Advanced Web Application Firewall (WAF) Scanner Python Script

🛡️ Web App Firewall (WAF) & Security Header Scanner (Python Tool)

Welcome back to Technical AI. Securing a web application is the top priority for developers and network administrators. Before launching a server, it's crucial to audit its HTTP security headers and detect active Web Application Firewalls (WAF) like Cloudflare, AWS, or Akamai.

Using our built-in Ubuntu Terminal Emulator, you can now run our custom Python-based WAF Detection and Header Audit tool directly from your browser. No local Python environment required!

⚡ Key Features of this Audit Script

This automated security scanner performs a simulated deep-dive into server infrastructure:

  • WAF Detection: Identifies enterprise firewalls shielding the target domain.
  • Strict-Transport-Security (HSTS): Checks for encrypted HTTPS enforcement.
  • X-XSS-Protection: Analyzes anti-Cross Site Scripting (XSS) headers.
  • Clickjacking Defense: Audits the X-Frame-Options configurations.

🚀 How to Run the Scanner in Terminal

  1. Click the "Copy Code" button on the Python script box below.
  2. Open the "Ubuntu Terminal" from the top navigation bar.
  3. Right-click (or tap and hold) inside the terminal and select Paste.
  4. Press Enter to run the automated security audit!
WAF_Scanner.py
# Demo script: every result printed below is hard-coded to simulate a scan.
# No network requests are made (see the disclaimer at the end of the page).
import time

def run_waf_scanner():
    print("=======================================================")
    print(" 🛡️ ADVANCED WAF & HTTP SECURITY HEADER SCANNER")
    print("=======================================================")
    
    target_url = "https://target-server.com"
    print(f"\n[SYSTEM] Initializing secure audit for: {target_url}\n")
    time.sleep(1)
    
    # WAF DETECTION PHASE
    print("[+] PHASE 1: Web Application Firewall (WAF) Fingerprinting")
    time.sleep(1.5)
    print("  [*] Bypassing sandbox restrictions... Routing packets...")
    time.sleep(1)
    print("  ✅ Firewall Detected   : Cloudflare Enterprise WAF")
    print("  🛡️ Protection Level    : HIGH (DDoS Mitigation Active)")
    print("  📡 Server Signature    : cloudflare")
    
    time.sleep(1.5)

    # HTTP HEADERS PHASE
    print("\n[+] PHASE 2: HTTP Security Header Audit")
    time.sleep(1.5)
    
    headers = [
        {"name": "Strict-Transport-Security (HSTS)", "status": "SECURE", "color": "✅"},
        {"name": "X-Frame-Options (Clickjacking)", "status": "DENY", "color": "✅"},
        {"name": "X-XSS-Protection", "status": "1; mode=block", "color": "✅"},
        {"name": "X-Content-Type-Options", "status": "nosniff", "color": "✅"},
        {"name": "Server-Timing", "status": "VULNERABLE (Information Leak)", "color": "🚨"}
    ]
    
    for h in headers:
        print(f"  {h['color']} {h['name'].ljust(35)} : {h['status']}")
        time.sleep(0.5)

    time.sleep(1)
    print("\n[+] PHASE 3: Vulnerability Assessment Summary")
    print("  [!] The target is heavily shielded by a WAF.")
    print("  [!] Minor information leak found in Server-Timing header.")
    print("  [!] Recommendation: Mask backend timing metrics to prevent reconnaissance.")

    print("\n✅ SECURITY AUDIT COMPLETE. (Terminal Safe Execution)")
    print("=======================================================")

if __name__ == "__main__":
    run_waf_scanner()

Disclaimer: This is a browser-safe demonstration toolkit for educational and compliance auditing purposes. It operates on simulated parameters rather than live requests, so browser CORS restrictions do not apply.
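The script above prints a scripted result set. As an added example (not the Technical AI tool and not part of the original page), the following audit applies the same checks listed in the feature summary to a real set of response headers, here a constructed sample; the HSTS one-year threshold and the Server-header WAF signature table are assumptions of this example.

```python
import re

# Constructed sample response headers (not captured from any real server).
SAMPLE_HEADERS = {
    "Server": "cloudflare",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Server-Timing": "db;dur=53, app;dur=47.2",
}

# Substrings of the Server header that name a well-known WAF/CDN in front of the origin.
WAF_SIGNATURES = {"cloudflare": "Cloudflare", "awselb": "AWS ELB", "akamaighost": "Akamai"}

ONE_YEAR = 31536000  # assumed minimum HSTS max-age (the value preload lists require)


def detect_waf(headers):
    """Return the WAF/CDN product named by the Server header, or None."""
    server = {k.lower(): v for k, v in headers.items()}.get("server", "").lower()
    for needle, product in WAF_SIGNATURES.items():
        if needle in server:
            return product
    return None


def audit_headers(headers):
    """Map each check to (passed, detail). Header names are case-insensitive, so normalise first."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    results = {}
    hsts = h.get("strict-transport-security", "")
    m = re.search(r"max-age=(\d+)", hsts)
    max_age = int(m.group(1)) if m else 0
    results["HSTS"] = (max_age >= ONE_YEAR, hsts or "missing")
    xfo = h.get("x-frame-options", "").upper()
    results["X-Frame-Options"] = (xfo in ("DENY", "SAMEORIGIN"), xfo or "missing")
    xcto = h.get("x-content-type-options", "").lower()
    results["X-Content-Type-Options"] = (xcto == "nosniff", xcto or "missing")
    # Legacy header: current browsers ignore it and "1" modes caused problems in old ones,
    # so only "0" or absence passes.
    xxp = h.get("x-xss-protection")
    results["X-XSS-Protection"] = (xxp is None or xxp == "0", xxp or "absent")
    # Server-Timing exposes backend timing metrics, which the script above flags as a leak.
    st = h.get("server-timing")
    results["Server-Timing"] = (st is None, st or "absent")
    return results


if __name__ == "__main__":
    print("WAF:", detect_waf(SAMPLE_HEADERS) or "none detected")
    for name, (ok, detail) in audit_headers(SAMPLE_HEADERS).items():
        print(f"{'PASS' if ok else 'FAIL'} {name:24} {detail}")
```

To audit a live server you own, replace SAMPLE_HEADERS with the headers dict from an HTTP client response; the checks themselves need no change.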