██████╗ ██████╗ ██████╗ ███████╗ █████╗ ██╗██████╗
██╔════╝██╔═══██╗██╔══██╗██╔════╝██╔══██╗██║██╔══██╗
██║ ██║ ██║██████╔╝███████╗███████║██║██████╔╝
██║ ██║ ██║██╔══██╗╚════██║██╔══██║██║██╔══██╗
╚██████╗╚██████╔╝██║ ██║███████║██║ ██║██║██║ ██║
╚═════╝ ╚═════╝ ╚═╝ ╚═╝╚══════╝╚═╝ ╚═╝╚═╝╚═╝ ╚═╝
HTTP Security Header Scanner & Analyzer
A comprehensive security scanner with HTTP header analysis, TLS/SSL auditing, CVE correlation, technology fingerprinting, and AI-powered remediation. Built for the 2026 threat landscape.
- 60+ Header Checks - CSP, HSTS, COOP, COEP, CORP, Permissions-Policy, and more
- TLS/SSL Auditing - Protocol versions, cipher suites, certificate validation, and vulnerability detection (Heartbleed, ROBOT, CRIME, and more)
- Web Cache Poisoning Detection - CDN fingerprinting, unkeyed header probing, CPDoS detection, and cache oracle analysis
- 1,200+ Fingerprinting Signatures - Detect servers, CDNs, WAFs, and frameworks
- CVE Correlation - Map misconfigurations to known vulnerabilities with CISA KEV integration
- Compliance Mapping - OWASP Top 10 2025, PCI-DSS 4.0, NIST SP 800-52r2, SOC 2
- Historical Tracking - Monitor security posture changes with drift detection
- AI Integration - MCP server for Claude/GPT-powered remediation
- Multiple Outputs - Console, JSON, HTML, SARIF (GitHub Code Scanning)
# From source
git clone https://github.com/fevra-dev/Corsair.git
cd corsair
pip install -e .
# With TLS/SSL auditing
pip install -e ".[tls]"
# With all features (includes TLS)
pip install -e ".[full]"
# With MCP/AI integration (Python 3.10+)
pip install -e ".[mcp]"Note: TLS auditing uses sslyze (AGPL-3.0), which is kept as an optional dependency to preserve Corsair's MIT license.
# Scan a URL
corsair scan https://example.com
# Scan multiple URLs
corsair scan https://google.com https://github.com
# Output as SARIF for GitHub
corsair scan https://example.com --output sarif --out-file results.sarif
# Save to history and track changes
corsair scan https://example.com --save-history
corsair compare https://example.com
# View scan history
corsair history https://example.comfrom corsair import HeadScanner
scanner = HeadScanner()
result = scanner.scan_target("https://example.com")
print(f"Score: {result.score}/100 ({result.grade})")
print(f"Critical Issues: {result.critical_count}")
for finding in result.findings:
print(f"[{finding.severity.name}] {finding.title}")# GitHub Actions
- run: pip install corsair-scan
- run: |
corsair scan https://your-site.com \
--output sarif \
--out-file results.sarif \
--min-score 70
- uses: github/codeql-action/upload-sarif@v3
with:
sarif_file: results.sarif| Code | Meaning |
|---|---|
| 0 | Score >= 80 (Good) |
| 1 | Score >= 50 (Needs improvement) |
| 2 | Score < 50 (Critical issues) |
| 3 | Error |
Security: Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy
Cross-Origin Isolation: Cross-Origin-Opener-Policy, Cross-Origin-Embedder-Policy, Cross-Origin-Resource-Policy, Origin-Agent-Cluster
Cookies: Secure, HttpOnly, SameSite, __Host- prefix, __Secure- prefix
Information Disclosure: Server, X-Powered-By, X-AspNet-Version
When sslyze is installed, Corsair automatically audits TLS configuration on HTTPS targets. 25 checks across four categories:
Protocols: SSLv2 (DROWN), SSLv3 (POODLE), TLS 1.0 (BEAST), TLS 1.1, TLS 1.3 support
Cipher Suites: RC4, 3DES (Sweet32), NULL, EXPORT (LOGJAM), forward secrecy, weak DH parameters
Certificates: Expiry, hostname mismatch, self-signed, weak signatures (SHA-1/MD5), short keys, OCSP stapling
Vulnerabilities: Heartbleed (CVE-2014-0160), ROBOT, CCS Injection (CVE-2014-0224), TLS compression (CRIME), missing FALLBACK_SCSV
TLS findings deduct from the same 0-100 score as header findings. A site with perfect headers but broken TLS will get a bad grade.
Corsair automatically tests for web cache poisoning vulnerabilities on all targets. 16 checks across three categories:
Passive: Missing Vary: Origin, public caching of authenticated content, unkeyed query strings, permissive cache TTLs
Active (Canary Injection): Probes 16 unkeyed headers (X-Forwarded-Host, X-Original-URL, etc.) using a 3-phase canary injection protocol that safely detects whether injected values persist in cached responses
CPDoS: Tests for Cache Poisoning Denial of Service via oversized headers, malformed headers, and method override headers
Active probing uses cache busters to isolate test requests and includes a safety abort if any canary leaks into the live cache. Disable active probing with --no-cache-probe.
| Grade | Score | Description |
|---|---|---|
| A | 90-100 | Excellent |
| B | 80-89 | Good |
| C | 70-79 | Fair |
| D | 60-69 | Poor |
| F | 0-59 | Critical |
Detection gaps closed:
WCP_ALT_SVC_POISONING(HIGH): Alt-Svc cache poisoning via unkeyed header — HTTP/3 cross-protocol vector where attacker pins victim browsers to a malicious QUIC endpoint.WCP_SET_COOKIE_POISONING(HIGH): Set-Cookie cache poisoning via unkeyed header — session fixation and cookie injection via cached response headers.
Correctness:
is_cachednow falls back to Age-increment evidence when cache-status headers are absent.query_string_keyedis now conservative (Optional[bool]). AkamaiX-Cache-Keyis parsed as an authoritative signal for cache-key composition.WCP_CACHE_KEYING_UNDETERMINED(INFO) fires when keying cannot be confirmed; active probing is skipped in that state to avoid inadvertent live-cache poisoning.
Spec compliance:
- Active probing is preemptively cancelled when live poisoning is confirmed (was: cooperative, allowed 4 in-flight probes to complete).
Fevra - GitHub
MIT