http_diff
Diff two HTTP responses to detect security-relevant changes: status transitions, header and cookie attribute diffs, and body changes with error hints.
Instructions
Diff two HTTP responses with security-relevant findings.
Inputs may be raw HTTP response strings (status line + headers + body)
or dicts shaped {"status": int, "headers": list|dict, "body": str}.
Reports:
- status transitions classed as auth-bypass-likely / idor-possible / etc.
- header diffs with security-header and auth-header tagging
- cookie attribute diffs (HttpOnly / Secure / SameSite removal flagged high)
- body diff: size, content-type shift, error-leak hints, unified diff excerpt
Stateless. Two inputs in, one report out.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| response_a | Yes | | |
| response_b | Yes | | |
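
The cookie attribute check listed under Reports, sketched as an added example (not the tool's own code). The function names, the finding fields, and the `[name, value]` pair shape for list-style headers are assumptions; the sample responses are constructed.

```python
FLAGS = ("httponly", "secure", "samesite")  # attributes whose removal is flagged high

def _set_cookie_values(resp):
    """Return Set-Cookie values from a raw response string or a dict-shaped response."""
    if isinstance(resp, str):
        head = resp.replace("\r\n", "\n").split("\n\n", 1)[0]
        pairs = [l.split(":", 1) for l in head.split("\n")[1:] if ":" in l]
    else:
        h = resp.get("headers") or []
        pairs = h.items() if isinstance(h, dict) else h  # assumed [name, value] pairs
    return [v.strip() for k, v in pairs if k.strip().lower() == "set-cookie"]

def cookie_attrs(resp):
    """Map cookie name -> {lowercased attribute: value}; bare flags map to ''."""
    out = {}
    for raw in _set_cookie_values(resp):
        first, *rest = [p.strip() for p in raw.split(";")]
        attrs = {}
        for p in rest:
            if p:
                k, _, v = p.partition("=")
                attrs[k.strip().lower()] = v.strip()
        out[first.split("=", 1)[0]] = attrs
    return out

def diff_cookies(a, b):
    """Compare security attributes of cookies set in both responses (a -> b)."""
    findings, ca, cb = [], cookie_attrs(a), cookie_attrs(b)
    for name in sorted(ca.keys() & cb.keys()):  # cookies in only one response are skipped
        for flag in FLAGS:
            was, now = ca[name].get(flag), cb[name].get(flag)
            if was != now:
                removed = was is not None and now is None
                findings.append({"cookie": name, "attribute": flag, "a": was,
                                 "b": now, "severity": "high" if removed else "info"})
    return findings

# Constructed sample inputs: one raw response string, one dict-shaped response.
RESP_A = ("HTTP/1.1 200 OK\r\n"
          "Content-Type: text/html\r\n"
          "Set-Cookie: sid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax\r\n"
          "\r\n<html>ok</html>")
RESP_B = {"status": 200,
          "headers": [["Content-Type", "text/html"],
                      ["Set-Cookie", "sid=abc123; Path=/; Secure; SameSite=Lax"]],
          "body": "<html>ok</html>"}

if __name__ == "__main__":
    print(diff_cookies(RESP_A, RESP_B))
```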