HTTP Security Assessment
Automated vulnerability detection and security analysis for web applications
Introduction
The HTTP Security Assessment system is the framework's automated vulnerability detection capability that performs deep security analysis of web applications and APIs. It captures complete HTTP transactions, analyzes security headers, validates SSL/TLS certificates, assesses cookie security, measures performance, and generates comprehensive diagnostic reports.
Key Capabilities
- 35+ Security Checks - Headers, SSL, cookies, CORS, CSP analysis
- Automated Detection - HSTS, XSS protection, clickjacking vulnerabilities
- Performance Profiling - Response times, compression, caching metrics
- Compliance Analysis - PCI-DSS, GDPR, OWASP alignment
- mAi Advisor™ Integration - Actionable, role-specific guidance
- 18 Report Configurations v2.2.0 - 3 depth levels × 6 audience types
- HTML Reports with Help Links v3.0.0 - Dual MD+HTML output with Perplexity.ai
Architecture Components
The HTTP assessment system consists of 7 core components:
| Component | Purpose |
|---|---|
| FW_AuditManager | Central audit orchestration hub (singleton) |
| FW_Audit_HttpReview | Core HTTP analysis engine (7 phases) |
| FW_HttpExecutor | HTTP transaction capture |
| FW_Http | HTTP transaction data model (9 sections) |
| FW_HttpDiagnosticReporter | HTML/Markdown diagnostic reports |
| FW_HttpReporter | Configurable summary reports (v2.2.0) |
| FW_HtmlReportGenerator | HTML reports with help links (v3.0.0) |
Analysis Phases
- Network & Geolocation
- TLS & Certificate validation
- Security header analysis
- Cookie security assessment
- Redirect chain inspection
- Performance profiling
- Compliance checking
Report Configuration NEW v2.2.0
The reporting system offers 18 different report configurations through two independent controls.
Report Depth Levels
| Depth | Size | Content | Use Cases |
|---|---|---|---|
| EXECUTIVE | ~1,800 chars, <1 page | Critical/High findings only, top 3 recommendations | Board presentations, executive briefings |
| STANDARD DEFAULT | ~12,000 chars, ~3 pages | All 11 sections, complete findings, mAi Advisor™ | Daily development, security audits |
| COMPREHENSIVE | ~13,000 chars, ~4 pages | All STANDARD + raw request/response data | Debugging, forensic analysis |
Audience Configuration
| Audience | Focus | Receives |
|---|---|---|
| DEVELOPER | Technical implementation | Code examples, testing approaches |
| SECURITY_ENGINEER | Threat analysis | Attack vectors, compliance requirements |
| PROJECT_MANAGER | Planning & coordination | Effort estimates, sprint planning |
| EXECUTIVE | Business impact | Risk assessment, cost estimates |
| OPS_INFRASTRUCTURE | Deployment & operations | Server configs, deployment procedures |
| QA_TESTER | Testing strategies | Test cases, validation procedures |
What Gets Audited
Security Headers (12 Types)
Critical: Strict-Transport-Security (HSTS), Content-Security-Policy (CSP), X-Frame-Options, X-Content-Type-Options
Important: X-XSS-Protection, Referrer-Policy, Permissions-Policy, Cross-Origin-* (CORS)
Note that X-XSS-Protection is a legacy header: current browsers have removed the XSS auditor it controlled, and the recommended value is 0. Treat a finding on it as informational and rely on CSP for script-injection defence.
SSL/TLS Configuration
- Certificate chain integrity and expiration
- TLS protocol version (1.2, 1.3)
- Cipher suite strength
- Self-signed certificate detection
Cookie Security
- Secure flag - HTTPS-only transmission
- HttpOnly flag - JavaScript access prevention
- SameSite policy - CSRF protection
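The stand-alone Python below illustrates the header and cookie checks the two lists above describe (HSTS, CSP, X-Frame-Options, X-Content-Type-Options, X-XSS-Protection; Secure, HttpOnly, SameSite) against a constructed weak response and a hardened one. It is an added example, not code from FW_Audit_HttpReview: the check names, the severities assigned, the one-year HSTS floor and the sample headers are this example's own assumptions about how such checks are scored.

```python
# Header and cookie checks as described above. Added illustration, not
# FW_Audit_HttpReview's code; severities and the sample responses are constructed.
import re
from dataclasses import dataclass

ONE_YEAR = 31536000  # HSTS max-age floor used by this example (preload minimum)

# Constructed sample responses, not captured traffic. Header names are matched
# case-insensitively and Set-Cookie may repeat, as in real HTTP.
WEAK_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Strict-Transport-Security", "max-age=300"),
    ("X-Frame-Options", "ALLOWALL"),
    ("X-XSS-Protection", "1; mode=block"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/; Secure; SameSite=Lax"),
]
HARDENED_HEADERS = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-XSS-Protection", "0"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"),
]

@dataclass(frozen=True)
class Finding:
    severity: str  # CRITICAL / HIGH / MEDIUM / LOW, matching the page's colour scale
    check: str
    detail: str

def header_map(headers):
    """Lower-cased, multi-valued view of a (name, value) header list."""
    out = {}
    for name, value in headers:
        out.setdefault(name.lower(), []).append(value)
    return out

def check_security_headers(headers):
    h, f = header_map(headers), []
    hsts = h.get("strict-transport-security")
    if not hsts:
        f.append(Finding("HIGH", "HSTS", "Strict-Transport-Security missing"))
    else:
        m = re.search(r"max-age=(\d+)", hsts[0], re.I)
        max_age = int(m.group(1)) if m else 0
        if max_age < ONE_YEAR:
            f.append(Finding("MEDIUM", "HSTS", f"max-age={max_age} is below one year"))
    csp = " ".join(h.get("content-security-policy", [])).lower()
    if not csp:
        f.append(Finding("HIGH", "CSP", "Content-Security-Policy missing"))
    xfo = h.get("x-frame-options")
    # A strict X-Frame-Options or a CSP frame-ancestors directive prevents framing.
    if not xfo and "frame-ancestors" not in csp:
        f.append(Finding("HIGH", "Clickjacking", "no X-Frame-Options and no CSP frame-ancestors"))
    elif xfo and xfo[0].strip().upper() not in ("DENY", "SAMEORIGIN"):
        f.append(Finding("HIGH", "Clickjacking", f"X-Frame-Options '{xfo[0]}' is not DENY or SAMEORIGIN"))
    xcto = h.get("x-content-type-options")
    if not xcto or xcto[0].strip().lower() != "nosniff":
        f.append(Finding("MEDIUM", "MIME sniffing", "X-Content-Type-Options: nosniff missing"))
    xxss = h.get("x-xss-protection")
    if xxss and xxss[0].strip() != "0":
        # Legacy header: current browsers dropped the XSS auditor, so this is informational.
        f.append(Finding("LOW", "X-XSS-Protection", "legacy auditor enabled; recommended value is 0"))
    return f

def parse_set_cookie(value):
    """Return (cookie name, {lower-cased attribute: value}) for one Set-Cookie value."""
    parts = [p.strip() for p in value.split(";")]
    attrs = {}
    for p in parts[1:]:
        k, _, v = p.partition("=")
        attrs[k.strip().lower()] = v.strip()
    return parts[0].split("=", 1)[0], attrs

def check_cookies(headers):
    f = []
    for value in header_map(headers).get("set-cookie", []):
        name, attrs = parse_set_cookie(value)
        if "secure" not in attrs:
            f.append(Finding("HIGH", "Cookie", f"{name}: Secure flag missing"))
        if "httponly" not in attrs:
            f.append(Finding("MEDIUM", "Cookie", f"{name}: HttpOnly flag missing"))
        samesite = attrs.get("samesite", "").lower()
        if samesite == "none" and "secure" not in attrs:
            f.append(Finding("HIGH", "Cookie", f"{name}: SameSite=None without Secure is rejected by Chromium browsers"))
        elif samesite not in ("lax", "strict"):
            f.append(Finding("MEDIUM", "Cookie", f"{name}: SameSite is '{samesite or 'unset'}'"))
    return f

def audit(headers):
    """All findings for one response, worst severity first (stable within a level)."""
    order = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3}
    return sorted(check_security_headers(headers) + check_cookies(headers), key=lambda x: order[x.severity])
```

Running audit(WEAK_HEADERS) yields eight findings (three HIGH, four MEDIUM, one LOW), while audit(HARDENED_HEADERS) yields none: the hardened set has no X-Frame-Options at all but passes the clickjacking check because its CSP carries frame-ancestors, which is the check a scanner should make rather than insisting on the older header.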
Performance Metrics
| Metric | Good | Warning | Slow |
|---|---|---|---|
| DNS Resolution | <100ms | 100-500ms | >500ms |
| Connection | <200ms | 200-1000ms | >1000ms |
| Time to First Byte | <500ms | 500-2000ms | >2000ms |
Compliance Checking
Standards analyzed: OWASP Top 10, PCI-DSS, GDPR, NIST TLS standards.
Running HTTP Audits
Using Test Suite (Recommended)
```java
import org.junit.jupiter.api.DisplayName;
import org.junit.jupiter.api.Tag;
import org.junit.jupiter.api.Test;

@Test
@Tag("audit")
@DisplayName("TC - Audit - HttpReview - www.saucedemo.com")
public void tc_audit_httpreview_www_saucedemo_com() {
    String url = "https://www.saucedemo.com/v1/";
    // Run all analysis phases against the URL and record the outcome via autoPass
    FW_CustomAssertJU.autoPass(
        FW_AuditManager.INSTANCE.getAuditHttpReview()
            .runAuditHttpReview(url, true)
    );
}
```
Using FW_AuditManager API
```java
// Simple audit (default: STANDARD depth, DEVELOPER audience)
FW_AuditManager.INSTANCE.performHttpAudit("https://example.com");

// With verbose output
FW_Http http = FW_AuditManager.INSTANCE.performHttpAudit(
    "https://example.com",
    true // verbose console output
);

// Access results from the FW_Http transaction model
System.out.println("Security Score: " + http.getSecurityScore());
System.out.println("Critical Findings: " + http.getCriticalFindingsCount());
```
Configuring Report Depth and Audience
```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

FW_Http http = FW_AuditManager.INSTANCE.performHttpAudit(url, false);
FW_HttpReporter reporter = new FW_HttpReporter();
// Configure depth and audience
reporter.setReportDepth(FW_HttpReporter.ReportDepth.EXECUTIVE);
reporter.setTargetAudience(FW_AdvisorAudience.EXECUTIVE);
// Generate report
String report = reporter.generateReport(http);
// Save to file; Files.write throws IOException and needs the directory to exist
Path out = Paths.get("target/http-reports/executive-summary.md");
Files.createDirectories(out.getParent());
Files.write(out, report.getBytes(StandardCharsets.UTF_8));
```
Common Report Configurations
| Purpose | Depth | Audience | Result |
|---|---|---|---|
| Executive Summary | EXECUTIVE | EXECUTIVE | 1-page business impact summary |
| Developer Deep Dive | COMPREHENSIVE | DEVELOPER | 4-page technical analysis with raw data |
| Security Audit | STANDARD | SECURITY_ENGINEER | 3-page security-focused analysis |
| Operations Deployment | STANDARD | OPS_INFRASTRUCTURE | 3-page ops guide with server configs |
| QA Test Planning | STANDARD | QA_TESTER | 3-page testing strategy with test cases |
| Project Planning | STANDARD | PROJECT_MANAGER | 3-page planning guide with effort estimates |
Understanding Reports
Color-Coded Findings
- 🔴 Red (Critical) - Immediate action required
- 🟠 Orange (High) - Address within 1 week
- 🟡 Yellow (Medium) - Address within 1 month
- 🔵 Blue (Low) - Address when convenient
- ⚪ White (Info) - Informational only
A finding that carries no mAi Advisor™ recommendation for the selected audience is correct behavior, not an error. Advisor templates target specific audiences: some findings primarily affect developers (implementation), so the SECURITY_ENGINEER and EXECUTIVE audiences may not receive implementation-level recommendations for them. This keeps each report to guidance relevant to its reader.
Configuration Options
Configure audit behavior in testConfig.properties:
```properties
# HTTP Audit Configuration
http.followRedirects=true
http.maxRedirects=10
http.connectionTimeout=30000
http.readTimeout=60000
http.userAgent=Mozilla/5.0 (MissionWares Audit Bot)
# Report Generation
http.generateHtmlReport=true
http.generateMarkdownReport=true
http.reportOutputPath=target/http-reports/
# Report Configuration (NEW in v2.2.0)
http.report.defaultDepth=STANDARD
http.report.defaultAudience=DEVELOPER
# mAi Advisor™ Integration
advisorEnabled=true
advisorDefaultAudience=DEVELOPER
advisorIncludeCodeExamples=true
```
Troubleshooting
| Cause | Solution |
|---|---|
| Target server unreachable | Increase http.connectionTimeout; confirm the host resolves and the port is reachable from the audit host |
| Certificate validation failure | Check the certificate chain (missing intermediates, expiry) and update the trust store. Do not disable validation to get a report: the failure is itself a finding |
| No security issues detected | The configured checks passed. This is a good result but not proof that the site is secure: the audit covers headers, TLS, cookies and redirects, not application logic |
| Audience filtering working correctly | Expected behavior: mAi Advisor™ recommendations are filtered to the selected audience, so coordinator audiences may see findings without implementation-level guidance |
Debugging Techniques
```java
// Enable verbose output
FW_Http http = FW_AuditManager.INSTANCE.performHttpAudit(url, true);

// Check the FW_Http object before trusting a report built from it
System.out.println("Valid: " + http.isValid());
System.out.println("Complete: " + http.isResponseComplete());
System.out.println("Has Error: " + http.hasError());

// Verify the configuration of the reporter in use
FW_HttpReporter reporter = new FW_HttpReporter();
System.out.println("Depth: " + reporter.getReportDepth());
System.out.println("Audience: " + reporter.getTargetAudience());
```
Best Practices
Choose Depth Based on Purpose
- EXECUTIVE - Daily standups, quick status checks, leadership briefings
- STANDARD - Sprint reviews, technical discussions, team meetings
- COMPREHENSIVE - Debugging, forensics, compliance documentation
Choose Audience Based on Reader
- DEVELOPER - Implementers who write code
- SECURITY_ENGINEER - Security specialists who assess threats
- PROJECT_MANAGER - Coordinators who plan work
- EXECUTIVE - Leaders who need business context
- OPS_INFRASTRUCTURE - Operators who deploy and maintain
- QA_TESTER - Testers who validate functionality
Related Documentation
| Document | Description |
|---|---|
| mAi Advisor™ Guide | Intelligent recommendations |
| Network Diagnostics | Network testing |
| Test Development | Writing tests |
| Architecture Diagram | Layer 6 details |
| HTTP Audit Pipeline | Visual flow |
HTML Reports with Help Links NEW v3.0.0
The framework now supports dual-mode report generation, producing both Markdown and HTML reports simultaneously. HTML reports feature a modern dark theme, interactive help links powered by Perplexity.ai, and topic-based organization.
Enabling HTML Reports
```properties
# Report output formats (both can be true for dual output).
# Keep comments on their own lines: in a Java .properties file a '#' after the
# value is part of the value, so "reportOutputHtml=true # opt-in" would not read as true.
# Default: true (backward compatible)
reportOutputMarkdown=true
# Default: false (opt-in)
reportOutputHtml=true
# Help links configuration: ? icons that open Perplexity.ai queries.
# The links point at a third-party service, so leave them disabled for
# reports that must not link out of your environment.
reportHelpLinksEnabled=true
# AI provider for help queries
reportHelpLinksProvider=perplexity
```
HTML Report Features
- Dark Theme - Professional styling with color-coded grades
- Interactive Help Links - Click ? icons for Perplexity.ai explanations
- Topic-Based Organization - 8 self-contained topic sections
- Table of Contents - Clickable navigation with grades and findings counts
- Severity Styling - Color-coded findings (Critical=red, High=orange, Medium=yellow, Low=blue)
Topic-Based Architecture
| Topic | Weight | Description |
|---|---|---|
| 📜 SSL/TLS Certificates | 12.5% | Certificate validity, expiration, signature |
| 🔒 Security Headers | 12.5% | HSTS, CSP, X-Frame-Options, etc. |
| ⚡ Performance | 12.5% | Response times, compression, caching |
| 🌐 DNS & Network | 12.5% | DNS resolution, geolocation |
| 📄 Content Analysis | 12.5% | Content type, body analysis |
| 🔀 Redirects | 12.5% | Redirect chain inspection |
| 🍪 Cookies | 12.5% | Cookie security attributes |
| 🔗 CORS Configuration | 12.5% | Cross-origin policy analysis |
Grading Algorithm
The overall grade is calculated using a weighted average of topic grades:
- A = 95 points, B = 85, C = 75, D = 65, F = 40
- Each topic contributes: (grade points × weight)
- Sum of weighted scores determines overall grade
- Severity-aware topic grading: CRITICAL→F, HIGH→C/D, MEDIUM→A-/B, LOW→A-
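A worked calculation of the weighted scheme above, as an added example rather than FW_HtmlReportGenerator's code. The point values, the eight equal topic weights and the severity-to-grade mapping come from the page; the tie-break between C/D and A-/B (a repeated worst severity takes the lower letter), the letter cut-offs for the overall score, and scoring A- as A points are this example's assumptions.

```python
# Weighted topic grading as described on the page. Added example, not the
# framework's code; the tie-break and cut-off rules are assumptions (see comments).

TOPICS = ("ssl_tls", "security_headers", "performance", "dns_network",
          "content", "redirects", "cookies", "cors")
WEIGHT = 1.0 / len(TOPICS)  # 8 topics at 12.5% each, as in the topic table
GRADE_POINTS = {"A": 95, "A-": 95, "B": 85, "C": 75, "D": 65, "F": 40}  # A- scored as A (assumption)
SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW")  # worst first

def topic_grade(severities):
    """Severity-aware topic grade. CRITICAL->F, HIGH->C/D, MEDIUM->A-/B, LOW->A-
    follow the page; the rule that a repeated worst severity takes the lower
    letter (two HIGHs -> D, two MEDIUMs -> B) is this example's assumption."""
    unknown = set(severities) - set(SEVERITIES)
    if unknown:
        raise ValueError(f"unknown severity: {sorted(unknown)}")
    if not severities:
        return "A"
    worst = min(severities, key=SEVERITIES.index)
    repeated = list(severities).count(worst) > 1
    if worst == "CRITICAL":
        return "F"
    if worst == "HIGH":
        return "D" if repeated else "C"
    if worst == "MEDIUM":
        return "B" if repeated else "A-"
    return "A-"

def letter_for(score):
    """Overall letter from the weighted score; cut-offs are this example's assumption."""
    for cutoff, letter in ((90, "A"), (80, "B"), (70, "C"), (60, "D")):
        if score >= cutoff:
            return letter
    return "F"

def overall_grade(findings_by_topic):
    """Weighted average of topic grade points. Topics absent from the input have
    no findings and grade A. Returns (score, letter, per-topic grades)."""
    per_topic = {t: topic_grade(findings_by_topic.get(t, [])) for t in TOPICS}
    score = sum(GRADE_POINTS[g] * WEIGHT for g in per_topic.values())
    return score, letter_for(score), per_topic

def critical_floor():
    """Lowest overall score one CRITICAL finding can produce when every other topic is clean."""
    score, letter, _ = overall_grade({"cors": ["CRITICAL"]})
    return score, letter

# Constructed findings per topic (severity lists), not a real audit result.
SAMPLE_FINDINGS = {
    "security_headers": ["HIGH", "HIGH", "MEDIUM"],
    "performance": ["MEDIUM"],
    "content": ["LOW"],
    "cookies": ["HIGH", "MEDIUM", "MEDIUM"],
    "cors": ["CRITICAL"],
}

if __name__ == "__main__":
    score, letter, per_topic = overall_grade(SAMPLE_FINDINGS)
    for topic, grade in per_topic.items():
        print(f"{topic:17} {grade}")
    print(f"overall {score:.3f} -> {letter}")
    print("single CRITICAL, all else clean:", critical_floor())
```

On the constructed findings the result is 81.875 points, a B, even though the CORS topic holds a CRITICAL finding. Because each topic carries only 12.5% of the score, a single CRITICAL in an otherwise clean audit still scores 88.125 (B): gate a release on http.getCriticalFindingsCount(), not on the letter grade.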
Code Example
```java
// Configure reporter for dual output (httpTransaction is the FW_Http result of an audit)
FW_Http httpTransaction = FW_AuditManager.INSTANCE.performHttpAudit("https://example.com", false);
FW_HttpReporter reporter = new FW_HttpReporter();
reporter.setReportDepth(FW_HttpReporter.ReportDepth.COMPREHENSIVE);
reporter.setTargetAudience(FW_AdvisorAudience.SECURITY_ENGINEER);
// Generate both MD and HTML reports from the same transaction
String mdReport = reporter.generateReport(httpTransaction);
String htmlReport = reporter.generateHtmlReport(httpTransaction);
```
What's New in v3.0.0
- HTML Reports with Help Links - Dual-mode MD + HTML output with Perplexity.ai integration
- Topic-Based Architecture - 8 self-contained topic sections with independent grading
- Weighted Grade Calculation - Overall grade reflects topic grades (replaces penalty system)
- Severity-Aware Grading - Topics grade based on CRITICAL, HIGH, MEDIUM, LOW findings
- New Configuration Properties - reportOutputHtml, reportHelpLinksEnabled
What's New in v2.2.0
- Report Depth Levels - 3 configurable depths (EXECUTIVE, STANDARD, COMPREHENSIVE)
- Audience Configuration - 6 audience types supported
- 18 Report Configurations - Any depth + any audience combination
- Enhanced API - New setReportDepth() and setTargetAudience() methods