obfus.link

Header Inspector parses raw HTTP response headers into a normalized map and produces an OWASP Security Scorecard. The scorecard grades HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy from A to F. A CORS analyzer parses Access-Control headers and flags the wildcard origin plus credentials combination, which the CORS specification forbids.

Tier 2 · analyzers · ✓ TDD Verified

Header Inspector

OWASP-graded HTTP security headers scorecard with CORS issue detection

Grades HSTS, CSP, X-Frame, X-Content-Type, Referrer-Policy, Permissions-Policy

How to use

  1. Get the headers: copy the response headers from your browser's Network tab, from curl -I, or from your server logs. Note that curl -I sends a HEAD request; if your server answers HEAD differently from GET, use curl -s -D - -o /dev/null URL to capture the headers of a real GET.
  2. Paste them in: one header per line in "Name: value" format. The HTTP/1.1 status line is ignored if included.
  3. Toggle scorecard: leave OWASP scorecard ON to grade the security posture; turn it off for parser-only mode.
  4. Run: click Inspect or press Ctrl+Enter. The overall grade, per-category cards, CORS report, and remediation checklist appear in the output.
  5. Read the remediation checklist: it is already ordered by impact, so fix the F items first. Each entry is a concrete recommendation you can paste into a PR or runbook.

MCP / API

Call header_inspector directly from any MCP-compatible agent:

// MCP TypeScript SDK (client already connected to https://obfus.link/mcp)
const result = await client.callTool({
  name: "header_inspector",
  arguments: {
    "headersRaw": "...",   // raw response headers, one "Name: value" per line
    "scorecard": false     // true to include the OWASP scorecard; false for parser-only mode
  }
});

// curl: MCP messages are JSON-RPC 2.0, so the body carries "jsonrpc" and "id";
// the Streamable HTTP transport expects the client to accept both JSON and SSE
curl -X POST https://obfus.link/mcp \
  -H "Authorization: Bearer <SPT>" \
  -H "Content-Type: application/json" \
  -H "Accept: application/json, text/event-stream" \
  -d '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"header_inspector","arguments":{"headersRaw":"...","scorecard":false}}}'

Related tools

JWT Hardener
Audit and harden JWT tokens with security scoring and diff output
Password Entropy
Score password strength and audit policy compliance against NIST 800-63B
HMAC Generator
Generate and verify HMAC signatures with Stripe, GitHub, Twilio, Shopify, Slack templates

FAQ

What does the wildcard-plus-credentials CORS issue mean?

Access-Control-Allow-Origin: * combined with Access-Control-Allow-Credentials: true is forbidden by the CORS (Fetch) specification. The browser still sends the request, so the server may act on it, but it refuses to expose the response to the page: fetch() rejects with a TypeError, XMLHttpRequest fires its error event, and the console reports a CORS error. With credentials enabled, a literal "*" is likewise not accepted in Access-Control-Allow-Headers, Access-Control-Allow-Methods or Access-Control-Expose-Headers. When credentials are required, return a single explicit origin chosen from an allowlist (do not simply echo whatever Origin the request carries, which re-creates the wildcard with credentials) and add Vary: Origin so that caches do not serve one origin's response to another.

How is the overall grade calculated?

Each of the 6 categories (HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy) gets a per-category grade of A, B, C, D or F, worth 15, 12, 9, 6 or 0 points respectively. The total out of the 90-point maximum is converted to a percentage, which maps to the overall letter: 95+ A+, 85+ A, 75+ B, 65+ C, 50+ D, below 50 F. For example, four A grades, one C and one F total 15×4 + 9 + 0 = 69 points, or 76.7%, for an overall B; a single missing header (an F) therefore costs 16.7 percentage points on its own.

Why is my CSP graded C even though I have it set?

Most likely the CSP allows 'unsafe-inline' or 'unsafe-eval' in script-src (or in default-src, which script-src falls back to when it is absent). Either keyword lets injected inline script or string-evaluated code run, so the policy no longer mitigates XSS. Replace them with nonces or hashes for the inline scripts you actually need; in browsers that implement CSP Level 2 or later, 'unsafe-inline' is ignored once a nonce or hash source appears in the same directive, so it can remain only as a fallback for older browsers. The category card recommendation tells you exactly which directive to fix.

Do I need both X-Frame-Options and CSP frame-ancestors?

CSP frame-ancestors is the modern mechanism and is preferred: it takes a full source list, whereas X-Frame-Options offers only DENY and SAMEORIGIN (ALLOW-FROM is obsolete and ignored by current browsers). X-Frame-Options remains useful for legacy browsers that predate CSP Level 2 (notably older IE/Edge versions). A browser that understands frame-ancestors is expected to ignore X-Frame-Options when both are present, so keep the two consistent, for example DENY alongside frame-ancestors 'none'. The scorecard accepts either, but having both gives the best coverage.

Can I use this tool via the MCP API?

Yes. The tool is registered on the obfus.link MCP server at https://obfus.link/mcp. Call it from any MCP-compatible agent with a Shared Payment Token. The MCP tool name matches the snake_case slug shown in the integration snippet.