Headers
Security Header Analysis
Checks for missing or misconfigured CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy.
Cookies
Cookie Flag Validation
Inspects all Set-Cookie headers for missing Secure, HttpOnly, and SameSite flags — common bug bounty P3–P4 findings.
CORS
CORS Misconfiguration Detection
Tests for wildcard origins, credential-bearing CORS policies, and origin reflection bugs that could enable cross-origin data theft.
Disclosure
Server & Redirect Chain Analysis
Flags server banner disclosure, X-Powered-By leakage, and follows redirect chains to detect open redirects or mixed-content issues.