mwjcomputing/ProtectiveHippo

ProtectiveHippo CLI

Validate HTTP response headers against OWASP Secure Headers defaults, plus optional custom rules.

Install

Build locally:

go build ./cmd/hippo

Run without installing:

go run ./cmd/hippo --help

Development

Run tests:

go test ./...

Usage

Check a URL with defaults:

hippo check https://example.com

Check with custom rules (JSON or YAML):

hippo check https://example.com --rules ./rules.yaml

Disable defaults and use only custom rules:

hippo check https://example.com --no-defaults --rules ./rules.json

JSON output:

hippo check https://example.com --output json

Disable colorized screen output:

hippo check https://example.com --no-color

Generate a template rules file:

hippo template --out ./rules.yaml

Commands

check

hippo check <url> [--rules path] [--no-defaults] [--output screen|text|json] [--no-color] [--method HEAD|GET] [--timeout 10s]

template

hippo template [--out path] [--format json|yaml]

Rules format

Rules are provided as JSON or YAML. The structure is:

  • require: list of required headers with name, value, and match.
  • forbid: list of header names that must not appear.

Match modes:

  • exact (default)
  • contains
  • regex

Rule override behavior

When you provide --rules along with defaults:

  • require rules are merged by header name (case-insensitive). A custom rule with the same header name replaces the default rule.
  • forbid rules are merged as a set (case-insensitive). Custom entries add to the list; duplicates are removed.

When you pass --no-defaults, only the custom rules file is used.
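
The merge behavior described above, as an added Go example that is not the project's own code. The type names, the Merge function and the sample rules are assumptions made for illustration; the sample values are constructed and are not the tool's shipped defaults.

```go
package main

import "fmt"
import "strings"

// Rule is one "require" entry (name, value, match); types here are assumed, not the project's.
type Rule struct{ Name, Value, Match string }

type RuleSet struct {
	Require []Rule
	Forbid  []string
}

// Merge: a custom require rule replaces the default with the same header name
// (case-insensitive); forbid lists are unioned case-insensitively, duplicates dropped.
func Merge(defaults, custom RuleSet) RuleSet {
	var out RuleSet
	pos := map[string]int{} // lower-cased header name -> index in out.Require
	for _, r := range append(append([]Rule{}, defaults.Require...), custom.Require...) {
		key := strings.ToLower(r.Name)
		if i, ok := pos[key]; ok {
			out.Require[i] = r // the later (custom) rule wins
			continue
		}
		pos[key] = len(out.Require)
		out.Require = append(out.Require, r)
	}
	seen := map[string]bool{}
	for _, h := range append(append([]string{}, defaults.Forbid...), custom.Forbid...) {
		if key := strings.ToLower(h); !seen[key] {
			seen[key] = true
			out.Forbid = append(out.Forbid, h)
		}
	}
	return out
}

func main() {
	// Constructed sample rules, not the tool's shipped defaults.
	defaults := RuleSet{
		Require: []Rule{{"X-Frame-Options", "deny", "exact"}, {"X-Content-Type-Options", "nosniff", "exact"}},
		Forbid:  []string{"Server", "X-Powered-By"},
	}
	custom := RuleSet{
		Require: []Rule{{"x-frame-options", "sameorigin", "exact"}},
		Forbid:  []string{"server", "X-AspNet-Version"},
	}
	fmt.Printf("%+v\n", Merge(defaults, custom))
}
```

Because a custom rule with the same header name replaces the default outright, a looser custom value relaxes the check for that header, so custom rules files are worth reviewing with that in mind.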
