whatisgithub

What is htrace.sh?

trimstray/htrace.sh — explained in plain English

Analysis updated 2026-06-26

3,854ShellAudience · ops devopsComplexity · 2/5LicenseSetup · easy

In one sentence

A command-line shell tool for inspecting websites, checking HTTP headers, SSL certificates, redirects, and security scores, with optional integration into external scanners like SSL Labs and nmap.

Mindmap

mindmap
  root((htrace.sh))
    What it does
      HTTP inspection
      SSL certificate check
      Security header audit
    Features
      Redirect tracing
      WAF detection
      Subdomain enum
      HTTP/2 test
    Tech Stack
      Bash shell
      Docker image
      External scanners
    Audience
      DevOps engineers
      Security auditors
Click or tap to explore — scroll the page freely

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Check the HTTP security headers and SSL certificate details of a website from the command line in one command.

USE CASE 2

Scan a site for mixed content issues, web application firewalls, and SSL protocol strength.

USE CASE 3

Enumerate subdomains of a target domain during a security audit.

USE CASE 4

Test whether a server supports HTTP/2 and which SSL ciphers it accepts.

What is it built with?

BashShellDocker

How does it compare?

trimstray/htrace.shmedicean/vulappsjonmosco/kube-ps1
Stars3,8543,7853,783
LanguageShellShellShell
Setup difficultyeasymoderateeasy
Complexity2/52/51/5
Audienceops devopsresearcherops devops

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · easy Time to first run · 5min

Docker image available for cleanest setup, native install requires external tool dependencies on Debian/Ubuntu/macOS.

Free to use and modify, but any software you distribute that includes this code must also be released under GPL v3.

So what is it?

htrace.sh is a command-line tool for diagnosing and inspecting websites, specifically how they respond over HTTP and HTTPS. You give it a URL and it tells you what the server is doing: what headers it sends back, whether it redirects you, what SSL certificate details it has, and what the response body looks like. It is aimed at developers and system administrators who want a fast, all-in-one way to check a website without opening a browser or writing custom scripts. Beyond basic inspection, the tool ties into several well-known external security scanners. You can run SSL protocol and cipher tests, check Mozilla's security header grader, scan for mixed content issues, probe with network scanning scripts, detect web application firewalls, enumerate subdomains, and test HTTP/2 support. Each of these is available as a separate flag, or you can run all scans at once with a single option. Installation is done by cloning the repository and running a setup script. The tool also comes with a Docker image if you prefer not to install dependencies on your local machine. It runs on Debian, Ubuntu, and macOS, though the README recommends using the Docker image for the cleanest experience since the external tools have their own dependencies. The license is GPLv3, meaning it is free to use and modify. The project has a wiki for more detailed documentation, and the tool itself includes a built-in examples flag that shows common usage patterns right in the terminal.

Copy-paste prompts

Prompt 1
I want to audit example.com for missing security headers and weak SSL config using htrace.sh. Show me the exact command to run all checks at once and what each result section means.
Prompt 2
Using htrace.sh, how do I check whether a site redirects HTTP to HTTPS correctly and whether the SSL certificate is valid and not expiring soon?
Prompt 3
I want to run htrace.sh via Docker so I do not need to install external dependencies on my Mac. Give me the exact docker run command to scan a URL and see the output.
Prompt 4
Explain what the WAF detection flag in htrace.sh does and what it tells me about whether a web application firewall is sitting in front of the server I am scanning.

Frequently asked questions

What is htrace.sh?

A command-line shell tool for inspecting websites, checking HTTP headers, SSL certificates, redirects, and security scores, with optional integration into external scanners like SSL Labs and nmap.

What language is htrace.sh written in?

Mainly Shell. The stack also includes Bash, Shell, Docker.

What license does htrace.sh use?

Free to use and modify, but any software you distribute that includes this code must also be released under GPL v3.

How hard is htrace.sh to set up?

Setup difficulty is rated easy, with roughly 5min to a first successful run.

Who is htrace.sh for?

Mainly ops devops.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.