
             return false;
         }
 
-        return in_array($this->components['scheme'], self::ALLOWED_PROTOCOLS, true);
+        $this->components = $components;
+
+        return true;
+    }
+
+    private function isAllowedScheme(string $scheme): bool
+    {
+        return in_array($scheme, self::ALLOWED_SCHEMES, true);
+    }
+
+    private function urlHasScheme(string $url): bool
+    {
+        return preg_match('~^[a-z][a-z\d\-\.]*://~i', $url) === 1;
     }
 }