onionlint is a CLI tool for anonymity risk diagnosis of .onion sites. It performs static checks and Tor-based crawling to detect potential anonymity risks such as external resource loading, tracking headers, insecure cookies, and fingerprinting vectors.
All traffic is routed through Tor to maintain anonymity during scanning.
This project was created to demonstrate and validate the capabilities of tornago, a lightweight Go wrapper around the Tor command-line tool. By building a practical application that leverages Tor's client functionality, we can showcase how tornago enables Go developers to easily integrate Tor-based networking into their applications.
onionlint serves as both a useful security tool and a real-world example of tornago in action - managing Tor daemon lifecycle, routing HTTP traffic through Tor's SOCKS5 proxy, and accessing .onion hidden services programmatically.
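The previous paragraph describes the two things a Tor-routed scanner has to get right: every request must go through the Tor SOCKS5 proxy, and nothing may be dialled directly. The following is an added example, not code from onionlint or tornago, of how that looks with only the Go standard library. It assumes a system Tor listening on 127.0.0.1:9050 (the default SOCKS port; adjust if yours differs), and the .onion hostname in `main` is constructed, not a real service. The fail-closed dialer works because, when `Transport.Proxy` returns a `socks5://` URL, net/http dials the proxy through `Transport.DialContext` and then sends the target hostname inside the SOCKS5 handshake, so the process never resolves or connects to the target itself; any dial to a different address is a leak and is refused. Redirects are not followed automatically, so a clearnet redirect is reported rather than fetched.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
	"net/http"
	"net/url"
	"regexp"
	"strings"
	"time"
)

// Errors returned by the guards below.
var (
	ErrNotOnion  = errors.New("target host is not a .onion address")
	ErrLeakyDial = errors.New("refusing to dial outside the Tor SOCKS proxy")
)

// onionV3 is a syntactic check for a Tor v3 onion hostname: 56 base32
// characters followed by ".onion". It does not verify the embedded checksum.
var onionV3 = regexp.MustCompile(`^[a-z2-7]{56}\.onion$`)

// IsOnionHost reports whether host (without port) looks like a v3 .onion address.
func IsOnionHost(host string) bool {
	return onionV3.MatchString(strings.ToLower(host))
}

// CheckTarget parses rawURL and rejects anything that is not an http(s) URL
// pointing at a .onion host, so the scanner never emits a clearnet request.
func CheckTarget(rawURL string) (*url.URL, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "http" && u.Scheme != "https" {
		return nil, fmt.Errorf("unsupported scheme %q", u.Scheme)
	}
	if !IsOnionHost(u.Hostname()) {
		return nil, fmt.Errorf("%w: %s", ErrNotOnion, u.Hostname())
	}
	return u, nil
}

// guardedDialer returns a DialContext that only ever connects to proxyAddr
// (host:port). net/http uses it to reach the SOCKS5 proxy and then sends the
// target hostname in the SOCKS handshake, so the only TCP connection this
// process should open is to Tor itself. Anything else is treated as a leak.
func guardedDialer(proxyAddr string) func(ctx context.Context, network, addr string) (net.Conn, error) {
	return func(ctx context.Context, network, addr string) (net.Conn, error) {
		if addr != proxyAddr {
			return nil, fmt.Errorf("%w: attempted direct connection to %s", ErrLeakyDial, addr)
		}
		d := &net.Dialer{Timeout: 30 * time.Second}
		return d.DialContext(ctx, network, addr)
	}
}

// NewTorClient builds an http.Client that routes through the SOCKS5 proxy at
// proxyAddr (e.g. "127.0.0.1:9050" for a system Tor, assumed here) and fails
// closed if anything tries to bypass it. Redirects are returned to the caller
// instead of being followed, so an off-.onion redirect can be reported.
func NewTorClient(proxyAddr string, timeout time.Duration) *http.Client {
	tr := &http.Transport{
		Proxy:       http.ProxyURL(&url.URL{Scheme: "socks5", Host: proxyAddr}),
		DialContext: guardedDialer(proxyAddr),
	}
	return &http.Client{
		Transport: tr,
		Timeout:   timeout,
		CheckRedirect: func(req *http.Request, via []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
}

func main() {
	client := NewTorClient("127.0.0.1:9050", 60*time.Second)
	// Constructed address: syntactically valid v3, not a real hidden service.
	target := "http://" + strings.Repeat("a", 55) + "d.onion/"
	u, err := CheckTarget(target)
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	resp, err := client.Get(u.String())
	if err != nil {
		fmt.Println("request failed (is Tor listening on 127.0.0.1:9050?):", err)
		return
	}
	defer resp.Body.Close()
	fmt.Println("status:", resp.Status)
}
```

Running `main` against the constructed hostname will fail at the proxy with a resolution error, which is the expected outcome; the point is that the failure happens inside Tor rather than as a clearnet DNS lookup from the scanning machine.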
Important
Legal Notice: This tool is intended for legitimate purposes only, such as privacy protection, security research, and authorized security auditing activities. Users are solely responsible for ensuring their use of this tool complies with all applicable laws and regulations. Do not use this tool for any illegal activities.
- Anonymity risk detection for .onion sites
- 34 built-in rules across 3 categories (Visitor Protection, Operator Protection, Attack Detection)
- Tor-based crawling with configurable depth
- Multiple output formats (text, JSON, Markdown)
- Configurable rules via YAML configuration file
- Embedded Tor daemon or system Tor support
```shell
go install github.com/nao1215/onionlint/cmd/onionlint@latest
```

Supported OS:
- Linux
- macOS
- Windows

Requirements:
- Go 1.25 or later
onionlint requires the Tor daemon to be installed on your system when using system Tor mode. The embedded Tor mode will automatically manage the Tor process.
Installation:

```shell
# Ubuntu/Debian
sudo apt update
sudo apt install tor

# Fedora/RHEL
sudo dnf install tor

# Arch Linux
sudo pacman -S tor

# macOS (Homebrew)
brew install tor
```

Basic scan:

```shell
onionlint scan http://example.onion/

# Scan with increased crawl depth
onionlint scan http://example.onion/ --depth 3

# Output as JSON
onionlint scan http://example.onion/ --format json

# Output as Markdown to file
onionlint scan http://example.onion/ --format md --out report.md

# Use custom configuration
onionlint scan http://example.onion/ --config custom.yml

# Use system Tor instead of embedded
onionlint scan http://example.onion/ --tor-mode system
```

List the available rules:

```shell
onionlint rules
```

Generate a configuration file:

```shell
onionlint init
```

This creates a .onionlint.yml file with default settings.
The .onionlint.yml file allows you to customize onionlint behavior:

```yaml
# Rule configuration
rules:
  # Disable specific rules
  disable:
    - favicon_fingerprint
    - update_pattern_leak
  # Or enable only specific rules (overrides disable)
  # enable:
  #   - no_external_resources
  #   - mixed_content_leak
  # Severity overrides
  severity:
    etag_tracking: high
    cookie_insecure: low

# Scan settings
scan:
  depth: 2
  timeout: 60s
```

onionlint includes 34 rules organized into 3 categories:
Visitor Protection (10 rules): rules that protect site visitors from tracking, fingerprinting, and deanonymization.

| Rule ID | Name | Severity | Description |
|---|---|---|---|
| no_external_resources | No External Resources | HIGH | Detects loading of external resources (scripts, stylesheets, images) from non-.onion domains that could leak user information |
| etag_tracking | ETag Tracking Risk | MEDIUM | Detects ETag headers that could be used to track users across sessions |
| csp_missing | Missing Content Security Policy | MEDIUM | Detects a missing Content-Security-Policy header, which helps prevent unauthorized resource loading |
| cookie_insecure | Insecure Cookie Configuration | MEDIUM | Detects cookies without Secure, HttpOnly, or SameSite attributes that could compromise user anonymity |
| favicon_fingerprint | Favicon Fingerprinting Risk | LOW | Detects favicon usage that could allow site identification through favicon hash fingerprinting |
| session_linkability | Session Linkability | HIGH | Detects persistent session identifiers that could enable user tracking and deanonymization |
| static_asset_fingerprint | Static Asset Fingerprint | MEDIUM | Detects unique hashes or version strings in static asset URLs that could identify the operator's environment |
| mixed_content_leak | Mixed Content Leak | HIGH | Detects clearnet resources (images, videos, iframes) that leak visitor IP addresses |
| cors_deanonymization | CORS Deanonymization | HIGH | Detects CORS configurations that could allow external sites to track or identify users |
| hsts_fingerprint_link | HSTS Fingerprint Link | MEDIUM | Detects HSTS configurations that could link the .onion identity to clearnet mirrors or enable supercookie tracking |
Operator Protection (18 rules): rules that protect site operators from identification and correlation attacks.

| Rule ID | Name | Severity | Description |
|---|---|---|---|
| custom_header_exposure | Custom Header Exposure | HIGH | Detects custom HTTP headers that could reveal server infrastructure or operator identity |
| error_disclosure | Error Disclosure | HIGH | Detects error pages and stack traces that expose server paths, framework info, or operator identity |
| mirror_correlation | Mirror Correlation | HIGH | Detects indicators that could correlate this .onion site with a clearnet mirror |
| asset_host_fingerprint | Asset Host Fingerprint | HIGH | Detects external asset hosting services that could reveal the operator's account or identity |
| contact_identity_leak | Contact Identity Leak | HIGH | Detects contact information that could reveal operator identity (non-anonymous email, social profiles) |
| debug_artifact_exposure | Debug Artifact Exposure | HIGH | Detects debug artifacts, development comments, and source maps that expose the development environment |
| unique_framework_fingerprint | Unique Framework Fingerprint | MEDIUM | Detects rare frameworks, CMS versions, or unique generator signatures that could identify the operator |
| server_timing_disclosure | Server-Timing Disclosure | HIGH | Detects Server-Timing headers that expose internal service names, database queries, or infrastructure details |
| clearnet_auth_dependency | Clearnet Auth Dependency | HIGH | Detects authentication dependencies on clearnet OAuth providers, captcha services, or identity verification |
| hosting_provider_leak | Hosting Provider Leak | HIGH | Detects HTTP headers or content that reveal the hosting provider, CDN, or infrastructure vendor |
| locale_timezone_leak | Locale/Timezone Leak | MEDIUM | Detects date formats, timezone indicators, or locale-specific content that reveal the operator's location |
| behavioral_timing_correlation | Behavioral Timing Correlation | HIGH | Detects response timing patterns that could reveal the operator's timezone, manual operations, or 'home server' characteristics |
| update_pattern_leak | Update Pattern Leak | LOW | Detects content update cycles (RSS feeds, timestamps) that could reveal the operator's timezone or lifestyle patterns |
| self_host_correlator | Self-Referential Host Leak | HIGH | Detects clearnet domain references in comments, old sitemaps, or JavaScript that could correlate the .onion with a clearnet identity |
| linguistic_identity_leak | Linguistic Identity Leak | MEDIUM | Detects language patterns, machine translation artifacts, and linguistic fingerprints that could reveal the operator's native language or region |
| cross_correlation_identity | Cross-Correlation Identity Analysis | HIGH | Performs cross-correlation analysis combining favicon, CMS, assets, headers, and content patterns to estimate the operator's identity exposure probability |
| regional_framework_correlation | Regional Framework Correlation | HIGH | Detects region-specific CSS/JS frameworks, CDNs, or library forks that could indicate the operator's geographic region |
| media_metadata_exposure | Media Metadata Exposure | HIGH | Detects EXIF and other metadata in images/videos that could expose GPS coordinates, device info, timestamps, or author names |
Attack Detection (6 rules): rules that detect potential attacks against site visitors.

| Rule ID | Name | Severity | Description |
|---|---|---|---|
| js_obfuscation | Suspicious JavaScript Obfuscation | HIGH | Detects obfuscated JavaScript patterns commonly used to hide malicious code such as credential stealers or exploit kits |
| form_action_leak | Form Data Leak to External URL | HIGH | Detects HTML forms that submit data to non-.onion URLs, which could leak sensitive information and deanonymize users |
| webrtc_leak | WebRTC IP Leak Risk | HIGH | Detects WebRTC API usage that can leak the visitor's real IP address even when using Tor, bypassing proxy settings |
| canvas_fingerprint | Canvas/WebGL/Audio Fingerprinting | HIGH | Detects browser fingerprinting techniques using Canvas, WebGL, or AudioContext APIs that can uniquely identify users |
| suspicious_redirect | Suspicious External Redirect | HIGH | Detects automatic redirects to non-.onion URLs via meta refresh, JavaScript, or HTTP headers that could deanonymize users |
| hidden_iframe | Hidden or Suspicious Iframe | HIGH | Detects hidden iframes (0x0 size, visibility:hidden, off-screen) that may be used for clickjacking, drive-by downloads, or IP leaking |
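To make the rule tables concrete, here is an added, self-contained Go sketch of four of the rules above: no_external_resources, form_action_leak, csp_missing and cookie_insecure. It is not onionlint's implementation; rule IDs and severities follow the tables, the message strings and the `Issue` shape are made up here, and the page and headers in `main` are constructed. Resource URLs are resolved against the page URL before the host is examined, so relative paths and protocol-relative `//host/` references are classified correctly. The HTML scanning uses a regex, which is enough for a demonstration; a real linter should use an HTML tokenizer so that commented-out tags and unusual quoting are handled.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"regexp"
	"strings"
)

// Issue is one finding, shaped like the text report in this README.
type Issue struct {
	Rule     string
	Severity string
	Message  string
	Detail   string
}

// resourceAttr pulls the tag name and the URL-bearing attribute out of tags
// that make the browser fetch something (or, for forms, send something).
var resourceAttr = regexp.MustCompile(
	`(?is)<(script|img|link|iframe|form)\b[^>]*?\b(src|href|action)\s*=\s*["']([^"']+)["']`)

// isOnionHost is a plain suffix check: anything else leaves the Tor network
// and lets a third party observe that, and when, this page was visited.
func isOnionHost(host string) bool {
	return strings.HasSuffix(strings.ToLower(host), ".onion")
}

// externalTargets resolves every referenced URL against the page URL and
// returns the absolute URLs that point off the .onion, split into fetched
// resources and form submission targets.
func externalTargets(page *url.URL, body string) (resources, formActions []string) {
	for _, m := range resourceAttr.FindAllStringSubmatch(body, -1) {
		tag, raw := strings.ToLower(m[1]), strings.TrimSpace(m[3])
		ref, err := url.Parse(raw)
		if err != nil {
			continue
		}
		abs := page.ResolveReference(ref)
		if abs.Host == "" || isOnionHost(abs.Hostname()) {
			continue // same origin, data: URI, or another hidden service
		}
		if tag == "form" {
			formActions = append(formActions, abs.String())
		} else {
			resources = append(resources, abs.String())
		}
	}
	return resources, formActions
}

// insecureCookies reports each Set-Cookie header missing any of the
// attributes the cookie_insecure rule looks for.
func insecureCookies(h http.Header) []string {
	var out []string
	for _, sc := range h.Values("Set-Cookie") {
		attrs := strings.Split(sc, ";")
		name := strings.TrimSpace(strings.SplitN(attrs[0], "=", 2)[0])
		var missing []string
		for _, want := range []string{"Secure", "HttpOnly", "SameSite"} {
			found := false
			for _, a := range attrs[1:] {
				if strings.EqualFold(strings.TrimSpace(strings.SplitN(a, "=", 2)[0]), want) {
					found = true
					break
				}
			}
			if !found {
				missing = append(missing, want)
			}
		}
		if len(missing) > 0 {
			out = append(out, fmt.Sprintf("cookie %q missing %s", name, strings.Join(missing, ", ")))
		}
	}
	return out
}

// Lint runs the four rules over one fetched page (URL, response headers, body).
func Lint(pageURL string, h http.Header, body string) ([]Issue, error) {
	page, err := url.Parse(pageURL)
	if err != nil {
		return nil, err
	}
	var issues []Issue
	res, forms := externalTargets(page, body)
	for _, r := range res {
		issues = append(issues, Issue{"no_external_resources", "HIGH", "External resource loaded from clearnet", r})
	}
	for _, f := range forms {
		issues = append(issues, Issue{"form_action_leak", "HIGH", "Form submits to non-.onion URL", f})
	}
	if h.Get("Content-Security-Policy") == "" {
		issues = append(issues, Issue{"csp_missing", "MEDIUM", "Missing Content-Security-Policy header", pageURL})
	}
	for _, c := range insecureCookies(h) {
		issues = append(issues, Issue{"cookie_insecure", "MEDIUM", "Cookie set without protective attributes", c})
	}
	return issues, nil
}

// Summary counts issues by severity the way the text report does.
func Summary(issues []Issue) map[string]int {
	s := map[string]int{"HIGH": 0, "MEDIUM": 0, "LOW": 0}
	for _, i := range issues {
		s[i.Severity]++
	}
	return s
}

func main() {
	// Constructed sample page and headers, not captured from any real service.
	pageURL := "http://" + strings.Repeat("a", 55) + "d.onion/"
	body := `<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://cdn.example.com/script.js"></script>
</head><body>
<img src="http://` + strings.Repeat("b", 55) + `d.onion/logo.png">
<form method="post" action="https://forms.example.com/submit"><input name="q"></form>
</body></html>`
	hdr := http.Header{}
	hdr.Add("Set-Cookie", "sid=abc123; Path=/")
	hdr.Add("Set-Cookie", "pref=1; Secure; HttpOnly; SameSite=Strict")

	issues, err := Lint(pageURL, hdr, body)
	if err != nil {
		panic(err)
	}
	sum := Summary(issues)
	fmt.Printf("Issues found: %d (High: %d, Medium: %d, Low: %d)\n", len(issues), sum["HIGH"], sum["MEDIUM"], sum["LOW"])
	for n, is := range issues {
		fmt.Printf("[%d] %s\n  Rule: %s\n  Message: %s\n  Details: %s\n", n+1, is.Severity, is.Rule, is.Message, is.Detail)
	}
}
```

On the constructed page this reports four issues: the clearnet script and the clearnet form action (HIGH), and the missing CSP plus the `sid` cookie (MEDIUM); the local stylesheet and the image hosted on another .onion are correctly left alone.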
Text output:

```text
Scan Results for: http://example.onion/
Resources scanned: 5
Issues found: 3 (High: 2, Medium: 1, Low: 0)

[1] HIGH
  Rule: no_external_resources
  Message: External script loaded from clearnet
  URL: http://example.onion/
  Details: External resource 'https://cdn.example.com/script.js' loaded
```

JSON output:

```shell
onionlint scan http://example.onion/ --format json
```

```json
{
  "url": "http://example.onion/",
  "resource_count": 5,
  "issues": [...],
  "summary": {
    "high": 2,
    "medium": 1,
    "low": 0,
    "total": 3
  }
}
```

Markdown output written to a file:

```shell
onionlint scan http://example.onion/ --format md --out report.md
```

Contributions are welcome! Please see the Contributing Guide for more details.
First off, thanks for taking the time to contribute! Contributions are not limited to development; a GitHub star, for example, motivates me to keep developing.
If you would like to report a bug or request a feature, please use one of the following contacts.
If you find this project useful, please consider:
- Giving it a star on GitHub - it helps others discover the project
- Becoming a sponsor - your support keeps the project alive and motivates continued development
Your support, whether through stars, sponsorships, or contributions, is what drives this project forward. Thank you!
The onionlint project is licensed under the terms of the MIT License.
