The tinfoil gem
I attended BSides Vancouver last week (great job everyone!) and Mark Curphey had a good talk (Modern Software is Like Lego & WTF Don't People Use Secure Headers?) containing a statistic on how few websites use secure headers. His company even came up with a Web-based tool to find which websites contain secure headers. I love this idea but I found it lacked in one area: testing sites not publicly addressable on the Web. There are many more internal websites that could be sniffed or exploited inside company networks. So I went about writing a tool called tinfoil that allows anyone to check servers within their network.
Tinfoil is a command-line tool that simply calls out to a web server and checks both SSL and non-SSL ports for the existence of each of the 5 main secure headers. It is a very simple application but extremely useful when you want to run a report over a list of servers.
Head on over to its Github page for more information, installation instructions, and usage examples.