Your HTTP is leaking.
HTTPLint seals it.

Find insecure connections, CORS wildcards, missing security headers, cookie vulnerabilities, caching issues, and error response leaks — before they reach production.

$ clawhub install httplint
$ httplint scan ./src
🌐 HTTPLint v1.0.0
 
Scanning 136 files across 7 directories...
 
  server/cors.ts:18
    ✗ [CRITICAL] HS-001: CORS Access-Control-Allow-Origin set to wildcard (*)
    → Restrict to specific origins — wildcards allow any site to read responses
 
  auth/session.js:42
    ✗ [CRITICAL] CK-003: Session cookie missing Secure and HttpOnly flags
    → Set Secure, HttpOnly, and SameSite=Strict to prevent session hijacking
 
  middleware/error-handler.py:31
    ⚠ [HIGH] ER-002: Stack trace exposed in error response body
    → Return generic error messages in production — stack traces reveal internals
 
  config/headers.ts:5
    ● [MEDIUM] CH-001: Missing Content-Security-Policy header
    → Add CSP header to prevent XSS and data injection attacks
 
  api/client.go:88
    ○ [LOW] HC-005: HTTP client missing request timeout
    → Set explicit timeout to prevent hanging connections
 
  ────────────────────────────────────────────────
  Files scanned: 136  |  Issues: 2 critical  1 high  1 medium  1 low
  Score: 41/100 (Grade: F)
 
  Run httplint scan --fix to apply auto-fixes, or httplint report for full HTML report.

Misconfigured HTTP doesn't fail — it exposes everything.

CORS set to wildcard. Session cookies without Secure flag. Stack traces in error responses. Missing Content-Security-Policy. Your API works perfectly — and every response leaks data to attackers. HTTPLint scans your entire codebase for HTTP security misconfigurations so your web layer actually defends when it matters.

90 detection patterns  |  6 check categories  |  All languages supported  |  100% local (zero telemetry)

What HTTPLint Catches

90 checks across 6 categories, covering every aspect of HTTP security and configuration.

HC: HTTP Client (15 checks)
Detects insecure HTTP connections without TLS, disabled certificate verification, missing request timeouts, unvalidated redirect following, and plaintext credential transmission.

HS: HTTP Server (15 checks)
Catches CORS wildcard origins, open redirect vulnerabilities, server version disclosure, directory listing exposure, and information leakage through verbose headers.

CK: Cookie & Session (15 checks)
Finds session cookies missing Secure, HttpOnly, or SameSite flags, weak session secret keys, predictable session IDs, and overly permissive cookie domain/path scoping.

CH: Caching & Headers (15 checks)
Detects missing Content-Security-Policy, absent X-Frame-Options, no Strict-Transport-Security, improper Cache-Control on sensitive responses, and missing X-Content-Type-Options.

RH: Request Handling (15 checks)
Catches unvalidated user input passed to HTTP responses, eval of request parameters, missing input size limits, unescaped query parameters in templates, and SSRF patterns.

ER: Error & Response (15 checks)
Finds stack trace leaks in error responses, database error messages exposed to clients, wrong HTTP status codes, debug mode enabled in production, and verbose error formatting.
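As an added illustration of the kind of finding the HS, CK and CH categories describe (example code written for this page, not HTTPLint's own rule engine, which works on source files rather than live headers), the following Python audits one HTTP response head. It reuses the rule IDs HS-001, CK-003 and CH-001 from the sample scan output by their descriptions, tags every other finding with a category code only, and the response it inspects is a constructed sample.

```python
import re
# Added example: header-level audit for a subset of the HS, CK and CH categories
# above. Not HTTPLint's rule engine; HS-001, CK-003 and CH-001 are reused from
# the sample scan output by description, other findings carry only a category.
REQUIRED_HEADERS = [
    ("content-security-policy", "CH-001", "Missing Content-Security-Policy header"),
    ("strict-transport-security", "CH", "Missing Strict-Transport-Security header"),
    ("x-frame-options", "CH", "Missing X-Frame-Options header"),
]
COOKIE_FLAGS = {"secure": "Secure", "httponly": "HttpOnly", "samesite": "SameSite"}

def parse_headers(raw):
    """(name, value) pairs from a raw response head; duplicates kept (Set-Cookie repeats)."""
    headers = []
    for line in raw.splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return headers

def audit_headers(headers):
    """Return (severity, code, message) findings in a fixed order."""
    findings = []
    present = dict(headers)  # last value wins; used only for non-repeating headers
    if present.get("access-control-allow-origin") == "*":
        findings.append(("CRITICAL", "HS-001", "CORS Access-Control-Allow-Origin set to wildcard (*)"))
    for name, value in headers:
        if name == "set-cookie":
            cookie = value.split("=", 1)[0].strip()
            attrs = {a.split("=", 1)[0].strip().lower() for a in value.split(";")[1:]}
            missing = [label for key, label in COOKIE_FLAGS.items() if key not in attrs]
            if missing:
                findings.append(("CRITICAL", "CK-003", f"Cookie '{cookie}' missing {', '.join(missing)}"))
    for name, code, message in REQUIRED_HEADERS:
        if name not in present:
            findings.append(("MEDIUM", code, message))
    if "set-cookie" in present and "no-store" not in present.get("cache-control", "").lower():
        findings.append(("MEDIUM", "CH", "Response sets a cookie but Cache-Control lacks no-store"))
    if re.search(r"/\d", present.get("server", "")):  # e.g. "nginx/1.18.0"
        findings.append(("LOW", "HS", f"Server header discloses version: {present['server']}"))
    return findings

# Constructed sample response (not captured from a real host).
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Server: nginx/1.18.0
Access-Control-Allow-Origin: *
Set-Cookie: sid=abc123; Path=/
Set-Cookie: theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax
Cache-Control: public, max-age=3600
"""
```

Calling `audit_headers(parse_headers(SAMPLE_RESPONSE))` yields seven findings for the sample, and the same call on a response with CSP, HSTS, X-Frame-Options, a fully flagged cookie and `Cache-Control: no-store` yields none.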

HTTPLint vs. Manual Review vs. Generic Linters

Purpose-built HTTP security analysis beats guesswork every time.

Capability                  Manual Review     HTTPLint             Generic Linters
CORS misconfiguration       Inconsistent      90 patterns          Basic (1-2)
Security header validation  Checklist-based   ✓ Automated
Cookie security analysis    Often missed      ✓ 15 checks
Error response auditing     Runtime only      ✓ Static analysis
TLS/connection checks       Manual review     ✓ Context-aware
SSRF detection              Expert required   ✓ Pattern matching
Remediation guidance        None              Per-finding fixes    Generic docs
Scan time (1000 files)      Hours/Days        < 5 seconds          Minutes
Zero false positive mode    N/A
CI/CD integration                             ✓ SARIF
Privacy (no upload)                           ✓ 100% local         Varies

Simple, transparent pricing

Start scanning for free. Upgrade when your HTTP security demands it.

Free
$0/mo
For solo developers who want basic HTTP security checks.
  • 30 detection checks
  • HTTP Client (HC) category
  • HTTP Server (HS) category
  • Terminal report output
  • Basic scoring & grading
  • Community support
Install Free
Team
$39/mo
For teams enforcing HTTP security standards across services.
  • All 90 detection checks
  • Everything in Pro
  • Request Handling (RH) category
  • Error & Response (ER) category
  • CI/CD integration & SARIF
  • Custom rule definitions
  • Priority support
Get Team


Your HTTP layer is your attack surface

Install HTTPLint in 30 seconds. Find every CORS wildcard, missing header, and cookie vulnerability before attackers do it for you.

$ clawhub install httplint