RyosukeDTomita/odin

Odin: HTTP Security Header Linter

ABOUT

Odin is a Burp Suite extension that passively inspects HTTP traffic and reports missing or misconfigured security headers.

It works with both Community and Professional editions via the Montoya API. Findings appear automatically as you browse — no manual triggering required.

  • Proxy > HTTP history — color-coded highlight and note on each flagged request
  • Extensions > Odin > Output — full findings log

What Odin checks

| Category | Headers / Attributes |
| --- | --- |
| CORS | Access-Control-Allow-Origin, Access-Control-Allow-Credentials, Access-Control-Allow-Methods, Access-Control-Allow-Headers |
| Cookie attributes | Secure, HttpOnly, SameSite, Expires / Max-Age, Path, Domain |
| Security headers | X-Content-Type-Options, Strict-Transport-Security, X-Frame-Options / CSP frame-ancestors, Content-Security-Policy, Referrer-Policy, Permissions-Policy |

Findings Reference

Note: Severity levels are based on the author's personal judgment — none of the referenced sources assign explicit severity ratings. If you disagree, feel free to open an issue or fork and tweak the values to suit your needs.

| Severity | Category | Trigger condition | Example (response header) | Reference |
| --- | --- | --- | --- | --- |
| HIGH | CORS | ACAO reflects the request Origin | Access-Control-Allow-Origin: https://evil.com (mirrors Origin: https://evil.com) | OWASP |
| HIGH | CORS | ACAO reflects Origin and ACAC: true | Access-Control-Allow-Origin: https://evil.com and Access-Control-Allow-Credentials: true | OWASP |
| HIGH | CORS | ACAO: * and ACAC: true | Access-Control-Allow-Origin: * and Access-Control-Allow-Credentials: true | OWASP |
| MEDIUM | CORS | ACAO: * | Access-Control-Allow-Origin: * | OWASP |
| MEDIUM | Cookie | HTTPS response, Set-Cookie has no Secure | Set-Cookie: session=abc; HttpOnly | MDN |
| MEDIUM | Cookie | SameSite=None without Secure | Set-Cookie: session=abc; SameSite=None | MDN |
| MEDIUM | Security | HTTPS response, Strict-Transport-Security absent | (header absent) | MDN |
| LOW | CORS | ACAM contains PUT, DELETE, or PATCH | Access-Control-Allow-Methods: GET, POST, PUT, DELETE | OWASP |
| LOW | CORS | ACAH: * | Access-Control-Allow-Headers: * | OWASP |
| LOW | Cookie | Set-Cookie has no HttpOnly | Set-Cookie: session=abc; Secure | MDN |
| LOW | Cookie | Set-Cookie has no SameSite | Set-Cookie: session=abc; Secure; HttpOnly | MDN |
| LOW | Cookie | SameSite=None (even with Secure) | Set-Cookie: session=abc; Secure; SameSite=None | MDN |
| LOW | Security | X-Frame-Options absent and CSP has no frame-ancestors | (both absent, or CSP present but without frame-ancestors) | MDN |
| LOW | Security | Content-Security-Policy absent | (header absent) | OWASP |
| LOW | Security | X-Content-Type-Options absent | (header absent) | MDN |
| LOW | Security | X-Content-Type-Options value is not nosniff | X-Content-Type-Options: sniff | MDN |
| LOW | Security | Strict-Transport-Security max-age < 31536000 (1 year) | Strict-Transport-Security: max-age=3600 | MDN |
| LOW | Security | Referrer-Policy is unsafe-url or no-referrer-when-downgrade | Referrer-Policy: unsafe-url or Referrer-Policy: no-referrer-when-downgrade | MDN |
| INFORMATION | Cookie | Set-Cookie has neither Expires nor Max-Age | Set-Cookie: session=abc; Secure; HttpOnly | MDN |
| INFORMATION | Cookie | Set-Cookie has Path=/ | Set-Cookie: session=abc; Path=/ | MDN |
| INFORMATION | Cookie | Set-Cookie has a Domain= attribute | Set-Cookie: session=abc; Domain=.example.com | MDN |
| INFORMATION | Security | Strict-Transport-Security has no includeSubDomains | Strict-Transport-Security: max-age=31536000 | MDN |
| INFORMATION | Security | Referrer-Policy absent | (header absent) | MDN |
| INFORMATION | Security | Permissions-Policy absent | (header absent) | MDN |
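The CORS, cookie and HSTS rows of the table above, as an added example that is not Odin's own code (Odin is Java on the Montoya API); the header dicts, cookie values and the `lint`/`cookie_findings` names are constructed for illustration:

```python
# Added example, not Odin's own code (Odin is Java on the Montoya API): a small
# passive linter applying a subset of the Findings Reference rules to one exchange.

def cookie_findings(set_cookie, https=True):
    """Rules for one Set-Cookie value; attribute names are case-insensitive."""
    attrs = {}
    for part in set_cookie.split(";")[1:]:          # skip the name=value pair
        name, _, value = part.strip().partition("=")
        attrs[name.lower()] = value.strip().lower()
    out = []
    if https and "secure" not in attrs:
        out.append(("MEDIUM", "Cookie", "Set-Cookie has no Secure"))
    if attrs.get("samesite") == "none" and "secure" not in attrs:
        out.append(("MEDIUM", "Cookie", "SameSite=None without Secure"))
    elif attrs.get("samesite") == "none":
        out.append(("LOW", "Cookie", "SameSite=None (even with Secure)"))
    if "httponly" not in attrs:
        out.append(("LOW", "Cookie", "Set-Cookie has no HttpOnly"))
    if "samesite" not in attrs:
        out.append(("LOW", "Cookie", "Set-Cookie has no SameSite"))
    if "expires" not in attrs and "max-age" not in attrs:
        out.append(("INFORMATION", "Cookie", "Set-Cookie has neither Expires nor Max-Age"))
    return out

def lint(request_headers, response_headers, https=True):
    """Headers are dicts of name -> list of values; returns (severity, category, title) tuples."""
    req = {k.lower(): v for k, v in request_headers.items()}
    res = {k.lower(): v for k, v in response_headers.items()}
    first = lambda name: (res.get(name) or [""])[0].strip()
    origin, acao = (req.get("origin") or [""])[0].strip(), first("access-control-allow-origin")
    acac = first("access-control-allow-credentials").lower() == "true"
    out = []
    if acao and acao == origin:                     # reflected Origin, worse with credentials
        out.append(("HIGH", "CORS", "ACAO reflects the request Origin" + (" and ACAC: true" if acac else "")))
    elif acao == "*":                               # wildcard is HIGH only when credentials are allowed
        out.append(("HIGH" if acac else "MEDIUM", "CORS", "ACAO: *" + (" and ACAC: true" if acac else "")))
    for cookie in res.get("set-cookie", []):        # every Set-Cookie header is checked on its own
        out += cookie_findings(cookie, https)
    hsts = first("strict-transport-security").lower()
    if https and not hsts:
        out.append(("MEDIUM", "Security", "Strict-Transport-Security absent"))
    elif hsts:
        max_age = next((int(v) for n, _, v in (p.strip().partition("=") for p in hsts.split(";"))
                        if n == "max-age" and v.strip().isdigit()), 0)
        if max_age < 31536000:
            out.append(("LOW", "Security", "max-age < 31536000 (1 year)"))
        if "includesubdomains" not in hsts:
            out.append(("INFORMATION", "Security", "Strict-Transport-Security has no includeSubDomains"))
    return out
```

Run it on a captured request/response pair by passing each side's headers as a dict of name to list of values; a plain HTTP response is passed with `https=False` so the Secure and HSTS rules are skipped, as in the table.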

ENVIRONMENT


HOW TO USE

  1. Build the JAR (or download a release):

    ./gradlew shadowJar
    # Output: build/libs/odin-0.0.1.jar

    Note: You can download the .jar from the latest Releases.

  2. Open Burp Suite and go to Extensions > Add.

    • Extension type: Java
    • Select file: build/libs/odin-0.0.1.jar

  3. Browse the target application through Burp Proxy as usual.

  4. Check findings in Proxy > HTTP history (color-coded highlights and notes) or Extensions > Odin > Output (full log).

Note

Odin only performs passive analysis on already-captured traffic. It never sends additional requests to the target.


For Developers

Setup

# Enter the dev shell (provides Java 21 + Gradle automatically via direnv)
direnv allow
# or manually:
nix develop

Build

./gradlew shadowJar
# Output: build/libs/odin-0.0.1.jar

Format

./gradlew fmt

Release

  1. Update the version in build.gradle.kts.

  2. Update any version strings in README.md (JAR filename examples).

  3. Run tests and build the JAR:

    ./gradlew test shadowJar

  4. Commit the version bump:

    git add build.gradle.kts README.md
    git commit -m "Release vX.Y.Z"

  5. Create a tag and push:

    git tag vX.Y.Z
    git push
    git push --tags

BApp Store acceptance criteria (self check)

This extension is designed to meet the acceptance criteria for the BApp Store.

1. It performs a unique function

Yes. There is no existing BApp that performs comprehensive passive linting of security response headers (CORS, Cookie attributes, HSTS, CSP, Referrer-Policy, Permissions-Policy) as scanner issues in a single extension.

2. It has a clear, descriptive name

Yes. The extension name is set to Odin - Security Header Linter and clearly describes its function.

3. It operates securely

Yes.

  • All HTTP header values are treated as untrusted input.
  • Header values are never directly reflected in output; findings reference only hardcoded IssueDefinition names and static descriptions.
  • No eval, reflection, or shell execution of header data.

4. It includes all dependencies

Yes. montoya-api is declared compileOnly (Burp provides it at runtime). All other dependencies are bundled via the Shadow plugin into a single fat JAR. See build.gradle.kts.

5. It uses threads to maintain responsiveness

Yes. handleResponseReceived() is invoked by Burp on its own proxy thread. The extension performs no Swing EDT operations and no blocking I/O.

6. It unloads cleanly

Yes. api.extension().registerUnloadingHandler() is called in OdinExtension.initialize().

7. It uses Burp networking

Out of scope. This extension makes no outbound HTTP requests. It only inspects already-captured traffic.

8. It supports offline working

Yes. The extension operates entirely offline — all checks are pure in-memory analysis of HTTP messages.

9. It can cope with large projects

Yes.

  • No long-term references to HttpRequestResponse objects are held.
  • Each handleResponseReceived() invocation is stateless.

10. It provides a parent for GUI elements

Out of scope. This extension adds no custom GUI tabs or dialogs. All output is through Burp's native scanner issue panel.

11. Montoya API Artifact Usage

Yes. net.portswigger.burp.extensions:montoya-api is referenced via Gradle as required.

12. Montoya API for AI Functionality

Out of scope. This extension does not use AI features.
