
feat: Add Security Headers Analyzer feature #72

Open
CryptoMaN-Rahul wants to merge 1 commit into repplus:main from CryptoMaN-Rahul:feat/security-headers-analyzer

Conversation

@CryptoMaN-Rahul

feat: Add Comprehensive Security Headers Analyzer

📝 Overview

This PR introduces a comprehensive Security Headers Analyzer feature for rep+ that provides real-time evaluation of HTTP security headers in captured responses. The feature helps security researchers, developers, and compliance auditors quickly assess the security posture of web applications without requiring external tools.

🚀 Key Features

🔍 Core Analysis Engine

  • 11 Security Headers Analyzed: Deep inspection of:
    • Content-Security-Policy (CSP)
    • Strict-Transport-Security (HSTS)
    • X-Frame-Options
    • X-Content-Type-Options
    • Referrer-Policy
    • Permissions-Policy
    • X-XSS-Protection
    • Set-Cookie
    • Cross-Origin-Opener-Policy (COOP)
    • Cross-Origin-Embedder-Policy (COEP)
    • Cross-Origin-Resource-Policy (CORP)
  • Smart Detection: Identifies unsafe CSP directives (e.g., unsafe-inline, unsafe-eval), validates HSTS max-age requirements, and checks cookie security attributes (Secure, HttpOnly, SameSite).
  • Actionable Remediation: Provides specific guidance on how to fix missing or misconfigured headers.
  • Performance: Automatic real-time analysis when responses are selected, with sub-100ms performance.

📊 Visual Security Assessment

  • Scoring System: 0-100 point scoring system with configurable deduction rules.
  • Letter Grades: A+ to F grading with color-coded indicators (🟢 Green / 🟡 Yellow / 🔴 Red).
  • Visual Indicators: Request list now displays colored security badges for quick identification of vulnerable endpoints.
  • Detailed Findings: Results categorized as Secure ✅, Warnings ⚠️, or Missing ❌.

📦 Bulk Operations

  • Analyze All: Bulk analysis of all captured requests with progress tracking.
  • Summary Reports: Aggregates data to show grade distribution, common issues, and best/worst performers.
  • Batch Processing: Optimized processing with 16ms delays to prevent UI blocking during large datasets.

💾 Export & Data

  • Multiple Formats: Built-in support for JSON, Markdown, and CSV exports.
  • Compliance Reports: Generates structured reports suitable for audits and documentation.
  • Copy Functionality: One-click copying of recommended header values.
  • Persistence: Security data is integrated into the app's import/export system for data persistence.

🏗️ Technical Implementation

Architecture

  • Modular Design: Self-contained feature located in js/features/security-headers/.
  • Event-Driven: Uses EventBus for decoupled communication between the analyzer and the UI.
  • Caching Strategy: Implemented LRU caching with header content hashing to optimize performance.
  • Memory Efficient: Minimal memory footprint with automatic cleanup mechanisms.

File Structure

js/features/security-headers/
├── index.js          # Entry point and event handling
├── analyzer.js       # Core analysis logic
├── rules.js          # Security header rules engine
├── ui.js             # UI rendering and DOM manipulation
├── export.js         # Export format generators (JSON/MD/CSV)
├── bulk.js           # Bulk analysis functionality
├── cache.js          # Performance caching system
└── indicators.js     # Request list security badges

tests/security-headers.test.js  # Comprehensive test suite

UI Integration

  • New Security Tab: Added to response pane alongside Pretty, Raw, Hex, Json, Preview.
  • Request List: Injected security score badges into the request rows.
  • Bulk Analysis Modal: New modal with progress bars and summary statistics.
  • Export Controls: Dropdown menus added for report format selection.

🧪 Testing

  • Comprehensive Test Suite: Added 62 security-specific tests.
  • Coverage: 100% core coverage for analysis logic, scoring algorithms, and export functions.
  • Edge Cases: Tests included for malformed headers, empty responses, and error conditions.
  • Performance: Validated caching mechanisms and bulk processing speed.

# Run the test suite
npm test
# Result: All 229 tests pass (including 62 new security tests)

🎯 Use Cases

| User Persona | Benefit |
|---|---|
| Security Researchers | Quick security posture assessment during bug bounty hunting; identification of missing headers. |
| Developers | Real-time security feedback during development loops. |
| Auditors | Generation of structured security reports for documentation. |

🔄 Backward Compatibility

  • Non-Breaking: All existing functionality is preserved.
  • On-Demand: Security analysis logic only triggers when the Security tab is active or Bulk Analysis is requested.
  • Async: Analysis runs asynchronously to ensure no main-thread blocking.

🚦 Testing Instructions

  1. Load the extension in Chrome DevTools.
  2. Capture HTTP requests on any website (e.g., github.com or a vulnerable test site).
  3. Select a request that contains response headers.
  4. Click the newly added Security tab to view the analysis, score, and grade.
  5. Click the "Analyze All" button to test bulk processing.
  6. Use the Export dropdown to generate a Markdown report.

Closes: Security analysis requirements for HTTP response evaluation
Implements: Real-time security posture assessment for web applications

- Add comprehensive security header analysis for HTTP responses
- Integrate Security tab in response pane with real-time analysis
- Implement scoring system (0-100) with letter grades (A+ to F)
- Add security indicators to request list with colored badges
- Support bulk analysis with progress tracking and summary reports
- Include export functionality (JSON, Markdown, CSV formats)
- Add caching system for performance optimization
- Integrate with import/export system for data persistence
- Analyze 11 security headers: CSP, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, X-XSS-Protection, Set-Cookie, COOP, COEP, CORP
- Provide actionable remediation guidance for security issues
- Include comprehensive test suite with 62 security-specific tests

Closes: Security analysis requirements for HTTP response evaluation
Implements: Real-time security posture assessment for web applications
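As an added illustration of the checks the description lists (unsafe CSP directives, HSTS max-age, cookie attributes, a 0-100 score with a letter grade), here is a small analyzer of my own; it is not code from this PR or from rep+, and the header set, point deductions and grade thresholds are assumptions.

```javascript
// Added example (not the rep+ project's code); rules and thresholds are assumptions.
const ONE_YEAR = 31536000;
const checkCsp = (v) => ["'unsafe-inline'", "'unsafe-eval'"]
  .filter((d) => v.toLowerCase().includes(d)).map((d) => `CSP permits ${d}`);
function checkHsts(v) {
  const m = /max-age=(\d+)/i.exec(v);
  if (!m) return ['HSTS lacks max-age'];
  return Number(m[1]) < ONE_YEAR ? [`HSTS max-age ${m[1]} is under one year`] : [];
}
// Set-Cookie can repeat, so each cookie is checked on its own.
function checkCookie(v) {
  const name = v.split('=')[0].trim();
  const attrs = v.split(';').slice(1).map((a) => a.trim().toLowerCase());
  const f = [];
  if (!attrs.includes('secure')) f.push(`cookie ${name} lacks Secure`);
  if (!attrs.includes('httponly')) f.push(`cookie ${name} lacks HttpOnly`);
  if (!attrs.some((a) => a.startsWith('samesite='))) f.push(`cookie ${name} lacks SameSite`);
  return f;
}
// Points lost when a header is missing; a present-but-weak value costs half of that.
const RULES = {
  'content-security-policy': { missing: 30, check: checkCsp },
  'strict-transport-security': { missing: 20, check: checkHsts },
  'x-frame-options': { missing: 10, check: () => [] },
  'x-content-type-options': { missing: 10, check: (v) => (/^nosniff$/i.test(v.trim()) ? [] : ['expected nosniff']) },
  'referrer-policy': { missing: 10, check: () => [] },
};
const grade = (s) => (s >= 95 ? 'A+' : s >= 90 ? 'A' : s >= 80 ? 'B' : s >= 70 ? 'C' : s >= 60 ? 'D' : 'F');
// headers: captured [name, value] pairs; names are matched case-insensitively.
function analyzeHeaders(headers) {
  const byName = new Map();
  for (const [n, v] of headers) byName.set(n.toLowerCase(), [...(byName.get(n.toLowerCase()) || []), v]);
  let score = 100;
  const findings = [];
  for (const [name, rule] of Object.entries(RULES)) {
    const values = byName.get(name);
    if (!values) { score -= rule.missing; findings.push(`missing ${name}`); continue; }
    const issues = rule.check(values.join(', '));
    if (issues.length) score -= rule.missing / 2;
    findings.push(...issues);
  }
  for (const c of byName.get('set-cookie') || []) {
    const issues = checkCookie(c);
    score -= 2 * issues.length; // assumed: two points per missing cookie attribute
    findings.push(...issues);
  }
  score = Math.max(0, score);
  return { score, grade: grade(score), findings };
}
```

Running it on a hardened response (constructed) yields 100 / A+ with no findings, while a response carrying `script-src 'unsafe-inline'`, `max-age=300`, no other headers and an unflagged cookie scores 39 / F with eight findings.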
@CryptoMaN-Rahul
Author

PR #64

CryptoMaN-Rahul changed the title from "feat: Add Security Headers Analyzer feature" to "feat: Add Security Headers Analyzer feature https://github.com/repplus/rep/issues/64" on Dec 28, 2025
CryptoMaN-Rahul changed the title from "feat: Add Security Headers Analyzer feature https://github.com/repplus/rep/issues/64" back to "feat: Add Security Headers Analyzer feature" on Dec 28, 2025
@bscript
Member

bscript commented Dec 28, 2025

This is great, let me test it and get back to you 🕶️
