HTTP Security Analysis

Inputs

Paste a request and optional response. Click Add to Session to append multiple transactions for stronger cache analysis.

HTTP Request

HTTP Response (optional)

Session: 0 transactions

Current Session

View and manage all transactions added so far

Import HAR

Drop a .har, select a file, or paste HAR JSON to import a journey.

Drop HAR file here

Select .har File No file chosen

Findings

Scoring and report-ready actions.

Security Score: —

Cache Analysis

Cache key simulator, collisions, visual graph, poisoning/desync hints.

Key Models

CDN vs Origin proxy

Origin model can ignore tracking params (utm_*, fbclid, gclid).

Ignore tracking params

Visual Cache Graph

CDN key clusters

Nodes = requests. Same-color nodes share the same CDN key hash.

Collisions & Differences

Poisoning & Desync Hints

Differential Analysis (Diff)

Compare two responses with color-coded highlights.

Left (A)

Right (B)

Show changes only

A

B

Payloads

Generate payloads; advanced smuggling variants; copy as cURL per payload.

Step 3: Copy Payloads

Step 4: Paste Raw HTTP Response

Step 5: Analysis Report

Indicators & guidance

Advanced Cookie Analysis

Security and privacy analysis of all captured `Set-Cookie` headers.

CSP Audit & Workshop

Browser CSP v3 audit and interactive CSP/Permissions-Policy builders.

Uses the latest response with a CSP header.

❗ Risk ⚠️ Warn ℹ️ Info ✅ OK

CORS Lab (Preflight Simulator)

Build a synthetic OPTIONS preflight and analyze the real response.

Preflight Builder

Parsed requests

Scheme

Host

Path

Origin preset

Origin

AC-Request-Method

Expect credentials

Common headers (adds to ACRH)

Authorization Content-Type X-Requested-With X-CSRF-Token

AC-Request-Headers (extra, comma)

Raw preflight request

cURL

Analyze Response

Report

Project

Autosave to localStorage; Export/Import JSON for sharing.

Import Project

Session autosaves on change.

Report

Download Markdown or PDF with all findings and scores.

Ensure you analyzed inputs first.